Missing Tls in Axum with Firestore
Missing Tls in Axum with Firestore — how this specific combination creates or exposes the vulnerability
When an Axum service communicates with Firestore without Transport Layer Security (TLS), credentials and data traverse the network in cleartext. Firestore uses HTTPS endpoints; omitting TLS means requests are sent over HTTP or with invalid certificates, exposing authentication tokens, project IDs, and potentially document content. This combination is particularly risky because Firestore connections often carry long-lived service account keys or OAuth tokens that, if intercepted, enable attackers to access or modify your database.
Middleware that terminates TLS before reaching Axum can also introduce misconfigurations where backend routes to Firestore inadvertently use an unencrypted channel. For example, a service behind a load balancer might resolve the Firestore host to an internal IP that defaults to HTTP if the client library is not explicitly configured for HTTPS. Since middleBrick scans unauthenticated attack surfaces, it can detect that an endpoint accepting Firestore-bound requests does not enforce TLS, flagging the communication path as an exposure even when the API itself returns 200 OK.
The risk is compounded by common development practices where emulator or test configurations use HTTP for convenience. If these settings leak into production code or environment variables, Axum routes may connect to Firestore over cleartext, bypassing expected protections. middleBrick’s checks for encryption and data exposure will highlight such misconfigurations, noting that sensitive operations like reading or writing documents occur without encryption in transit.
Additionally, Firestore security rules rely on authenticated identity, which can be compromised if tokens are exposed due to missing TLS. An attacker on the same network can capture these tokens and bypass intended rule restrictions, effectively escalating privileges. This scenario maps to common weaknesses in the OWASP API Top 10 and can align with findings related to insecure transport and improper authentication handling.
middleBrick’s encryption and data exposure checks specifically flag endpoints that do not enforce TLS when communicating with downstream services like Firestore. The scanner validates that requests to Firestore are initiated over HTTPS and that responses are inspected for signs of unencrypted transmission, ensuring that sensitive operations remain protected in transit.
Firestore-Specific Remediation in Axum — concrete code fixes
To secure Axum applications that interact with Firestore, enforce HTTPS for all Firestore client creation and ensure the runtime environment uses valid certificates. Below are concrete code examples demonstrating correct configurations.
First, initialize the Firestore client with explicit HTTPS settings using the official Google Cloud client library. The client must be configured to use secure endpoints, and emulator usage should be strictly limited to development with controlled network boundaries.
use google_cloud_rust::firestore::client::ClientConfig;
use google_cloud_auth::credentials::CredentialsFile;
use std::sync::Arc;
async fn create_firestore_client() -> Result<ClientConfig, Box<dyn std::error::Error>> {
let creds = CredentialsFile::new("path/to/service-account.json")
.await?;
let config = ClientConfig::new()
.with_auth(creds)
.with_host("https://firestore.googleapis.com")
.with_ssl(); // Enforces HTTPS/TLS
Ok(config)
}
Second, ensure that any HTTP client used by Axum for outgoing requests to Firestore or related services is configured to reject insecure connections. This can be done by setting reqwest::tls::Version::TLSv1_2 or higher and disabling insecure protocols.
use reqwest::Client;
use reqwest::tls::{Certificate, Version};
async fn secure_client() -> Client {
let cert = Certificate::from_pem(include_bytes!("/path/to/ca-cert.pem"))
.expect("valid cert");
Client::builder()
.add_root_certificate(cert)
.tls_version(Version::TLSv1_2)
.https_only(true)
.build()
.expect("client builder")
}
Third, validate environment variables and configuration files to prevent accidental HTTP fallbacks. Use runtime checks to confirm that the Firestore host begins with https:// and that no emulator overrides are active outside isolated test environments.
fn validate_firestore_host(host: &str) -> bool {
host.starts_with("https://firestore.googleapis.com")
}
let host = std::env::var("FIRESTORE_HOST").unwrap_or_else(|_| "https://firestore.googleapis.com".into());
if !validate_firestore_host(&host) {
panic!("Insecure Firestore host detected: {}");
}
Finally, integrate middleBrick into your workflow using the CLI or GitHub Action to continuously verify that your endpoints enforce TLS when communicating with Firestore. The scanner will flag missing encryption in transit and provide prioritized findings with remediation guidance, helping you maintain secure configurations as your Axum service evolves.
Related CWEs: encryption
| CWE ID | Name | Severity |
|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | HIGH |
| CWE-295 | Improper Certificate Validation | HIGH |
| CWE-326 | Inadequate Encryption Strength | HIGH |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | HIGH |
| CWE-328 | Use of Weak Hash | HIGH |
| CWE-330 | Use of Insufficiently Random Values | HIGH |
| CWE-338 | Use of Cryptographically Weak PRNG | MEDIUM |
| CWE-693 | Protection Mechanism Failure | MEDIUM |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation | HIGH |
| CWE-261 | Weak Encoding for Password | HIGH |