Fix Improper Assets Management in Helidon

Improper Assets Management in Helidon manifests as shadow APIs and exposed internal endpoints. Attackers leverage unauthenticated /health, /metrics, or misconfigured static content handlers to map your internal architecture and leak environment metadata. If you aren't explicitly hardening your asset routing, you're leaking your attack surface.

The Vulnerable Pattern

Routing.builder()
    .register("/", StaticContentSupport.create(Paths.get("/"))) // CRITICAL: Exposes root filesystem
    .register(HealthSupport.builder().build()) // UNSECURED: Leaks system health and dependencies
    .register(MetricsSupport.create()) // UNSECURED: Leaks performance data and internal naming
    .build();

The Secure Implementation

The exploit vector relies on broad path mapping and default-open management routes. To remediate: 1. Isolate static assets to a dedicated sub-directory using 'StaticContentSupport.builder()'. 2. Implement Helidon's SecurityHandler to wrap sensitive endpoints with RBAC or Basic Auth. 3. Use 'webContext' to move management tools (Metrics/Health) off the root path and onto internal-only listeners or obfuscated paths. 4. Never map the root filesystem to a web-accessible route.

Routing.builder()
    .register("/static", StaticContentSupport.builder("web-assets") // Restricted to specific subdir
        .welcomeFile("index.html")
        .build())
    .register("/mgmt", SecurityHandler.create(), // Enforce authentication for management assets
        HealthSupport.builder()
            .addCheck(HealthChecks.deadlockCheck())
            .build())
    .register(MetricsSupport.builder()
        .webContext("/internal/metrics") // Isolate and obfuscate the context
        .build())
    .build();