GuardAPI

Fix Improper Assets Management in Koa

Improper Assets Management in Koa is a high-risk misconfiguration that leads to Information Disclosure. When the static-file middleware's root is the project directory instead of a dedicated assets directory, every readable file beneath it becomes an HTTP resource: package.json and lock files, source and configuration modules, build output and source maps, and, if hidden files are ever enabled, .env and .git as well. To an attacker, an open project root is a goldmine of credentials and architectural intel.

The Vulnerable Pattern

const Koa = require('koa');
const serve = require('koa-static');
const app = new Koa();

// FAIL: serving the current working directory exposes the entire project.
// Attackers can fetch /package.json, source files, lock files and build output;
// with hidden: true, /.env and /.git/config as well.
app.use(serve('.'));

app.listen(3000, () => console.log('Vulnerable server on 3000'));

The Secure Implementation

The vulnerability occurs when the middleware root is set to a directory containing sensitive files (such as the project root). To fix this:
1. Isolate public files into a dedicated subdirectory (e.g., /public) that contains nothing but assets meant for the browser. This is the actual fix; the options below only narrow what can be read from whatever root you choose.
2. Use path.join(__dirname, 'public') to resolve an absolute path from the module's own location, so the served directory does not depend on the process's working directory.
3. Set hidden: false in the koa-static options so files and directories whose names start with a dot (.env, .git, .htpasswd) are never served. This is already koa-static's default (the option is passed through to koa-send), but setting it explicitly documents the intent and survives a later copy-paste of hidden: true.
4. Use an allowlist approach: serve only the file types the client actually needs. koa-static has no built-in extension allowlist, so enforce it with a small middleware in front of serve() or keep non-asset files out of the directory entirely.

const Koa = require('koa');
const serve = require('koa-static');
const path = require('path');
const app = new Koa();

// SUCCESS: isolate assets in a dedicated directory and keep dotfiles disabled.
const publicDirectory = path.join(__dirname, 'public');

app.use(serve(publicDirectory, {
  index: 'index.html',
  hidden: false,   // explicitly refuse dotfiles (.env, .git, etc.); also the default
  defer: false,    // respond before downstream middleware (default); true lets routes answer first
  setHeaders: (res, filePath, stats) => {
    res.setHeader('X-Content-Type-Options', 'nosniff');
    // A one-year lifetime is only safe for content-hashed filenames; give
    // index.html and other unhashed entry points a short max-age instead.
    res.setHeader('Cache-Control', 'public, max-age=31536000');
  }
}));

app.listen(3000, () => console.log('Secure server on 3000'));


Verified by Ghost Labs Security Team
