Fix Improper Assets Management in NestJS
Improper Assets Management (OWASP A09:2021) is the silent killer of enterprise apps. In NestJS, this typically manifests as 'Shadow APIs'—deprecated endpoints, debug routes, or Swagger documentation exposed in production. Attackers use these forgotten assets to map your internal schema, find unpatched logic, or bypass standard security controls. If you aren't explicitly managing your API lifecycle and environment-specific assets, you're handing the blueprint of your house to the burglar.
The Vulnerable Pattern
```typescript
import { NestFactory } from '@nestjs/core';
import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
import { AppModule } from './app.module';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);

  // VULNERABILITY: Swagger UI and internal documentation
  // are exposed in all environments, including production.
  const config = new DocumentBuilder()
    .setTitle('Core Internal API')
    .setVersion('1.0')
    .build();
  const document = SwaggerModule.createDocument(app, config);
  SwaggerModule.setup('api/docs', app, document);

  // VULNERABILITY: No API versioning. Old, insecure routes
  // might persist alongside new ones indefinitely.
  await app.listen(3000);
}
bootstrap();
```
The Secure Implementation
To secure NestJS assets, you must implement Environment Isolation and Lifecycle Management. First, use the ConfigService to ensure that Swagger/OpenAPI documentation is only initialized in non-production environments; this prevents schema leakage and information gathering. Second, use 'app.enableVersioning()' to force a structured API lifecycle. This prevents 'Zombie APIs'—old endpoints that remain active but unmaintained. Finally, always audit your main.ts to ensure debug middleware or internal-only routes are not reachable from the public internet.
```typescript
import { NestFactory } from '@nestjs/core';
import { SwaggerModule, DocumentBuilder } from '@nestjs/swagger';
import { ConfigService } from '@nestjs/config';
import { VersioningType } from '@nestjs/common';
import { AppModule } from './app.module';

async function bootstrap() {
  const app = await NestFactory.create(AppModule);
  // ConfigService is only injectable if AppModule imports ConfigModule.forRoot().
  const configService = app.get(ConfigService);
  const nodeEnv = configService.get<string>('NODE_ENV');

  // FIX 1: Explicit API versioning to manage lifecycle and deprecate assets.
  app.enableVersioning({
    type: VersioningType.URI,
    defaultVersion: '1',
  });

  // FIX 2: Environment-gated documentation. Disabled in production.
  if (nodeEnv !== 'production') {
    const config = new DocumentBuilder()
      .setTitle('Developer API')
      .addBearerAuth()
      .build();
    const document = SwaggerModule.createDocument(app, config);
    SwaggerModule.setup('api/docs', app, document);
  }

  await app.listen(3000);
}
bootstrap();
```
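The audit step described above can be made mechanical. The following is an added example, not code from the original post: a pure function that takes the route inventory a NestJS app has registered (assumed to be collected from the HTTP adapter's router after app.init()) and reports, for a given NODE_ENV, documentation/debug/internal paths that would be exposed in production and routes that bypass URI versioning. The prefixes, route names and the assertInventoryClean helper are constructed for this example.

```typescript
// Added example: startup route-inventory audit for NestJS asset management.
interface RouteEntry {
  method: string; // e.g. 'GET'
  path: string;   // e.g. '/v1/users'
}

// Path prefixes that must never be mounted in production.
// Constructed for this example; adjust to the assets your app defines.
const INTERNAL_PREFIXES: readonly string[] = [
  '/api/docs', // Swagger UI / OpenAPI JSON
  '/debug',
  '/internal',
];

// URI-versioned routes as produced by VersioningType.URI ('/v1/users', '/v2/users').
const VERSIONED = /^\/v\d+(\/|$)/;

function auditRoutes(routes: readonly RouteEntry[], nodeEnv: string): string[] {
  const findings: string[] = [];
  for (const { method, path } of routes) {
    const isInternal = INTERNAL_PREFIXES.some(
      (p) => path === p || path.startsWith(p + '/'),
    );
    if (nodeEnv === 'production' && isInternal) {
      findings.push(`${method} ${path}: internal asset exposed in production`);
    }
    // Internal routes are reported above; everything else must carry a version.
    if (!isInternal && !VERSIONED.test(path)) {
      findings.push(`${method} ${path}: unversioned route (zombie API risk)`);
    }
  }
  return findings;
}

// Constructed sample inventory, shaped like what main.ts would collect
// from the router (assumption: Express adapter) before calling listen().
const SAMPLE_ROUTES: RouteEntry[] = [
  { method: 'GET', path: '/v1/users' },
  { method: 'GET', path: '/v2/users' },
  { method: 'GET', path: '/api/docs' },
  { method: 'POST', path: '/users/legacy-import' },
];

// Fail fast: refuse to start in production when unmanaged assets are mounted.
function assertInventoryClean(routes: readonly RouteEntry[], nodeEnv: string): void {
  const findings = auditRoutes(routes, nodeEnv);
  if (nodeEnv === 'production' && findings.length > 0) {
    throw new Error(`Improper asset inventory:\n${findings.join('\n')}`);
  }
}
```

Call assertInventoryClean(routes, nodeEnv) in bootstrap() after app.init() and before app.listen() so a leaked docs or debug route aborts the production start instead of going live.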
Verified by Ghost Labs Security Team