Fix Improper Assets Management in Vert.x
Vert.x is built for performance, but its StaticHandler is a common vector for information disclosure when it is misconfigured. Improper assets management occurs when developers map the project root, or a directory that also holds sensitive files, onto a public route. Attackers can then retrieve .env files, git metadata, or internal build artifacts by requesting them directly, probing for hidden paths, or attempting path traversal against the static route.
The Vulnerable Pattern
    import io.vertx.ext.web.Router;
    import io.vertx.ext.web.handler.StaticHandler;

    Router router = Router.router(vertx);
    // VULNERABLE: serves the default 'webroot' directory with default settings.
    // Hidden files (dotfiles) are included by default, so anything like .env or
    // .git/config that lands under webroot is served to whoever asks for it, and
    // nothing here explicitly disables directory listing or root-folder access.
    router.route("/static/*").handler(StaticHandler.create());
The Secure Implementation
To fix improper assets management, enforce the principle of least privilege on the filesystem. Pointing the handler at a dedicated 'public' folder rather than the project root creates a chroot-like boundary: only files below that folder can ever be resolved. Disabling directory listing stops attackers from mapping your file structure, and setIncludeHidden(false) ensures that dot-prefixed configuration files and metadata directories (.env, .git) stay unreachable even if they end up under the served folder. Always serve static assets from a dedicated, isolated directory that contains nothing but the assets themselves.
    import io.vertx.ext.web.Router;
    import io.vertx.ext.web.handler.StaticHandler;

    Router router = Router.router(vertx);
    // SECURE: explicitly define a restricted subdirectory, disable directory listing,
    // and block access to hidden files (like .git or .env).
    router.route("/static/*").handler(StaticHandler.create("webroot/public")
        .setDirectoryListing(false)      // never render the directory tree to clients
        .setIncludeHidden(false)         // dot-prefixed files and directories are not served
        .setAllowRootFolderAccess(false) // a request for the bare root is not a file request
        .setFilesReadOnly(true)          // caching hint (files never change at runtime); not an access control
    );
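The following is an added example, not code from the original page or from the Vert.x project: a minimal Vert.x 4 verticle that mounts the hardened StaticHandler from above and then probes it with WebClient to confirm that an ordinary asset is served while a dotfile sitting in the same directory is refused. The class name, port, file names and file contents are constructed for the demonstration; it assumes vertx-core, vertx-web and vertx-web-client on the classpath.

```java
import io.vertx.core.AbstractVerticle;
import io.vertx.core.Future;
import io.vertx.core.Promise;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.core.file.FileSystem;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.client.HttpResponse;
import io.vertx.ext.web.client.WebClient;
import io.vertx.ext.web.handler.StaticHandler;

// Hypothetical class written for this example; not part of Vert.x.
public class StaticAssetsCheck extends AbstractVerticle {

  private static final int PORT = 8080;              // constructed sample value
  private static final String ROOT = "webroot/public"; // the isolated asset directory

  @Override
  public void start(Promise<Void> startPromise) {
    // Constructed sample tree: one legitimate asset and one secret that must not leak.
    // The secret is deliberately placed under the served folder to show that
    // setIncludeHidden(false) still keeps it unreachable.
    FileSystem fs = vertx.fileSystem();
    fs.mkdirsBlocking(ROOT);
    fs.writeFileBlocking(ROOT + "/index.html", Buffer.buffer("<h1>hello</h1>"));
    fs.writeFileBlocking(ROOT + "/.env", Buffer.buffer("DB_PASSWORD=placeholder"));

    Router router = Router.router(vertx);
    router.route("/static/*").handler(StaticHandler.create(ROOT)
        .setDirectoryListing(false)      // never render the directory tree to clients
        .setIncludeHidden(false)         // dot-prefixed entries fall through to a 404
        .setAllowRootFolderAccess(false) // the bare root is not a valid file request
        .setFilesReadOnly(true)          // caching hint only; files never change at runtime
    );

    vertx.createHttpServer()
        .requestHandler(router)
        .listen(PORT)
        .compose(server -> probe())
        .onSuccess(v -> startPromise.complete())
        .onFailure(startPromise::fail);
  }

  // Sends two requests against the running server and fails the deployment
  // unless the handler serves the asset and refuses the dotfile.
  private Future<Void> probe() {
    WebClient client = WebClient.create(vertx);
    return client.get(PORT, "localhost", "/static/index.html").send()
        .compose(resp -> expect("/static/index.html", resp, 200))
        .compose(v -> client.get(PORT, "localhost", "/static/.env").send())
        .compose(resp -> expect("/static/.env", resp, 404))
        .onComplete(ar -> client.close());
  }

  private static Future<Void> expect(String path, HttpResponse<Buffer> resp, int status) {
    if (resp.statusCode() != status) {
      return Future.failedFuture("expected " + status + " for " + path
          + " but got " + resp.statusCode());
    }
    return Future.succeededFuture();
  }

  public static void main(String[] args) {
    Vertx vertx = Vertx.vertx();
    vertx.deployVerticle(new StaticAssetsCheck())
        .onSuccess(id -> {
          System.out.println("static handler checks passed");
          vertx.close();
        })
        .onFailure(err -> {
          err.printStackTrace();
          vertx.close();
        });
  }
}
```

Run it once with the hardened handler and the deployment succeeds; swap in the bare `StaticHandler.create()` from the vulnerable pattern (pointing at a directory that contains the same .env) and the second probe fails with a 200, which is exactly the disclosure the page describes. The same two-request probe is cheap enough to keep as an integration test in the project's build so a later refactor cannot silently reintroduce the default settings.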
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.