Fix Security Misconfiguration in Quarkus
Quarkus is built for 'Developer Joy,' but that joy often turns into leaked internal state or exposed sensitive endpoints if the defaults aren't overridden for production. Misconfigurations in the application.properties file, such as leaving Swagger-UI active in prod, wildcard CORS, or disabled proactive security, are low-hanging fruit for any script kiddie or sophisticated actor looking to map your attack surface.
The Vulnerable Pattern
# application.properties - PRODUCTION LEAKS
# Exposing API documentation to the public internet
quarkus.swagger-ui.always-include=true
# Wildcard CORS: inviting Cross-Site Request Forgery and data theft
quarkus.http.cors=true
quarkus.http.cors.origins=*
# Disabling proactive security allows unauthorized requests to reach resource methods
quarkus.security.proactive=false
# Management interface exposed without authentication
quarkus.management.enabled=true
quarkus.management.auth.enabled=false
The Secure Implementation
The vulnerable configuration creates several critical vectors: 'always-include=true' leaks your entire API schema to attackers, facilitating automated exploit discovery. Wildcard CORS origins allow malicious third-party sites to bridge the trust between a user's browser and your API. The fix involves:
1) Restricting UI tools to dev mode only.
2) Implementing a strict Origin allowlist.
3) Enabling proactive security so that the security identity is established before any business logic is executed.
4) Manually injecting the security headers that Quarkus doesn't set by default, to mitigate XSS and Clickjacking.
# application.properties - HARDENED CONFIG
# 1. Disable Swagger/Dev UI in production (the default behaviour is already the safer one)
quarkus.swagger-ui.always-include=false
# 2. Strict CORS policy: allow only specific, trusted origins
quarkus.http.cors=true
quarkus.http.cors.origins=https://app.secure-domain.com
quarkus.http.cors.methods=GET,POST
# 3. Enable proactive auth: block unauthenticated requests early in the chain
quarkus.security.proactive=true
# 4. Secure HTTP headers
quarkus.http.header."X-Content-Type-Options".value=nosniff
quarkus.http.header."X-Frame-Options".value=DENY
quarkus.http.header."Content-Security-Policy".value=default-src 'self'
# 5. Protect the management interface
quarkus.management.auth.enabled=true
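As an added example (not code from the original article or from the Quarkus project), here is a small audit script that reads an application.properties file and flags the five misconfigurations discussed above; the two sample configurations embedded in it are constructed to mirror this page's vulnerable and hardened files, and the key names it checks are the ones shown in those files.

```python
import re

# Settings that are findings when set to this value (patterns from the vulnerable config above).
RISKY_VALUES = {
    "quarkus.swagger-ui.always-include": ("true", "Swagger UI shipped in the production build"),
    "quarkus.security.proactive": ("false", "unauthenticated requests reach resource methods"),
    "quarkus.management.auth.enabled": ("false", "management interface reachable without auth"),
}
REQUIRED_HEADERS = ("X-Content-Type-Options", "X-Frame-Options", "Content-Security-Policy")

def parse_properties(text):
    """Minimal .properties reader: skips '#'/'!' comments, splits on the first '=' or ':',
    keeps Quarkus' quoted keys such as quarkus.http.header."X-Frame-Options".value intact."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return human-readable findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = [f"{k}={bad}: {why}" for k, (bad, why) in RISKY_VALUES.items()
                if props.get(k, "").lower() == bad]
    if props.get("quarkus.http.cors", "").lower() == "true":
        origins = [o.strip() for o in props.get("quarkus.http.cors.origins", "").split(",")]
        if "*" in origins:
            findings.append("quarkus.http.cors.origins=*: any site may call the API from a browser")
    findings += [f"missing security header: {h}" for h in REQUIRED_HEADERS
                 if f'quarkus.http.header."{h}".value' not in props]
    return findings

# Constructed samples mirroring the page's vulnerable and hardened configurations.
VULNERABLE = """quarkus.swagger-ui.always-include=true
quarkus.http.cors=true
quarkus.http.cors.origins=*
quarkus.security.proactive=false
quarkus.management.auth.enabled=false"""
HARDENED = """quarkus.swagger-ui.always-include=false
quarkus.http.cors=true
quarkus.http.cors.origins=https://app.secure-domain.com
quarkus.http.cors.methods=GET,POST
quarkus.security.proactive=true
quarkus.http.header."X-Content-Type-Options".value=nosniff
quarkus.http.header."X-Frame-Options".value=DENY
quarkus.http.header."Content-Security-Policy".value=default-src 'self'
quarkus.management.auth.enabled=true"""
```

Running `audit(VULNERABLE)` reports seven findings (the three risky values, the wildcard origin and the three missing headers) while `audit(HARDENED)` returns an empty list; drop the script into a CI step that reads the real `src/main/resources/application.properties` to catch regressions before deployment.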
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.