GuardAPI Logo
GuardAPI
Automated Security Protocol

How to fix Security Misconfiguration
in ServiceStack

Executive Summary

ServiceStack's 'developer-friendly' defaults are a goldmine for reconnaissance. Out-of-the-box, it leaks API blueprints via the Metadata page and detailed stack traces through internal exception exposure. A hardened AppHost is the difference between a secure gateway and a transparent box.

The Vulnerable Pattern

VULNERABLE CODE
public class AppHost : AppHostBase {
    public AppHost() : base("InsecureAPI", typeof(MyServices).Assembly) {}
    public override void Configure(Container container) {
        // FATAL: DebugMode enables stack traces and dev tools in prod
        // FATAL: ReturnsInnerException leaks database/logic internals
        SetConfig(new HostConfig {
            DebugMode = true,
            ReturnsInnerException = true,
            EnableFeatures = Feature.All // Includes Metadata, CSV, JSV, etc.
        });
    }
}

The Secure Implementation

The fix implements environment-aware hardening. By explicitly disabling 'DebugMode' and 'ReturnsInnerException' in production, you prevent 'Information Exposure through Error Messages' (CWE-209). Removing 'Feature.Metadata' from 'EnableFeatures' kills the /metadata endpoint, stopping attackers from automatically mapping your entire DTO structure and attack surface. The addition of global response filters ensures basic HTTP security headers are enforced across all ServiceStack endpoints.

SECURE CODE
public class AppHost : AppHostBase {
    public AppHost() : base("HardenedAPI", typeof(MyServices).Assembly) {}
    public override void Configure(Container container) {
        var isProd = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") == "Production";

    SetConfig(new HostConfig {
        DebugMode = !isProd,
        ReturnsInnerException = !isProd,
        // Disable Metadata page and sensitive formats in production
        EnableFeatures = isProd 
            ? Feature.All.Remove(Feature.Metadata | Feature.Html | Feature.Csv)
            : Feature.All,
        // Prevent version disclosure
        WriteErrorsToResponse = !isProd
    });

    // Enforce secure headers globally
    this.GlobalResponseFilters.Add((req, res, dto) => {
        res.AddHeader("X-Content-Type-Options", "nosniff");
        res.AddHeader("X-Frame-Options", "DENY");
    });
}


}

System Alert • ID: 8935
Target: ServiceStack API
Potential Vulnerability

Your ServiceStack API might be exposed to Security Misconfiguration

74% of ServiceStack apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X