Fix Shadow API Exposure in CherryPy

Shadow APIs in CherryPy typically arise from the framework's 'exposed' attribute pattern and its hierarchical tree-based dispatching. When developers inadvertently mark internal methods as exposed or fail to restrict HTTP verbs, they create undocumented attack surfaces. This guide focuses on neutralizing these hidden endpoints by enforcing strict dispatching and explicit method whitelisting.

The Vulnerable Pattern

import cherrypy


class ShadowAPI(object):
    @cherrypy.expose
    def index(self):
        return "Public API v1"

    @cherrypy.expose
    @cherrypy.tools.json_out()  # serialises the dict; without it CherryPy cannot send a dict body
    def internal_debug_status(self):
        # SHADOW ENDPOINT: Exposed but undocumented, reachable at /internal_debug_status
        return {"db_creds": "admin:password123", "status": "leaking"}


if __name__ == '__main__':
    cherrypy.quickstart(ShadowAPI())

The Secure Implementation

To kill Shadow APIs in CherryPy, you must transition from 'Discovery-based' routing to 'Explicit' routing.

1. Remove the @cherrypy.expose decorator from any method not intended for public consumption.
2. Enable 'cherrypy.tools.allow' ('tools.allow.on' and 'tools.allow.methods' in the handler's _cp_config or the site config) to strictly enforce HTTP verbs (GET, POST, etc.), preventing attackers from probing endpoints with unexpected methods; any other verb receives a 405 response.
3. Use 'cherrypy.dispatch.MethodDispatcher()' in your configuration; this forces the engine to map requests directly to HTTP-named methods (def GET, def POST) rather than any attribute with an 'exposed' flag, effectively neutralizing accidental exposure of helper functions. Note that the resource class itself still needs exposed = True for the dispatcher to find it, and only its uppercase verb-named methods become reachable.

import cherrypy

class ValidatedAPI(object):
    # MethodDispatcher still requires the resource itself to be exposed;
    # after that, only the HTTP-verb-named methods below are reachable.
    exposed = True

    # Explicitly define allowed HTTP verbs for this resource
    _cp_config = {
        'tools.allow.on': True,
        'tools.allow.methods': ['GET'],
    }

    @cherrypy.tools.json_out()
    def GET(self):
        return {"status": "secure"}

    def internal_logic(self):
        # NO @cherrypy.expose and not named after an HTTP verb - this cannot be reached via URL
        return "Private"


# Using MethodDispatcher to prevent unintended tree traversal
if __name__ == '__main__':
    conf = {
        '/': {
            'request.dispatch': cherrypy.dispatch.MethodDispatcher(),
            'tools.sessions.on': True,
        }
    }
    # Note: MethodDispatcher expects classes with GET/POST/PUT methods
    cherrypy.quickstart(ValidatedAPI(), '/', conf)
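Before and after applying the three steps above, it helps to audit what the dispatcher can actually reach. The following audit script is an added example written for this guide, not GuardAPI's or CherryPy's own code. It walks a handler tree the way CherryPy's default Dispatcher does (attribute by attribute, treating any attribute with exposed = True as a URL handler and descending into child controller objects whether or not they are exposed), reports the verbs each handler accepts from tools.allow config or from MethodDispatcher-style GET/POST method names, and diffs the result against a documented allowlist. The Root, Internal and Resource classes and the DOCUMENTED list are constructed sample input; the expose shim is only used when CherryPy is not installed and sets the same exposed attribute that cherrypy.expose sets.

```python
import inspect

try:
    import cherrypy
    expose = cherrypy.expose
except ImportError:
    # Shim used only when CherryPy is absent: cherrypy.expose does exactly this.
    def expose(func):
        func.exposed = True
        return func

HTTP_VERBS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}


def _allowed_verbs(handler):
    """Verbs a handler answers: tools.allow config if set, else verb-named methods, else any."""
    cfg = getattr(handler, "_cp_config", None) or {}
    methods = cfg.get("tools.allow.methods")
    if methods:
        return sorted(methods)
    if not inspect.isroutine(handler):
        # MethodDispatcher-style resource: the uppercase method names are the verbs
        verbs = sorted(v for v in dir(handler) if v in HTTP_VERBS)
        if verbs:
            return verbs
    return ["*"]  # exposed function with no tools.allow: every verb is accepted


def walk_exposed(node, prefix="", _seen=None):
    """Yield (url_path, handler) for every handler CherryPy's tree dispatch would reach."""
    if _seen is None:
        _seen = set()
    if id(node) in _seen:  # guard against cycles in the object graph
        return
    _seen.add(id(node))
    if getattr(node, "exposed", False) and not inspect.isroutine(node):
        # An exposed object answers its own directory (MethodDispatcher resource)
        yield (prefix or "/"), node
    for name, attr in inspect.getmembers(node):
        if name.startswith("_"):
            continue
        if inspect.isroutine(attr):
            if getattr(attr, "exposed", False):
                # 'index' answers the directory itself; other methods answer prefix/name
                yield (f"{prefix}/" if name == "index" else f"{prefix}/{name}"), attr
        elif type(attr).__module__ != "builtins":
            # Child controllers are traversed even when they are not exposed themselves
            yield from walk_exposed(attr, f"{prefix}/{name}", _seen)


def list_endpoints(root):
    """Map every reachable URL path to the list of verbs it accepts."""
    return {path: _allowed_verbs(handler) for path, handler in walk_exposed(root)}


def shadow_endpoints(root, documented):
    """Return reachable paths missing from the documented allowlist (the shadow API)."""
    return sorted(set(list_endpoints(root)) - set(documented))


# --- Constructed sample application tree (not from the original guide) ---
class Internal(object):
    @expose
    def debug_status(self):  # undocumented helper, reachable at /admin/debug_status
        return "leaking"

    def helper(self):  # never exposed: unreachable
        return "private"


class Resource(object):  # MethodDispatcher-style resource mounted at /api
    exposed = True

    def GET(self):
        return "read"

    def POST(self):
        return "write"


class Root(object):
    admin = Internal()   # child controller, not exposed itself but still traversed
    api = Resource()

    @expose
    def index(self):
        return "Public API v1"

    @expose
    def status(self):
        return "ok"
    status._cp_config = {"tools.allow.on": True, "tools.allow.methods": ["GET"]}


DOCUMENTED = ["/", "/status", "/api"]

if __name__ == "__main__":
    for path, verbs in sorted(list_endpoints(Root()).items()):
        print(f"{path:<25} {', '.join(verbs)}")
    print("shadow endpoints:", shadow_endpoints(Root(), DOCUMENTED))
```

Running it against the constructed tree lists four reachable paths and flags /admin/debug_status as the only undocumented one; note that / and /admin/debug_status accept any verb, which is what tools.allow or a MethodDispatcher resource closes off. Point list_endpoints at your real root object (before calling quickstart) and keep DOCUMENTED in sync with the published API spec to turn this into a CI check.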


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.