GuardAPI

Fix Shadow API Exposure in CodeIgniter

Shadow APIs in CodeIgniter occur when developers rely on legacy auto-routing or fail to restrict access to internal controller methods, leaving undocumented endpoints exposed to discovery via fuzzing. In CI4, the 'Auto-Route' feature is a primary vector, mapping any public method in a controller to a URI, regardless of whether it was intended for production. This allows attackers to hit legacy debug functions or administrative hooks that were never meant to be public-facing.

The Vulnerable Pattern

// app/Config/Routes.php
$routes->setAutoRoute(true); // CRITICAL: Allows any public method to be called via URI

// app/Controllers/User.php
<?php

namespace App\Controllers;

class User extends BaseController
{
    public function profile()
    {
        // Legitimate endpoint
    }

    public function internal_debug_export()
    {
        // SHADOW ENDPOINT: reachable as /user/internal_debug_export because of Auto-Route
        $db = \Config\Database::connect();

        return $this->response->setJSON($db->table('users')->get()->getResult());
    }
}

The Secure Implementation

To kill Shadow APIs, you must enforce a 'Deny-by-Default' routing policy. First, set `$routes->setAutoRoute(false)` in app/Config/Routes.php; this stops CI from automatically mapping URIs to public controller methods. Second, explicitly define every legitimate endpoint with a strict HTTP verb (GET, POST, etc.) and group those routes under an authentication filter. Finally, declare every internal or helper method in your controllers as 'protected' or 'private' so it cannot be invoked as an endpoint even if routing is later misconfigured.

// app/Config/Routes.php
$routes->setAutoRoute(false); // Force explicit route definitions

// Define a strict allow-list of endpoints
$routes->group('api/v1', ['filter' => 'api_auth'], static function ($routes) {
    $routes->get('user/profile', 'User::profile');
});

// app/Filters/ApiAuth.php
<?php

namespace App\Filters;

use CodeIgniter\Filters\FilterInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use Config\Services;

// The 'api_auth' alias used above must be registered in app/Config/Filters.php:
//   public array $aliases = ['api_auth' => \App\Filters\ApiAuth::class, ...];
class ApiAuth implements FilterInterface
{
    // Ensure all API calls are authenticated to prevent unauthorized discovery
    public function before(RequestInterface $request, $arguments = null)
    {
        // NOTE: this only checks that the header is present. Validate the key's
        // value against your key store before treating the caller as authorized.
        if (!$request->getHeaderLine('X-API-KEY')) {
            return Services::response()->setStatusCode(401);
        }
    }

    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
    {
        // No post-processing needed for this filter
    }
}
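A routing policy like the one above is only as good as the regression test that keeps it in place. The following CodeIgniter 4 feature test is an added example, not code from the page or from GuardAPI; it assumes the `User` controller, the `api/v1` route group and the `api_auth` filter shown above are in place, that `profile()` returns a 200 response, and it uses a constructed placeholder API key. It asserts that auto-routing stays off, that the legacy debug method is no longer reachable by URI, and that the allow-listed endpoint rejects requests without an API key.

```php
<?php
// tests/feature/ShadowApiTest.php (added example, not part of the original page)

namespace Tests\Feature;

use CodeIgniter\Exceptions\PageNotFoundException;
use CodeIgniter\Test\CIUnitTestCase;
use CodeIgniter\Test\FeatureTestTrait;

final class ShadowApiTest extends CIUnitTestCase
{
    use FeatureTestTrait;

    // Guard the configuration itself: a later edit that re-enables auto-routing
    // would silently re-expose every public controller method.
    public function testAutoRoutingIsDisabled(): void
    {
        $routes = service('routes');

        $this->assertFalse($routes->shouldAutoRoute(), 'Auto-routing must stay disabled');
    }

    // With auto-routing off and no explicit route, the legacy debug method must
    // not resolve. In CodeIgniter's testing environment an unrouted URI surfaces
    // as PageNotFoundException rather than a rendered 404 page.
    public function testLegacyDebugMethodIsNotRoutable(): void
    {
        $this->expectException(PageNotFoundException::class);

        $this->get('user/internal_debug_export');
    }

    // The allow-listed endpoint exists, but the api_auth filter must reject
    // anonymous discovery attempts before the controller runs.
    public function testAllowListedEndpointRequiresApiKey(): void
    {
        $result = $this->get('api/v1/user/profile');

        $result->assertStatus(401);
    }

    // A request carrying the header reaches the controller. The key value here is
    // a constructed placeholder; the real filter should validate it against a store.
    public function testAllowListedEndpointAcceptsApiKey(): void
    {
        $result = $this->withHeaders(['X-API-KEY' => 'test-key-placeholder'])
            ->get('api/v1/user/profile');

        $result->assertOK();
    }
}
```

Run it with `vendor/bin/phpunit tests/feature/ShadowApiTest.php`. The first test is the one most worth keeping: it fails the build the moment someone turns `setAutoRoute` back on, which is how shadow endpoints usually reappear.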

Verified by Ghost Labs Security Team
