GuardAPI Logo
GuardAPI

Fix Shadow API Exposure in ElysiaJS

Shadow APIs are the silent killers of modern microservices. In the context of ElysiaJS, shadow exposure occurs when developers leave 'temporary' debug routes, legacy endpoints, or undocumented internal tools active in production. If an endpoint isn't in your Swagger spec and guarded by strict schema validation, it's a liability. We're going to kill the shadows by enforcing visibility and strict structural integrity.

The Vulnerable Pattern

import { Elysia } from 'elysia';

const app = new Elysia()
// Standard endpoint
.get(‘/api/users’, () => ({ status: ‘success’ }))
// SHADOW API: Undocumented, no schema validation, potentially leaks env vars
.get(‘/debug/config’, () => process.env)
// SHADOW API: Legacy endpoint forgotten in codebase
.post(‘/internal/test-db’, ({ body }) => {
return { connected: true, input: body };
})
.listen(3000);

The Secure Implementation

To eliminate Shadow APIs, we implement a 'Visibility-First' strategy. First, we integrate @elysiajs/swagger to ensure all routes are discoverable and documented; if it's not in the docs, it shouldn't exist. Second, we use .guard() to wrap internal or sensitive routes, preventing unauthorized access to 'hidden' utility endpoints. Finally, we use Elysia's TypeBox integration (t.Object) to strictly define input/output schemas, preventing attackers from probing undocumented parameters in legacy routes.

import { Elysia, t } from 'elysia';
import { swagger } from '@elysiajs/swagger';

const app = new Elysia()
// 1. Force visibility: Every route must be in the OpenAPI spec
.use(swagger({
path: ‘/v1/docs’,
documentation: {
info: { title: ‘Production API’, version: ‘1.0.0’ }
}
}))
// 2. Explicit Grouping & Scoping
.group(‘/api/v1’, (app) => app
.get(‘/users’, () => ({ status: ‘success’ }), {
detail: { summary: ‘Fetch public users’ }
})
)
// 3. Guarding ‘Internal’ routes with Auth and strict Schemas
.guard({
beforeHandle: ({ set, headers }) => {
if (headers[‘x-service-key’] !== process.env.SERVICE_KEY) {
return (set.status = ‘Unauthorized’);
}
}
}, (app) => app
.get(‘/metrics’, () => ({ cpu: 0.5 }), {
response: t.Object({ cpu: t.Number() }),
detail: { summary: ‘Internal System Metrics’ }
})
)
.listen(3000);

System Alert • ID: 9543
Target: ElysiaJS API
Potential Vulnerability

Your ElysiaJS API might be exposed to Shadow API Exposure

74% of ElysiaJS apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.

RUN FREE SECURITY DIAGNOSTIC
GuardLabs Engine: ONLINE

Free Tier • No Credit Card • Instant Report

Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.

About GuardLabs → Follow us on X