GuardAPI

Fix Shadow API Exposure in Fastify

Shadow APIs are the silent killers of modern infrastructure. In Fastify, these undocumented, unvalidated endpoints emerge when developers bypass schema definitions or fail to register routes within a centralized documentation framework. If an endpoint isn't defined by a schema and exposed via OpenAPI, it's a blind spot for your WAF and a playground for attackers.

The Vulnerable Pattern

const fastify = require('fastify')();
const db = require('./db'); // database client (assumed here to expose users.findOne())

// VULNERABLE: No schema, no documentation, no output filtering.
// Attackers can fuzz parameters or receive sensitive internal DB fields.
fastify.get('/api/internal/user', async (request, reply) => {
  const user = await db.users.findOne({ id: request.query.id });
  return user; // Leaks password hashes, internal IDs, and metadata
});

fastify.listen({ port: 3000 });

The Secure Implementation

To kill Shadow APIs in Fastify, you must enforce a 'Schema-First' architecture. First, use @fastify/swagger to automatically generate OpenAPI specs; if a route isn't in the docs, it shouldn't exist. Second, implement strict JSON Schema validation for both 'querystring' and 'body' to prevent parameter injection. Most importantly, define a 'response' schema. Fastify's internal serializer (fast-json-stringify) will automatically strip out any fields not explicitly defined in the schema, preventing accidental PII leakage from your database objects.

const fastify = require('fastify')({ logger: true });
const swagger = require('@fastify/swagger');
const swaggerUi = require('@fastify/swagger-ui');
const db = require('./db'); // database client (assumed here to expose users.findOne())

// 1. Centralized Documentation
fastify.register(swagger);
fastify.register(swaggerUi, { routePrefix: '/docs' });

// 2. Strict Schema Enforcement
const getUserSchema = {
  schema: {
    description: 'Get user public profile',
    querystring: {
      type: 'object',
      required: ['id'],
      properties: {
        id: { type: 'string', pattern: '^[0-9a-fA-F]{24}$' } // 24 hex chars, nothing else is accepted
      }
    },
    // Only the properties listed here are serialized. Note that this applies to
    // 200 responses only; status codes without a schema fall back to plain JSON serialization.
    response: {
      200: {
        type: 'object',
        properties: {
          username: { type: 'string' },
          email: { type: 'string', format: 'email' }
        }
      }
    }
  }
};

fastify.get('/api/user', getUserSchema, async (request, reply) => {
  const user = await db.users.findOne({ id: request.query.id });
  return user; // Fastify now strips any field not in the 200 response schema
});
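The two controls the text relies on, modelled as an added example (not GuardAPI's or Fastify's own code): serializeByResponseSchema() reproduces the allowlisting behaviour of Fastify's fast-json-stringify on a record like the one the secure route returns, and shadowRoutes() compares the routes Fastify actually registers against the paths in the generated OpenAPI document. The schema, the database row and the route table are constructed sample data; the functions run with plain Node.js and no packages.

```javascript
// Added example, not GuardAPI's code. serializeByResponseSchema() mirrors how Fastify's
// fast-json-stringify emits only declared properties; shadowRoutes() lists registered
// routes absent from the OpenAPI document. All sample data below is constructed.
const userResponseSchema = { // same shape as the 200 schema of the secure /api/user route
  type: 'object',
  properties: {
    username: { type: 'string' },
    email: { type: 'string', format: 'email' },
    profile: { type: 'object', properties: { displayName: { type: 'string' } } },
  },
};
// Constructed DB row carrying fields that must never reach the client.
const sampleRow = {
  _id: '5f1d7f3e9c8b4a2d1e0f9a7b', username: 'alice', email: 'alice@example.com',
  passwordHash: '$2b$10$constructedhash', profile: { displayName: 'Alice', internalFlags: 3 },
};
// Keep only what the schema declares: undeclared keys are dropped, nested objects are
// filtered recursively, arrays use the `items` schema, scalars pass through unchanged.
function serializeByResponseSchema(schema, value) {
  if (schema.type === 'object' && value && typeof value === 'object') {
    const out = {};
    for (const [key, sub] of Object.entries(schema.properties || {})) {
      if (key in value) out[key] = serializeByResponseSchema(sub, value[key]);
    }
    return out;
  }
  if (schema.type === 'array' && Array.isArray(value)) {
    return value.map((item) => serializeByResponseSchema(schema.items || {}, item));
  }
  return value;
}

// Fastify's onRoute hook reports each route as { method, url } with ':id' params, while
// OpenAPI paths use '{id}'. Normalise, then report anything the spec does not document.
const HTTP_METHODS = /^(get|put|post|delete|options|head|patch|trace)$/i;
function shadowRoutes(registered, openapi) {
  const documented = new Set();
  for (const [path, ops] of Object.entries(openapi.paths || {})) {
    for (const m of Object.keys(ops).filter((k) => HTTP_METHODS.test(k))) documented.add(`${m.toUpperCase()} ${path}`);
  }
  return registered
    .map((r) => `${r.method.toUpperCase()} ${r.url.replace(/:([A-Za-z0-9_]+)/g, '{$1}')}`)
    .filter((key) => !documented.has(key));
}

// Constructed route table and spec: the undocumented internal route is the shadow API.
const registeredRoutes = [{ method: 'GET', url: '/api/user' }, { method: 'GET', url: '/api/internal/user' },
  { method: 'GET', url: '/api/user/:id/avatar' }];
const openapiDoc = { paths: { '/api/user': { get: {} }, '/api/user/{id}/avatar': { get: {} } } };
console.log(serializeByResponseSchema(userResponseSchema, sampleRow), shadowRoutes(registeredRoutes, openapiDoc));
```

Running the same comparison from an onRoute hook against the document @fastify/swagger produces at startup turns the "if a route isn't in the docs, it shouldn't exist" rule into a check that fails the build rather than a convention.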


Verified by Ghost Labs Security Team
