Fix Shadow API Exposure in Feathers
FeathersJS's 'batteries-included' philosophy is a double-edged sword. By default, every service you register via app.use() is automatically exposed to the transport layer (REST/WebSockets). Shadow API exposure happens when developers assume internal-only methods or administrative services are protected by obscurity. If a service is registered and not explicitly hardened, an attacker can discover it through directory brute-forcing or documentation scraping and execute unauthorized operations.
The Vulnerable Pattern
const { Service } = require('feathers-memory');

module.exports = function (app) {
  // VULNERABLE: Exposes all CRUD methods (find, get, create, update, patch, remove)
  // to the public internet without any access control or transport filtering.
  app.use('/admin-config', new Service());
};
The Secure Implementation
To kill Shadow APIs in Feathers, you must adopt a 'Deny by Default' posture. First, use the disallow('external') hook from feathers-hooks-common on any service method that should not be reachable via REST or WebSockets. The method remains callable from server-side code, but any call arriving through a transport is rejected with a 405 Method Not Allowed. Second, always use discard or keep hooks in the after block to prune sensitive fields from the JSON response, preventing data over-exposure. Finally, if a service exists purely for internal logic, do not register it with app.use() on the main application instance at all.
const { authenticate } = require('@feathersjs/authentication').hooks;
const { disallow, discard } = require('feathers-hooks-common');

module.exports = {
  before: {
    all: [authenticate('jwt')],
    // SECURE: Completely block external access to destructive methods.
    // These can still be called internally by the server logic.
    create: [disallow('external')],
    update: [disallow('external')],
    patch: [disallow('external')],
    remove: [disallow('external')]
  },
  after: {
    all: [
      // SECURE: Prevent internal metadata leakage in API responses
      discard('internal_key', 'secret_hash')
    ]
  }
};
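To see why the hooks above work, here is an added example (not the page's code and not feathers-hooks-common's implementation) that stands in for the Feathers hook contract: transport calls carry params.provider ('rest', 'socketio'), server-side calls do not, and that single field is what separates a 405 from a successful internal call. The disallowExternal and discardFields helpers, the sample store and the callService runner are all constructed for this example; the real hooks are asynchronous, these are synchronous for brevity.

```javascript
// Stand-in for the error disallow('external') raises in Feathers (status 405).
class MethodNotAllowed extends Error {
  constructor(message) {
    super(message);
    this.name = 'MethodNotAllowed';
    this.code = 405;
  }
}

// Feathers sets params.provider on transport calls and leaves it undefined for
// server-side calls; blocking on its presence is the whole "deny external" check.
function disallowExternal(context) {
  if (context.params.provider) {
    throw new MethodNotAllowed(`Provider '${context.params.provider}' can not call '${context.method}'.`);
  }
  return context;
}

// Non-mutating removal of fields from context.result (one record or an array),
// so the stored records keep their data while the response does not expose it.
function discardFields(...fields) {
  const omit = (rec) => Object.fromEntries(Object.entries(rec).filter(([k]) => !fields.includes(k)));
  return (context) => {
    context.result = Array.isArray(context.result) ? context.result.map(omit) : omit(context.result);
    return context;
  };
}

// Constructed sample store, plus a hooks object in the shape of a Feathers hooks file.
const store = [{ id: 1, name: 'site', internal_key: 'k-123', secret_hash: 'h-abc' }];
const hooks = {
  before: { create: [disallowExternal] },
  after: { all: [discardFields('internal_key', 'secret_hash')] },
};
const service = {
  find: () => store,
  create: (data) => { const rec = { id: store.length + 1, ...data }; store.push(rec); return rec; },
};

// Runs before hooks, the service method, then after hooks, in Feathers order.
function callService(method, data, params = {}) {
  let ctx = { method, data, params, type: 'before' };
  for (const h of [...(hooks.before.all ?? []), ...(hooks.before[method] ?? [])]) ctx = h(ctx);
  ctx.result = service[method](data);
  ctx.type = 'after';
  for (const h of [...(hooks.after.all ?? []), ...(hooks.after[method] ?? [])]) ctx = h(ctx);
  return ctx.result;
}
```

Calling callService('create', {...}, { provider: 'rest' }) throws the 405 while the same call without a provider succeeds, and every find result comes back without internal_key or secret_hash even though the store still holds them.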
Verified by Ghost Labs Security Team