GuardAPI

Fix Shadow API Exposure in Gatsby

Shadow APIs in Gatsby typically take two forms: Gatsby Functions (the serverless endpoints under `src/api/`, served at `/api/*`) that were deployed and then forgotten, and data that was pulled into the GraphQL layer at build time and is now shipped to every visitor in the static `page-data.json` files. Attackers scan `/api/*` for unauthenticated endpoints that leak environment variables, internal PII, or administrative capabilities. To secure the perimeter, you first need an inventory of what is actually deployed, then strict authorization, environment variable hygiene, and method validation on every endpoint that remains.

The Vulnerable Pattern

// src/api/user-details.js
// VULNERABILITY: No authentication, hardcoded secrets, and excessive data exposure
export default function handler(req, res) {
  const API_KEY = '7461-6b-30-6e-73-65-63-75-72-65';
  const { userId } = req.query;

  // Directly returning internal data without validation or authorization
  res.status(200).json({
    internal_key: API_KEY,
    db_connection: 'postgres://admin:password@localhost:5432/users',
    userData: { id: userId, role: 'admin', email: '[email protected]' }
  });
}

The Secure Implementation

The vulnerable snippet shows the classic Shadow API shape: an unauthenticated Gatsby Function that echoes a hardcoded key and a backend connection string to anyone who requests `/api/user-details`. The fix layers four controls: method guarding (reject anything but GET), identity verification (validate the bearer token in the Authorization header), input validation with object-level authorization (check `userId` before use, and let a valid token entitle the caller only to their own record unless they hold an admin role), and secret management (read keys from `process.env`, never hardcode them). One Gatsby-specific caveat: any variable prefixed `GATSBY_` is inlined into the client-side bundle at build time, so a secret used by a Function must use an unprefixed name. With these in place, an endpoint that is discovered by scanning still refuses unauthorized callers and reveals nothing about the backend.

// src/api/user-details.js
// SECURE: method guard, token verification, input validation, env vars, scoped response
import { verifyToken } from '../lib/auth'; // project helper: resolves to the caller's identity or null

export default async function handler(req, res) {
  // 1. Restrict HTTP methods
  if (req.method !== 'GET') {
    return res.status(405).json({ error: 'Method not allowed' });
  }

  // 2. Verify identity from the Authorization header
  const user = await verifyToken(req.headers.authorization);
  if (!user) {
    return res.status(401).json({ error: 'Unauthorized' });
  }

  // 3. Validate input and enforce object-level authorization: a valid token
  //    does not entitle the caller to any other user's record
  //    (user.id / user.role are assumed fields of the object verifyToken returns)
  const { userId } = req.query;
  if (typeof userId !== 'string' || !/^[\w-]{1,64}$/.test(userId)) {
    return res.status(400).json({ error: 'Invalid userId' });
  }
  if (userId !== user.id && user.role !== 'admin') {
    return res.status(403).json({ error: 'Forbidden' });
  }

  // 4. Read secrets from the environment. No GATSBY_ prefix: Gatsby inlines
  //    GATSBY_* variables into the browser bundle, which would leak the key.
  const EXTERNAL_API_KEY = process.env.SECURE_API_KEY;
  // ... use EXTERNAL_API_KEY for the upstream call; never echo it in the response

  res.status(200).json({ id: userId, status: 'active', timestamp: new Date().toISOString() });
}


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.