GuardAPI

Fix Shadow API Exposure in Hanami

Shadow APIs are the silent killers of perimeter security. In Hanami, these manifest when developers rely on implicit routing, permissive wildcards, or legacy internal namespaces that remain reachable in production. An attacker probes for these 'ghost' endpoints to bypass WAFs or hit unmonitored business logic. Hardening Hanami requires a shift from 'convention over configuration' to 'explicit deny' routing.

The Vulnerable Pattern

Hanami.application.routes do
  # DANGEROUS: Permissive wildcard routing allows attackers to probe internal logic
  get '/debug/*path', to: 'debug#handler'

  # DANGEROUS: Mounting an entire engine/namespace without explicit endpoint control
  mount Internal::LegacyAPI, at: '/internal'

  # DANGEROUS: Lack of versioning makes it easy to leave 'shadow' v1 endpoints active
  get '/users', to: 'users.index'
end

The Secure Implementation

To kill Shadow APIs in Hanami:

1. Eliminate Wildcards: Never use splat (*) routes for internal handlers; they are entry points for path traversal and discovery.
2. Explicit Namespacing: Use Hanami's scope and namespace features to force versioning (v1, v2), ensuring old endpoints are deprecated and removed rather than left as 'shadow' targets.
3. Contract-First Actions: Use Hanami::Action's built-in 'params' validation (dry-validation) to ensure that even if an endpoint is discovered, it rejects any input not matching a strict schema.
4. Route Auditing: Integrate 'bundle exec hanami routes' into your CI/CD pipeline to verify the attack surface against a known-good manifest before deployment.

Hanami.application.routes do
  # SECURE: Explicitly defined, versioned routes with constraints
  scope 'api/v2' do
    get '/users', to: 'api.v2.users.index', constraints: { format: :json }
  end

  # SECURE: Protect internal tools with robust authentication guards.
  # `authenticate` is not a built-in Hanami router helper; it stands for an
  # app-specific guard that wraps the mount in an authentication check.
  authenticate :admin_user do
    mount Sidekiq::Web, at: '/sidekiq'
  end
end

# Action level: Strict parameter validation to prevent probing
module API
  module V2
    module Users
      class Index < Hanami::Action
        params do
          required(:account_id).filled(:string)
        end

        def handle(req, res)
          # Declaring a schema does not reject requests by itself: the action
          # must check validity and halt, otherwise malformed input still reaches the logic
          halt 422 unless req.params.valid?

          # Logic restricted to validated schema
        end
      end
    end
  end
end
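Step 4 above (route auditing) is the one that catches the first three regressing. The following is an added example, not GuardAPI's or Hanami's own code: a small stdlib-only Ruby script that parses a `hanami routes`-style listing, compares it against a known-good manifest committed to the repo, and flags wildcard routes, unversioned routes and routes that nobody approved. The listing format (one `VERB PATH ENDPOINT` line per route), the manifest format (`VERB PATH` lines), the `/api/v<n>/` versioning convention and the sample data are all assumptions constructed for the example; wire the real `bundle exec hanami routes` output into `audit_routes` in CI.

```ruby
require "set"

# Added example (not GuardAPI's or Hanami's code). Audits a route listing
# against a known-good manifest so shadow endpoints fail the build.

Route = Struct.new(:verb, :path, :endpoint, keyword_init: true)

# Assumed versioning convention for public API routes.
VERSIONED = %r{\A/api/v\d+/}

# Parse a `hanami routes`-style listing: one route per line, columns are
# VERB, PATH, ENDPOINT separated by whitespace (assumed format).
def parse_routes(listing)
  listing.each_line.filter_map do |line|
    verb, path, endpoint = line.strip.split(/\s+/, 3)
    next if verb.nil? || verb.empty? || verb.start_with?("#")
    Route.new(verb: verb.upcase, path: path, endpoint: endpoint)
  end
end

# Known-good manifest: every production route as "VERB PATH", one per line.
def manifest_set(manifest)
  Set.new(manifest.each_line.map(&:strip).reject(&:empty?))
end

# Policy for a single route. Wildcards are never acceptable, even if someone
# added them to the manifest; everything else is judged against the manifest.
def classify(route, allowed)
  key = "#{route.verb} #{route.path}"
  return :wildcard if route.path.include?("*")
  return :ok if allowed.include?(key)
  return :unversioned unless route.path.match?(VERSIONED)
  :unknown # versioned path, but nobody approved it
end

# Returns one finding string per offending route; an empty array means the
# deployed surface matches the manifest exactly.
def audit_routes(listing, manifest)
  allowed = manifest_set(manifest)
  parse_routes(listing).filter_map do |r|
    verdict = classify(r, allowed)
    next if verdict == :ok
    format("%-11s %s %s -> %s", verdict.to_s.upcase, r.verb, r.path, r.endpoint)
  end
end

# Constructed sample listing mirroring the vulnerable and secure patterns above.
SAMPLE_LISTING = <<~ROUTES
  GET     /api/v2/users     api.v2.users.index
  POST    /api/v2/users     api.v2.users.create
  GET     /users            users.index
  GET     /debug/*path      debug#handler
  GET     /internal         Internal::LegacyAPI
  GET     /sidekiq          Sidekiq::Web
ROUTES

# Constructed manifest: only the routes the team has explicitly approved.
KNOWN_GOOD_MANIFEST = <<~MANIFEST
  GET /api/v2/users
  POST /api/v2/users
  GET /sidekiq
MANIFEST

if $PROGRAM_NAME == __FILE__
  findings = audit_routes(SAMPLE_LISTING, KNOWN_GOOD_MANIFEST)
  if findings.empty?
    puts "route surface matches manifest"
  else
    puts "shadow API findings:"
    findings.each { |f| puts "  #{f}" }
  end
end
```

In a pipeline, feed the real listing in (for example `audit_routes(`bundle exec hanami routes`, File.read("config/routes.manifest"))`) and fail the job when the array is non-empty; the manifest then becomes a reviewed artifact, so adding a route is a visible diff rather than a silent widening of the attack surface. Routes like `/sidekiq` that are intentionally unversioned stay allowed only because they are listed explicitly.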
