GuardAPI

Fix Shadow API Exposure in NestJS

Shadow APIs are the silent killers of enterprise security. In NestJS, they manifest as undocumented endpoints, legacy debug routes, or auto-generated controllers that bypass your security perimeter. If you can't see it, you can't secure it. Stop leaking PII through forgotten routes that lack guards, rate limiting, and logging.

The Vulnerable Pattern

import { Controller, Get } from '@nestjs/common';

@Controller('users')
export class UsersController {
  @Get()
  findAll() { return 'Public data'; }

  // SHADOW API: undocumented, no guards, legacy debug route left in production
  @Get('debug-internal-state')
  getInternalState() { return { status: 'active', env: process.env.NODE_ENV, db: 'connected' }; }
}

The Secure Implementation

To kill Shadow APIs, you must flip the security model to 'Deny All' by default. First, implement a Global Guard in main.ts so every route requires authentication unless explicitly decorated with a @Public() metadata tag. Second, strictly enforce OpenAPI (Swagger) documentation; if it's not in the docs, it shouldn't exist. Third, use DTOs (Data Transfer Objects) with 'whitelist: true' and 'forbidNonWhitelisted: true' in your ValidationPipe to prevent mass assignment and unintended data exposure through hidden fields.

// 1. main.ts: enforce 'secure by default' with a global guard
const reflector = app.get(Reflector);
app.useGlobalGuards(new JwtAuthGuard(reflector));

// 2. users.controller.ts: explicit opt-in for public routes
@ApiTags('users')
@Controller('users')
export class UsersController {
  @Public() // custom decorator: sets metadata that JwtAuthGuard reads to bypass global auth
  @Get()
  findAll() { return 'Public data'; }

  @UseGuards(RolesGuard) @Roles('admin')
  @Get('admin-stats') @ApiOperation({ summary: 'Documented admin-only route' })
  getStats() { return { stats: 'secure' }; }

  // Debug route removed, or restricted via environment checks
}
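As an added illustration, not code from this page: a framework-free model of the deny-by-default guard described above. The `metadata` store, `reflector` and `Ctx` stand in for NestJS's SetMetadata, Reflector and ExecutionContext so the block runs without @nestjs packages, and `VALID_TOKEN` is a constructed placeholder for real JWT verification; the guard body itself follows the Reflector getAllAndOverride pattern.

```typescript
// Framework-free model of the deny-by-default global guard. The metadata store,
// reflector and Ctx are stand-ins for NestJS internals (assumption, see lead-in).
type Target = object;
const metadata = new Map<Target, Record<string, unknown>>();

// Stand-in for SetMetadata(): attach a key/value to a handler or class.
function setMetadata(target: Target, key: string, value: unknown): void {
  metadata.set(target, { ...(metadata.get(target) ?? {}), [key]: value });
}

// Stand-in for Reflector.getAllAndOverride(): the first target carrying the
// key wins, so handler-level metadata overrides class-level metadata.
const reflector = {
  getAllAndOverride<T>(key: string, targets: Target[]): T | undefined {
    for (const t of targets) {
      const v = metadata.get(t)?.[key];
      if (v !== undefined) return v as T;
    }
    return undefined;
  },
};

interface Ctx { getHandler(): Target; getClass(): Target; authorization?: string }

export const IS_PUBLIC_KEY = 'isPublic';
const VALID_TOKEN = 'constructed-valid-token'; // placeholder for JWT verification

// Deny by default: a route passes only if it opted in via @Public() metadata
// or the request carries a valid bearer token.
export function canActivate(ctx: Ctx): boolean {
  const isPublic = reflector.getAllAndOverride<boolean>(
    IS_PUBLIC_KEY, [ctx.getHandler(), ctx.getClass()]);
  if (isPublic) return true;
  const [scheme, token] = (ctx.authorization ?? '').split(' ');
  return scheme === 'Bearer' && token === VALID_TOKEN;
}

// Constructed controller: one route opted in as public, one forgotten debug
// route with no metadata at all (the shadow API from the vulnerable pattern).
export class UsersController {
  findAll() { return 'Public data'; }
  getInternalState() { return { env: 'production' }; }
}
setMetadata(UsersController.prototype.findAll, IS_PUBLIC_KEY, true);

// Simulate the guard running for a request against a given handler.
export function request(handler: Target, authorization?: string): boolean {
  return canActivate({ getHandler: () => handler, getClass: () => UsersController, authorization });
}
```

The forgotten debug route is rejected without a token even though nobody wrote a guard for it, which is the whole point of flipping to deny-all.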


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.