GuardAPI
Automated Security Protocol

How to fix Shadow API Exposure in Phoenix

Executive Summary

Shadow APIs in Phoenix occur when undocumented or 'internal-only' routes bypass the router's security pipelines, usually through developer oversight or leftover scaffolding. Because these endpoints never pass through authentication, rate limiting, or logging plugs, they operate in the dark and provide a stealthy path for data exfiltration.

The Vulnerable Pattern

VULNERABLE CODE
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  # Vulnerable: this scope bypasses the :api pipeline entirely.
  # No authentication, no CSRF protection, no telemetry.
  scope "/debug" do
    get "/dump_users", MyAppWeb.DebugController, :index
  end

  pipeline :api do
    plug :accepts, ["json"]
    plug MyAppWeb.Plugs.Authenticate
  end

  scope "/api", MyAppWeb do
    pipe_through :api
    resources "/orders", OrderController
  end
end

The Secure Implementation

To eliminate Shadow APIs, enforce a 'Secure by Default' routing architecture. First, ensure every scope uses 'pipe_through' with an authentication plug, and avoid top-level scopes that bypass the standard pipelines; a nested scope adds its pipelines to those of its parent, so placing internal routes inside the authenticated scope guarantees they inherit authentication. Second, run 'mix phx.routes' in your CI/CD pipeline to audit the attack surface: it lists every compiled route, so undocumented endpoints cannot hide. Third, use Phoenix Telemetry to monitor traffic to all routes; any high-traffic endpoint not accounted for in your OpenAPI/Swagger documentation is a shadow candidate that must be secured or removed.

SECURE CODE
defmodule MyAppWeb.Router do
  use MyAppWeb, :router

  pipeline :api do
    plug :accepts, ["json"]
    plug MyAppWeb.Plugs.Authenticate
  end

  pipeline :admin_only do
    plug MyAppWeb.Plugs.RequireRole, :admin
  end

  # Secure: every route is explicitly piped through security logic.
  scope "/api", MyAppWeb do
    pipe_through :api

    # Nested scope inherits :api and additionally requires the admin role.
    scope "/internal" do
      pipe_through :admin_only
      get "/system_health", DebugController, :index
    end

    resources "/orders", OrderController
  end
end
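As an added example that is not part of the original page, the following ExUnit test turns the route audit described above into a CI build gate: it fails when any route can be reached without passing through an authenticating pipeline. It assumes the pipeline names :api and :admin_only from the secure router above, a hypothetical public health check at /healthz, and Phoenix.Router.routes/1 (Phoenix 1.7+).

```elixir
defmodule MyAppWeb.RouterAuditTest do
  # Added CI guard (not from the original page): fails the build when any
  # compiled route is reachable without an authenticating pipeline.
  use ExUnit.Case, async: true

  # Pipelines that enforce authentication. Assumed names, matching the
  # secure router above; adjust to your own pipeline names.
  @auth_pipelines [:api, :admin_only]

  # Routes that are intentionally public. Constructed example entry; every
  # addition here is a deliberate, reviewable decision.
  @public_allowlist [{:get, "/healthz"}]

  @doc "Returns the routes that are neither allowlisted nor authenticated."
  def unprotected_routes(routes) do
    Enum.reject(routes, fn route ->
      allowlisted? = {route.verb, route.path} in @public_allowlist
      authenticated? = Enum.any?(route.pipe_through, &(&1 in @auth_pipelines))
      allowlisted? or authenticated?
    end)
  end

  test "every route passes through an authenticating pipeline" do
    # Phoenix.Router.routes/1 returns one entry per route with :verb, :path,
    # :plug and :pipe_through (Phoenix 1.7+; older releases expose the same
    # data via MyAppWeb.Router.__routes__/0).
    offenders =
      MyAppWeb.Router
      |> Phoenix.Router.routes()
      |> unprotected_routes()
      |> Enum.map(&"#{String.upcase(to_string(&1.verb))} #{&1.path} -> #{inspect(&1.plug)}")

    assert offenders == [],
           "Shadow API candidates (no auth pipeline, not allowlisted):\n" <>
             Enum.join(offenders, "\n")
  end

  test "the audit flags the /debug scope from the vulnerable router" do
    # Constructed route entries shaped like the vulnerable example above.
    routes = [
      %{verb: :get, path: "/debug/dump_users", plug: MyAppWeb.DebugController, pipe_through: []},
      %{verb: :get, path: "/api/orders", plug: MyAppWeb.OrderController, pipe_through: [:api]},
      %{verb: :get, path: "/healthz", plug: MyAppWeb.HealthController, pipe_through: []}
    ]

    assert Enum.map(unprotected_routes(routes), & &1.path) == ["/debug/dump_users"]
  end
end
```

Run it with the rest of the suite via `mix test`; the failure message names each offending verb, path and controller so the route can be secured or removed.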


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.