Fix Shadow API Exposure in Polka
Shadow APIs are the silent killers of your attack surface. In Polka's minimalist architecture, it is dangerously easy to mount 'ghost' routes (debug endpoints, legacy test handlers) that bypass your primary security middleware. If a route isn't explicitly mapped under your auth stack, it's a backdoor for attackers to exfiltrate system state or bypass business logic.
The Vulnerable Pattern
```js
const polka = require('polka');
const app = polka();

// Illustrative token check: a fixed string keeps the example short.
const authenticate = (req, res, next) => {
  const token = req.headers['authorization'];
  if (token === 'secret') return next();
  res.statusCode = 401;
  res.end('Unauthorized');
};

// VULNERABILITY: Middleware is scoped ONLY to /api
app.use('/api', authenticate);

app.get('/api/user', (req, res) => res.end('Authorized access'));

// SHADOW API: This route is outside the /api scope.
// It remains exposed to the public without any authentication.
app.get('/debug/config', (req, res) => {
  res.end(JSON.stringify(process.env));
});

app.listen(3000);
```
The Secure Implementation
The vulnerability stems from 'Partial Middleware Application'. By mounting the `authenticate` middleware on the `/api` prefix, any route defined outside that prefix (like `/debug/config`) is completely unprotected. To fix this:
1) Enforce security middleware globally at the root level.
2) Utilize nested Polka instances (sub-routers) to ensure all logic is encapsulated within protected namespaces.
3) Implement a final 'catch-all' handler to ensure that any unmapped or forgotten shadow routes return a 404 instead of default framework behavior.
```js
const polka = require('polka');

const authenticate = (req, res, next) => {
  const token = req.headers['authorization'];
  if (token === 'secret') return next();
  res.statusCode = 401;
  res.end('Unauthorized');
};

// 3. DEFAULT DENY: Catch-all for undocumented paths.
// Registered via Polka's onNoMatch option rather than as a trailing app.use():
// on polka 0.5.x every use() middleware runs before route matching regardless
// of registration order, so a trailing app.use() 404 would answer every request.
// onNoMatch runs only after the global middleware and the route lookup.
const app = polka({
  onNoMatch: (req, res) => {
    res.statusCode = 404;
    res.end('Endpoint Not Found');
  }
});

// 1. GLOBAL ENFORCEMENT: Apply auth to the root
app.use(authenticate);

// 2. NAMESPACING: Use sub-routers for versioning and clarity
const v1 = polka()
  .get('/user', (req, res) => res.end('Authorized access'));

app.use('/api/v1', v1);

app.listen(3000);
```
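As an added check, not code from this page or from the Polka project: a small static audit that scans a Polka source file for `app.METHOD('/path', ...)` registrations and reports the ones that fall outside every prefix on which an auth middleware is mounted, which is exactly the gap the vulnerable pattern above opens. It assumes the application variable is literally `app`, that routes use literal string paths, and that the auth middleware names are supplied in `authNames`; the two source samples are constructed from this page's patterns.

```javascript
// Constructed sample: the 'Partial Middleware Application' pattern from this page.
const VULNERABLE_SRC = `
const app = polka();
app.use('/api', authenticate);
app.get('/api/user', (req, res) => res.end('Authorized access'));
app.get('/debug/config', (req, res) => res.end(JSON.stringify(process.env)));
`;

// Constructed sample: auth mounted at the root, so every route is covered.
const SECURE_SRC = `
app.use(authenticate);
app.use('/api/v1', v1);
app.get('/healthz', (req, res) => res.end('ok'));
app.use((req, res) => { res.statusCode = 404; res.end('Endpoint Not Found'); });
`;

// app.get('/path', ...) style registrations with a literal path (heuristic, assumption).
const ROUTE_RE = /\bapp\.(get|post|put|patch|delete|head|options|all)\(\s*(['"])([^'"]+)\2/g;
// app.use(fn) or app.use('/prefix', fn) where fn is a plain identifier.
const MOUNT_RE = /\bapp\.use\(\s*(?:(['"])([^'"]+)\1\s*,\s*)?([A-Za-z_$][\w$]*)/g;

// Strip trailing slashes; a missing prefix means the middleware is global ('/').
function normalisePrefix(prefix) {
  if (prefix === undefined) return '/';
  return prefix.replace(/\/+$/, '') || '/';
}

// Segment-aware containment, so '/api' does not accidentally cover '/apiv2/...'.
function covered(prefix, path) {
  return prefix === '/' || path === prefix || path.startsWith(prefix + '/');
}

// Returns the routes registered on `app` that no auth middleware mount covers.
function findShadowRoutes(src, authNames = ['authenticate']) {
  const guarded = [];
  for (const m of src.matchAll(MOUNT_RE)) {
    if (authNames.includes(m[3])) guarded.push(normalisePrefix(m[2]));
  }
  const shadow = [];
  for (const m of src.matchAll(ROUTE_RE)) {
    const route = { method: m[1].toUpperCase(), path: m[3] };
    if (!guarded.some(p => covered(p, route.path))) shadow.push(route);
  }
  return shadow;
}

console.log(findShadowRoutes(VULNERABLE_SRC)); // [{ method: 'GET', path: '/debug/config' }]
console.log(findShadowRoutes(SECURE_SRC));     // []
```

Run it against each file that registers routes; the check is a text heuristic, so routes built from variables or registered on a differently named instance need a manual review.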
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.