Missing Tls in Gin with Firestore
Missing Tls in Gin with Firestore — how this specific combination creates or exposes the vulnerability
When a Gin-based service communicates with Google Cloud Firestore without Transport Layer Security (TLS), credentials and data are exposed in transit. Firestore requires TLS for all REST and gRPC calls; without it, session tokens, IAM keys, and query parameters can be intercepted on the network path between the Gin application and Firestore endpoints.
In a Gin application, HTTP clients are often configured to call Firestore through the Google APIs REST endpoint (e.g., https://firestore.googleapis.com/v1/projects/{project}/databases/(default)/documents). If the client is configured to use http:// instead of https://, or if TLS verification is disabled to bypass certificate errors, the channel is unencrypted. This misconfiguration is especially risky in distributed environments where traffic traverses internal networks that are not fully isolated.
Because Firestore operations often include sensitive document content and IAM-bound metadata, missing TLS can lead to exposure of PII, business logic details, and token material that enables further compromise. MiddleBrick’s scans detect unencrypted connections to Firestore as a high-severity finding, highlighting both the lack of encryption in transit and the absence of enforced certificate validation in the Gin service code.
During an active scan, middleware that intercepts traffic or a malicious insider on the same network can observe request and response payloads. For example, an attacker who compromises DNS or routing can redirect plaintext HTTP calls to a rogue endpoint, capturing authentication tokens embedded in Firestore REST requests. The absence of TLS also prevents server-side certificate pinning, making the Gin app vulnerable to man-in-the-middle attacks even in seemingly trusted environments.
Compliance frameworks such as OWASP API Top 10 (2023) — specifically Security Misconfiguration and Insufficient Transport Layer Protection — explicitly flag missing TLS as a critical risk. PCI-DSS and SOC 2 similarly require encryption in transit for any cardholder or sensitive data, which Firestore commonly stores. The combination of Gin, Firestore, and missing TLS therefore represents a high-impact vector where detection by a scanner like MiddleBrick leads directly to prioritized remediation.
Firestore-Specific Remediation in Gin — concrete code fixes
Remediation centers on enforcing HTTPS with strict certificate validation for all Firestore calls from your Gin service. Avoid disabling TLS verification or using HTTP endpoints, even in development. Use the official Google client libraries which enforce TLS by default, and ensure your HTTP client configuration in Gin does not override these protections.
Example: secure Firestore client initialization in Go using the official Google Cloud SDK, called from a Gin handler. This code ensures TLS is used and server certificate validation is enforced.
import (
"context"
"log"
"net/http"
"cloud.google.com/go/firestore"
"github.com/gin-gonic/gin"
"google.golang.org/api/option"
)
func NewFirestoreClient(ctx context.Context) (*firestore.Client, error) {
// Uses Application Default Credentials with enforced TLS.
// Ensure your environment provides credentials securely.
client, err := firestore.NewClient(ctx, "your-project-id", option.WithCredentialsFile("path/to/service-account.json"))
if err != nil {
return nil, err
}
return client, nil
}
func GetDocument(c *gin.Context) {
ctx := c.Request.Context()
client, err := NewFirestoreClient(ctx)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create client"})
return
}
defer client.Close()
doc, err := client.Collection("items").Doc("abc123").Get(ctx)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to fetch document"})
return
}
c.JSON(http.StatusOK, doc.Data())
}
func CreateDocument(c *gin.Context) {
var input map[string]interface{}
if err := c.BindJSON(&input); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid payload"})
return
}
ctx := c.Request.Context()
client, err := NewFirestoreClient(ctx)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create client"})
return
}
defer client.Close()
_, _, err = client.Collection("items").Add(ctx, input)
if err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to create document"})
return
}
c.JSON(http.StatusCreated, gin.H{"status": "created"})
}
If you use a custom HTTP transport for performance or proxy reasons, preserve TLS integrity by retaining the system root CAs and avoiding InsecureSkipVerify. Example of a safe custom transport in Gin middleware:
import (
"crypto/tls"
"net/http"
)
func SecureTransport() *http.Transport {
return &http.Transport{
TLSClientConfig: &tls.Config{
MinVersion: tls.VersionTLS12,
// InsecureSkipVerify must remain false.
},
}
}
// Use this transport when constructing a custom client if needed.
// Do not set InsecureSkipVerify under any circumstances.
For applications that must call Firestore through intermediaries (e.g., internal proxies), ensure the proxy terminates TLS with a valid certificate and that the Gin client trusts the proxy’s CA. MiddleBrick’s scans will flag any HTTP calls to Firestore or missing certificate validation as high-risk, enabling teams to align with OWASP API Top 10 and compliance requirements.
Related CWEs: encryption
| CWE ID | Name | Severity |
|---|---|---|
| CWE-319 | Cleartext Transmission of Sensitive Information | HIGH |
| CWE-295 | Improper Certificate Validation | HIGH |
| CWE-326 | Inadequate Encryption Strength | HIGH |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | HIGH |
| CWE-328 | Use of Weak Hash | HIGH |
| CWE-330 | Use of Insufficiently Random Values | HIGH |
| CWE-338 | Use of Cryptographically Weak PRNG | MEDIUM |
| CWE-693 | Protection Mechanism Failure | MEDIUM |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation | HIGH |
| CWE-261 | Weak Encoding for Password | HIGH |