Pii Leakage in Chi with Api Keys
Pii Leakage in Chi with Api Keys — how this specific combination creates or exposes the vulnerability
Pii Leakage in Chi with Api Keys occurs when API keys intended for service-to-service authentication are accidentally exposed in responses that also contain personally identifiable information. Chi, a functional programming language often used for building HTTP services, does not inherently enforce separation between authentication material and user data. If a developer writes route handlers that return both an API key (for downstream authorization) and user data in the same JSON payload, the key can be treated as a data field and returned to clients.
This typically happens when logging or debugging code is left in production, or when authorization middleware attaches the key to the request context and the handler serializes the entire context. For example, a Chi endpoint that retrieves a user profile might also pull an API key from a context value and embed it in the response. An attacker who gains access to the response can harvest the key and use it to escalate privileges or access other services, while the user’s PII (such as email or name) is simultaneously exposed, compounding the impact.
Chi applications that use middleware to inject API keys into request contexts are especially at risk if developers inadvertently serialize contexts or pass them to response builders. Because the API key is often a bearer token, its exposure can enable unauthorized access to downstream systems. When this key is leaked alongside Pii, the breach becomes multi-dimensional: credential compromise plus identity data. The scanner’s LLM/AI Security checks include output scanning for API keys and Pii, which helps detect such leakage in unauthenticated attack surfaces tested by middleBrick.
Additionally, improper error handling in Chi can contribute to Pii Leakage with Api Keys. If panics or invalid inputs cause the server to return stack traces or debug information, keys stored in variables might be included in logs or error responses. The combination of Chi’s pattern-matching style and verbose error messages can unintentionally surface keys in formats that are easily parsed by attackers. Regular scans with middleBrick’s authentication and data exposure checks can surface these issues before they reach production.
Api Keys-Specific Remediation in Chi — concrete code fixes
To remediate Pii Leakage in Chi with Api Keys, ensure API keys are never included in HTTP responses. Store keys in server-side contexts or secure vaults, and only use them to authorize outbound calls. In Chi, leverage the context package to pass keys as request-scoped values without exposing them to handlers that build responses.
Example of unsafe code that leaks an API key in a JSON response:
import "github.com/go-chi/chi/v5"
import "net/http"
func unsafeHandler(apiKey string) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
response := map[string]string{
"user_email": r.Context().Value("email").(string),
"api_key": apiKey,
}
json.NewEncoder(w).Encode(response)
}
}
In the example above, the API key is serialized directly into the JSON output, exposing both Pii (email) and credentials. An attacker who intercepts or gains application access can extract the key.
Secure alternative that keeps the API key server-side:
import "context"
import "github.com/go-chi/chi/v5"
import "net/http"
func secureHandler(ctx context.Context) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// Retrieve user data only
email := r.Context().Value("email").(string)
// Use the API key from context for outbound calls, do not return it
apiKey := ctx.Value("apiKey").(string)
_ = apiKey // Use apiKey to call downstream services securely
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"user_email": email,
})
}
}
In the secure handler, the API key is kept in a server-side context and never added to the HTTP response. The client only receives non-sensitive data. middleBrick’s CLI can be used to validate this remediation by running middlebrick scan <url> and verifying that no API keys appear in scan findings.
Additional remediation steps include sanitizing error messages in Chi by using structured error handlers that omit sensitive variables, and ensuring middleware does not attach API keys to request contexts that are serialized for logging or tracing. The GitHub Action can enforce these rules in CI/CD, failing builds if high-severity findings related to credential exposure are detected.
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |
Frequently Asked Questions
How can I test if my Chi API is leaking API keys alongside Pii?
middlebrick scan <your-endpoint>. The scan includes output scanning for API keys and Pii. If findings show both in the same response, remediate by removing the key from the response body and keeping it server-side.