Security Misconfiguration in Adonisjs

Security misconfiguration in Adonisjs often stems from default settings that expose sensitive information or create attack vectors. The framework's flexibility, while powerful, can lead to dangerous defaults if not properly secured.

One common manifestation is improper CORS configuration. Adonisjs's CORS middleware defaults to allowing all origins when using cors: true in config/cors.js. This opens your API to cross-origin requests from any domain, potentially exposing sensitive endpoints to malicious websites.

// Dangerous default - allows ANY origin
export const cors = {
  origin: true, // This allows all origins!
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  credentials: true
}

Another frequent issue is verbose error handling. Adonisjs's development environment displays detailed stack traces and exception information by default. When deployed to production without proper configuration, these error pages can reveal database schemas, file paths, and internal logic that attackers can exploit.

// config/app.js
export const http = {
  // Dangerous in production - shows full stack traces
  debug: true,
  // Should be set to 'production' in production
  environment: Env.get('NODE_ENV', 'development')
}

Session security misconfiguration is particularly problematic in Adonisjs applications. The default session configuration may use weak secrets or allow insecure cookie settings that expose session data to interception.

// config/session.js - common misconfigurations
export const session = {
  secret: Env.get('SESSION_SECRET', 'your-default-secret-here'), // Weak default!
  cookie: {
    httpOnly: true,
    // Missing secure: true means cookies sent over HTTP
    // Missing sameSite: 'strict' allows CSRF
  }
}

Middleware ordering represents another critical security misconfiguration point. Adonisjs executes middleware in the order they're defined, and incorrect ordering can bypass security controls entirely.

// Start/routes.ts - dangerous middleware ordering
Route
  .get('/admin', 'AdminController.dashboard')
  .middleware('auth') // Authentication AFTER route definition
  .middleware('acl:admin') // ACL check without authentication first

Directory traversal vulnerabilities can occur when Adonisjs's static file serving is misconfigured, allowing attackers to access files outside the intended directory.

// config/static.js - dangerous configuration
export const static = {
  enabled: true,
  // Missing path restriction allows directory traversal
  etag: true,
  maxAge: '1d'
}

Detecting security misconfigurations in Adonisjs requires both manual code review and automated scanning. The framework's configuration-driven architecture means vulnerabilities often hide in plain sight within config files.

middleBrick's black-box scanning approach is particularly effective for Adonisjs applications. The scanner tests unauthenticated endpoints and examines exposed configuration without requiring access credentials. For Adonisjs specifically, middleBrick checks for:

• CORS misconfigurations that allow unauthorized cross-origin requests
• Verbose error responses that leak internal implementation details
• Insecure session cookie settings (missing secure, sameSite attributes)
• Default secrets and weak cryptographic configurations
• Exposed administrative endpoints without proper authentication

The scanning process takes 5-15 seconds and provides a security risk score with specific findings mapped to OWASP API Top 10 categories. For Adonisjs applications, the scanner particularly focuses on middleware ordering issues and configuration exposure.

# Using middleBrick CLI to scan an Adonisjs API
$ npm install -g middlebrick
$ middlebrick scan https://api.yourservice.com

# Output includes:
# - Security risk score (A-F)
# - Specific misconfigurations found
# - Severity levels and remediation guidance
# - OpenAPI spec analysis if available

Manual detection should focus on Adonisjs's configuration files. The framework stores most security-relevant settings in the config/ directory, making systematic review straightforward.

# Key files to audit in Adonisjs
config/
├── app.js          # Debug mode, environment settings
├── cors.js         # Cross-origin resource sharing
├── session.js      # Session security
├── encryption.js   # Data encryption settings
├── auth.js         # Authentication configuration
└── static.js       # Static file serving

Adonisjs's middleware system requires special attention during detection. The order of middleware registration can create security gaps that aren't apparent from individual middleware configurations.

// start/kernel.ts - audit middleware order
const globalMiddleware = [
  // Dangerous order - body parser before auth allows unauthenticated file uploads
  'Adonis/Middleware/BodyParser',
  'Adonis/Middleware/Auth',
  'Adonis/Middleware/Cors'
]

Remediating security misconfigurations in Adonisjs requires leveraging the framework's built-in security features while following security best practices. The framework provides native tools for most common security controls.

Start with CORS configuration. Instead of allowing all origins, specify exact domains and use appropriate settings for your application's needs.

// config/cors.js - secure configuration
export const cors = {
  origin: [
    'https://yourdomain.com',
    'https://yourapp.com'
  ],
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  credentials: true,
  maxAge: 2700
}

Session security requires strong secrets and proper cookie settings. Use environment variables for secrets and ensure cookies are protected against common attacks.

// config/session.js - secure configuration
export const session = {
  secret: Env.get('SESSION_SECRET'), // Always use environment variable
  cookie: {
    httpOnly: true,
    secure: true, // Only send over HTTPS
    sameSite: 'strict', // Prevent CSRF
    maxAge: 24 * 60 * 60 * 1000 // 24 hours
  },
  age: 24 * 60 * 60 // Session expiration
}

Middleware ordering is critical for security. Always place authentication and authorization middleware before business logic middleware.

// start/routes.ts - correct middleware ordering
Route
  .group(() => {
    Route.get('/admin', 'AdminController.dashboard')
    Route.post('/admin/users', 'AdminController.createUser')
  })
  .middleware(['auth', 'acl:admin']) // Auth before ACL

Adonisjs's encryption utilities provide secure data protection. Use the framework's built-in encryption rather than implementing custom solutions.

// Use Adonisjs's secure encryption
import Encryption from '@ioc:Adonis/Core/Encryption'

// Encrypt sensitive data
const encrypted = Encryption.encrypt('sensitive-data-123')

// Decrypt with verification
const decrypted = Encryption.decrypt(encrypted)
// Throws exception if data tampered with

Error handling should never expose internal details in production. Adonisjs allows different configurations per environment.

// config/app.js - environment-specific error handling
export const http = {
  debug: Env.get('NODE_ENV') === 'development',
  environment: Env.get('NODE_ENV', 'development')
}

// start/error.ts - custom error handler
export class ErrorHandler {
  public async handle(error, { response }) {
    if (Env.get('NODE_ENV') === 'production') {
      return response
        .status(error.status || 500)
        .json({
          message: error.message || 'Internal server error',
          code: error.code || 'E_INTERNAL_ERROR'
        })
    }
    
    // Development - show detailed errors
    return response.internal(error)
  }
}

Static file serving should be restricted to specific directories with proper access controls.

// config/static.js - secure static file serving
export const static = {
  enabled: true,
  etag: true,
  maxAge: '1d',
  // Only serve from specific directory
  path: Application.publicPath('uploads'),
  // Optionally disable entirely if not needed
  enabled: false
}