Hasura GraphQL API without authentication - Vulnerability Database

Hasura GraphQL API without authentication

Description

The Hasura GraphQL API is accessible without authentication, allowing unauthorized users to interact with the API endpoints. This misconfiguration enables attackers to exploit the API's remote schema functionality to perform Server-Side Request Forgery (SSRF) attacks, where the server can be forced to make requests to arbitrary internal or external resources.

Remediation

Immediately restrict access to the Hasura GraphQL API by configuring an admin secret. Follow these steps:

1. Generate a strong admin secret:
Create a cryptographically secure random string to use as your admin secret.

2. Configure the admin secret:
Set the HASURA_GRAPHQL_ADMIN_SECRET environment variable when starting the Hasura GraphQL Engine:

HASURA_GRAPHQL_ADMIN_SECRET=your-strong-secret-key

3. Update client applications:
Ensure all legitimate API clients include the admin secret in their requests using the x-hasura-admin-secret header:
curl -H "x-hasura-admin-secret: your-strong-secret-key" https://your-hasura-instance.com/v1/graphql

4. Implement additional security measures:
• Use role-based access control (RBAC) to limit permissions for different users
• Enable HTTPS/TLS for all API communications
• Implement network-level restrictions (firewall rules, IP whitelisting) where appropriate
• Regularly rotate the admin secret

For detailed configuration examples, refer to the Hasura documentation on admin secrets and authentication.
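The following is an added example, not code from Invicti or the Hasura project: it generates a secret of the kind step 1 asks for and classifies the body of a Hasura /v1/graphql reply so an operator can confirm, after steps 2 and 3, that the endpoint now refuses callers without x-hasura-admin-secret. The probe URL and the sample response bodies are constructed for illustration; the access-denied shapes are modelled on Hasura's error format and should be checked against your own instance.

```python
"""Added example (not Invicti's or Hasura's own code): generate an admin secret and
check that a Hasura GraphQL endpoint rejects unauthenticated callers."""
import json
import secrets
import urllib.error
import urllib.request
from typing import Optional

# Minimal introspection query: enough to tell whether the schema is served.
PROBE_QUERY = {"query": "{ __schema { queryType { name } } }"}


def generate_admin_secret(nbytes: int = 32) -> str:
    """Step 1: a URL-safe secret carrying `nbytes` bytes of CSPRNG entropy."""
    return secrets.token_urlsafe(nbytes)


def classify_response(body: str) -> str:
    """Return 'exposed', 'protected' or 'unknown' for a /v1/graphql response body.

    'exposed'   -> schema data was returned to the caller.
    'protected' -> Hasura's access-denied error (admin secret set, header missing).
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if isinstance(doc.get("data"), dict) and "__schema" in doc["data"]:
        return "exposed"
    if doc.get("code") == "access-denied":          # top-level error form
        return "protected"
    for err in doc.get("errors") or []:             # GraphQL errors[] form
        if (err.get("extensions") or {}).get("code") == "access-denied":
            return "protected"
    return "unknown"


def probe_endpoint(url: str, admin_secret: Optional[str] = None, timeout: int = 10) -> str:
    """POST the probe to your own Hasura instance and classify the answer.
    Call once without admin_secret (expect 'protected') and once with it (expect 'exposed',
    i.e. legitimate clients still get the schema)."""
    headers = {"Content-Type": "application/json"}
    if admin_secret:
        headers["x-hasura-admin-secret"] = admin_secret
    req = urllib.request.Request(url, data=json.dumps(PROBE_QUERY).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.read().decode())
    except urllib.error.HTTPError as exc:  # a 4xx reply may still carry a JSON body
        return classify_response(exc.read().decode())
```

Run `probe_endpoint("https://your-hasura-instance.example/v1/graphql")` against an instance you administer; a result of "exposed" without a secret means step 2 has not taken effect.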
