Issue
Security scans flag the /resources.zip file in a Mendix application as a security concern. The file is publicly accessible without authentication, which exposes application resources and internal information. This article addresses whether this is expected behaviour and describes how to properly restrict access to this file.
Environment
Studio Pro v9.24 and older
Cause
In Mendix 9 and older, the /resources.zip file is served publicly by default as part of the application's resource delivery mechanism. This is expected behaviour in the Mendix platform, because the file exists to deliver client-side resources to Hybrid applications. Security assessments nevertheless flag a publicly reachable archive of application resources as a vulnerability.
Solution/Workaround
To address this security concern, upgrade to the latest major version of Studio Pro. The /resources.zip file was removed in Mendix 10, so upgrading to Mendix 10 or newer resolves this finding immediately.
If upgrading is not feasible in the short term, first confirm that the /resources.zip file does not contain sensitive business logic or confidential data (by default it contains only front-end resources such as styling and widget files). Access to the Mendix application, and therefore to its static files, can then be further restricted by setting up Access Restriction Profiles.
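An added example (not from the Mendix article or the Mendix platform) of the content check described above: it opens a resources.zip archive in memory and sorts each entry into expected front-end assets, suspicious server-side or secret material, or unknown types. The suffix lists and the sample archive are constructed assumptions, not Mendix defaults.

```python
import io
import zipfile

# Assumption (not from the article): suffixes of the front-end assets normally
# bundled in /resources.zip (styling, widgets, images, fonts, source maps).
EXPECTED = {".css", ".js", ".json", ".html", ".png", ".jpg", ".gif", ".svg",
            ".ico", ".woff", ".woff2", ".ttf", ".eot", ".map", ".xml"}
# Assumption: suffixes that signal server-side or confidential material and
# must never sit in a publicly served archive.
SUSPICIOUS = {".mpr", ".java", ".jar", ".class", ".properties", ".conf",
              ".pem", ".key", ".p12", ".jks", ".sql", ".csv", ".bak", ".env"}


def audit_resources_zip(data: bytes) -> dict:
    """Sort every file entry of a resources.zip (raw bytes) into 'expected',
    'suspicious' or 'unknown' so a reviewer can judge the archive's exposure."""
    report = {"expected": [], "suspicious": [], "unknown": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            dot = name.rfind(".")
            # Only treat a dot inside the final path component as a suffix.
            suffix = name[dot:].lower() if dot > name.rfind("/") else ""
            if suffix in SUSPICIOUS:
                report["suspicious"].append(name)
            elif suffix in EXPECTED:
                report["expected"].append(name)
            else:
                report["unknown"].append(name)
    return report


def build_sample_zip() -> bytes:
    """Constructed stand-in for a downloaded /resources.zip; not a real export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("theme/styles.css", "body { margin: 0; }")
        zf.writestr("widgets/MyWidget.js", "define([], function () {});")
        zf.writestr("img/logo.png", b"\x89PNG constructed")
        # Deliberately planted to show what the check should catch.
        zf.writestr("config/db.properties", "DatabasePassword=constructed")
        zf.writestr("notes.txt", "constructed file of unknown type")
    return buf.getvalue()


if __name__ == "__main__":
    for category, names in audit_resources_zip(build_sample_zip()).items():
        print(f"{category}: {names}")
```

Run it against an archive downloaded from your own application instead of the sample; any entry in the suspicious list means restricting access is urgent rather than optional.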
Internal information related
- 277792, 211848
Additional information
Mendix documentation: Access Restriction Profiles