42Crunch for CCPA data-handling audit

What middleBrick covers

  • Black-box scanning without agents or SDK integration.
  • Detection of PII patterns and API key leakage.
  • OpenAPI 3.x and Swagger 2.0 contract validation.
  • Authenticated scans with strict header allowlists.
  • Scheduled rescans and diff-based alerting.
  • Dashboard and compliance report exports.

Scope and limitations for CCPA data-handling audits

middleBrick is a black-box API security scanner that detects risks in request and response behavior. It maps findings to the OWASP API Security Top 10 and supports audit evidence collection for data-handling reviews aligned with CCPA data protection expectations. The scanner does not perform the legal assessment or data inventory validation that CCPA compliance requires; it surfaces technical findings relevant to data exposure and access controls.

Detection of data exposure and access control issues

The scanner identifies patterns that can indicate CCPA-relevant data exposure, including PII such as email addresses and Social Security Numbers (reported only where the surrounding context indicates an SSN, to limit false positives), as well as known API key formats that appear in API traffic. It checks for over-exposure of internal fields and mass-assignment surfaces, and it verifies the presence of security headers and HTTPS enforcement that protect data in transit.

  • Data exposure patterns including email and card-like values with Luhn validation.
  • Over-exposed JSON fields and sensitive data in error messages.
  • Security headers, HTTPS redirect, and HSTS presence.
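The checks listed above, as an added example that is not middleBrick's own code: a body scanner for email, context-gated SSN, Luhn-validated card numbers and one key format, plus a header check. SAMPLE_BODY and SAMPLE_HEADERS are constructed, and the key pattern (AWS access key id shape) and the header set are assumptions about what a scanner of this kind looks for.

```javascript
// Added example, not middleBrick's own code: response-body and header checks of the kind
// the page describes. SAMPLE_BODY and SAMPLE_HEADERS are constructed; the key-format
// pattern covers only the AWS access key id shape and is an assumption.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const SSN_RE = /\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b/g;
const CARD_RE = /\b(?:\d[ -]?){13,19}\b/g;
const AWS_KEY_RE = /\bAKIA[0-9A-Z]{16}\b/g;
// An SSN-shaped number is reported only if a label within 40 chars before it says so.
const SSN_CONTEXT = /(ssn|social|security|tax|tin)/i;

// Luhn mod-10 check: separates real card numbers from look-alike ids and timestamps.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns data-exposure findings for a response body, grouped by type.
function scanBody(text) {
  const findings = [];
  for (const m of text.matchAll(EMAIL_RE)) findings.push({ type: 'email', value: m[0] });
  for (const m of text.matchAll(SSN_RE)) {
    const before = text.slice(Math.max(0, m.index - 40), m.index);
    if (SSN_CONTEXT.test(before)) findings.push({ type: 'ssn', value: m[0] });
  }
  for (const m of text.matchAll(CARD_RE)) {
    if (luhnValid(m[0].replace(/[ -]/g, ''))) findings.push({ type: 'card', value: m[0] });
  }
  for (const m of text.matchAll(AWS_KEY_RE)) findings.push({ type: 'aws_key', value: m[0] });
  return findings;
}

// Transport-protection checks: scheme plus the headers the page lists. Header names
// are matched case-insensitively, as HTTP requires.
function scanHeaders(url, headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const issues = [];
  if (!url.startsWith('https://')) issues.push('not served over HTTPS');
  if (!h['strict-transport-security']) issues.push('missing Strict-Transport-Security');
  if (!h['x-content-type-options']) issues.push('missing X-Content-Type-Options');
  if (!h['content-security-policy']) issues.push('missing Content-Security-Policy');
  return issues;
}

// Constructed sample: a labelled SSN, a Luhn-valid card, a Luhn-invalid look-alike in
// order_ref (must not be reported), and a leaked key in a debug field.
const SAMPLE_BODY = JSON.stringify({
  user: { email: 'jane.doe@example.com', ssn: '123-45-6789', order_ref: '4111-1111-1111-1112' },
  payment: { card: '4111 1111 1111 1111' },
  debug: { aws_key: 'AKIAIOSFODNN7EXAMPLE' },
});
const SAMPLE_HEADERS = { 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff' };

console.log(scanBody(SAMPLE_BODY));
console.log(scanHeaders('https://api.example.com/v1/me', SAMPLE_HEADERS));
```

The order_ref value has the shape of a card number but fails Luhn, so it is dropped; the same 9-digit pattern without an ssn-style label nearby is also dropped. Both are the false positives a Luhn and context gate exist to remove.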

Authentication and authorization analysis

CCPA data-handling workflows often require strict access controls. The scanner tests for authentication bypass, JWT misconfigurations, and inconsistent handling of the Authorization header. It probes for BOLA-style ID enumeration and privilege escalation to highlight endpoints where data access is not properly restricted. Authorization checks run only when you supply credentials through the authenticated scanning flow, which requires domain verification.

OpenAPI contract validation and runtime alignment

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions and compares the declared data-handling paths and security schemes against runtime behavior. It detects references to undefined security schemes, deprecated operations, and list endpoints without pagination, each of which can lead to excessive data exposure. Cross-referencing spec definitions with live responses helps identify mismatches relevant to CCPA data minimization and purpose limitation.

// Fetch the OpenAPI document with a bearer token read from the environment (API_TOKEN is an assumed variable name) rather than hard-coded, then hand the parsed spec on for contract checks
const options = { method: 'GET', headers: { 'Authorization': `Bearer ${process.env.API_TOKEN}` } };
fetch('https://api.example.com/openapi.json', options).then(r => r.json()).then(spec => console.log(spec));
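What to do with the fetched spec object, as an added example that is not middleBrick's own code: the three static contract checks the paragraph lists (undefined security schemes, deprecated operations, unpaginated list endpoints) and a spec-versus-live-response field comparison for over-exposure. SPEC and LIVE_USER are constructed, and the pagination heuristic (a GET returning a top-level array with no limit/page/cursor-style query parameter) is an assumption about how such a check is typically written.

```javascript
// Added example, not middleBrick's own code: static checks over a parsed OpenAPI 3.x
// object of the three kinds the paragraph lists, plus a spec-versus-live-response field
// comparison. SPEC and LIVE_USER are constructed; the pagination heuristic (a GET that
// returns a top-level array but takes no limit/page/cursor-style query parameter) is an assumption.
const METHODS = ['get', 'put', 'post', 'delete', 'patch', 'head', 'options', 'trace'];
const PAGINATION_PARAMS = new Set(['limit', 'page', 'page_size', 'per_page', 'offset', 'cursor', 'after']);

function* operations(spec) {
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of METHODS) {
      if (item[method]) yield { path, method, op: item[method], shared: item.parameters || [] };
    }
  }
}

function jsonSchemaFor(op) {
  return op.responses?.['200']?.content?.['application/json']?.schema;
}

function checkContract(spec) {
  const defined = new Set(Object.keys(spec.components?.securitySchemes || {}));
  const findings = [];
  for (const { path, method, op, shared } of operations(spec)) {
    const where = `${method.toUpperCase()} ${path}`;
    // Operation-level security overrides the global list; an explicit [] disables it.
    const reqs = op.security ?? spec.security ?? [];
    for (const req of reqs) {
      for (const name of Object.keys(req)) {
        if (!defined.has(name)) findings.push({ where, rule: 'undefined-security-scheme', detail: name });
      }
    }
    if (reqs.length === 0) findings.push({ where, rule: 'no-security-requirement' });
    if (op.deprecated) findings.push({ where, rule: 'deprecated-operation' });
    if (method === 'get' && jsonSchemaFor(op)?.type === 'array') {
      const query = [...shared, ...(op.parameters || [])].filter((p) => p.in === 'query').map((p) => p.name);
      if (!query.some((n) => PAGINATION_PARAMS.has(n))) findings.push({ where, rule: 'missing-pagination' });
    }
  }
  return findings;
}

// Runtime alignment: top-level fields in a live GET response that the declared 200
// schema does not list are over-exposure candidates.
function undeclaredFields(spec, path, liveBody) {
  const schema = jsonSchemaFor(spec.paths?.[path]?.get || {});
  const declared = new Set(Object.keys(schema?.properties || {}));
  return Object.keys(liveBody).filter((k) => !declared.has(k));
}

// Constructed spec exercising each rule once.
const SPEC = {
  openapi: '3.0.3',
  components: { securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer' } } },
  security: [{ bearerAuth: [] }],
  paths: {
    '/users': {
      get: { responses: { 200: { description: 'list', content: { 'application/json': { schema: { type: 'array', items: { type: 'object' } } } } } } },
    },
    '/users/{id}': {
      parameters: [{ name: 'id', in: 'path', required: true, schema: { type: 'string' } }],
      get: { responses: { 200: { description: 'one', content: { 'application/json': { schema: { type: 'object', properties: { id: { type: 'string' }, email: { type: 'string' } } } } } } } },
      delete: { deprecated: true, security: [{ legacyApiKey: [] }], responses: { 204: { description: 'deleted' } } },
    },
    '/export': { get: { security: [], responses: { 200: { description: 'dump' } } } },
  },
};
// Constructed live response for GET /users/1001: two fields the contract never declared.
const LIVE_USER = { id: '1001', email: 'a@example.com', password_hash: 'redacted', is_admin: false };

console.log(checkContract(SPEC));
console.log(undeclaredFields(SPEC, '/users/{id}', LIVE_USER));
```

The global security list applies to every operation that does not set its own, so GET /users/{id} passes while DELETE /users/{id} is flagged for naming a scheme components never defines; GET /export is flagged because an explicit empty security list disables authentication entirely. For Swagger 2.0 documents the same logic applies with securityDefinitions in place of components.securitySchemes.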

Operational characteristics and integration considerations

Scans complete in under a minute and use only read-only HTTP methods (no state-changing requests), which reduces operational friction in continuous validation workflows. The tool provides a web dashboard for tracking score trends and downloading compliance reports, a CLI for local runs, and a GitHub Action to gate CI/CD pipelines. Pro tier features include scheduled rescans and diff detection that highlights data-handling risks new since the previous scan. Scan data is deletable on demand and is never used for model training.

Frequently Asked Questions

Can middleBrick certify CCPA compliance?
No. middleBrick is a scanning tool that detects technical risks and provides evidence; it does not certify compliance.
Does the scanner test for all CCPA data handling risks?
No. It focuses on technical indicators such as data exposure, authentication, and access control patterns; it does not cover business logic or legal data inventory processes.
Is authenticated scanning required for CCPA workflows?
Authenticated scanning is optional but recommended to validate protected endpoints; it requires domain verification and follows strict header allowlists.
Can findings be integrated into existing compliance workflows?
Yes. The dashboard provides trend tracking, downloadable reports, webhooks, and CI/CD integrations to support ongoing audit evidence collection.