42Crunch for Chi

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023)
  • OpenAPI 3.0/3.1 and Swagger 2.0 parsing with spec-to-runtime cross-reference
  • Authenticated scans with domain verification and header allowlist
  • Continuous monitoring with scheduled rescans and diff detection

Overview of API Security Scanning for Chi

middleBrick is a self-service API security scanner designed to assess public-facing endpoints used by Chi applications. You submit a URL, and the service returns a risk score from A to F along with prioritized findings. The scanner operates as a black-box solution, requiring no agents, SDKs, or access to your source code or framework internals. It supports any language and framework, including Chi, and completes a scan in under one minute using read-only methods plus text-only POST for LLM probes.

Detection Coverage Relevant to Chi API Designs

The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023), which maps findings to common risks in API-driven architectures like those built with Chi. Detection includes authentication bypass attempts and JWT misconfigurations, such as alg=none or expired tokens, which can appear when security middleware is misconfigured. It checks BOLA and IDOR through sequential ID enumeration and active adjacent-ID probing, relevant if your Chi routes expose predictable identifiers. The scanner also probes for BFLA and privilege escalation by testing admin endpoints and inspecting role or permission fields for leakage, as well as Property Authorization issues like over-exposed internal fields that violate least-privilege principles.

  • Input Validation checks for CORS wildcard usage, dangerous HTTP methods, and debug endpoints that could affect Chi router behavior.
  • Rate Limiting & Resource Consumption evaluates rate-limit headers and oversized responses, which are important when using Chi with high-throughput routes.
  • Data Detection includes PII patterns and API key formats, helping you understand exposure risks around sensitive payloads handled by Chi handlers.
  • Encryption checks HTTPS redirects, HSTS, and cookie flags, which are relevant when securing HTTP to HTTPS transitions in Chi.
  • SSRF detection targets URL-accepting parameters and body fields, including active probes for internal IP bypass, which is useful if your Chi service calls external services.
  • LLM / AI Security includes 18 adversarial probes across Quick, Standard, and Deep tiers, focused on prompt extraction, jailbreak techniques, and data exfiltration scenarios that could target AI-assisted endpoints.
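One mitigation for the JWT misconfigurations listed above (alg=none, expired tokens), written as an added example rather than code from middleBrick or Chi: a stdlib-only HS256 verifier a Chi auth middleware can call before trusting a token. MintToken is an assumed test helper, not any library's API; it exists only so a test can mint tokens, including an alg=none one, and confirm they are rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// VerifyHS256 is the check a Chi auth middleware should make before trusting a
// token. The algorithm is pinned server-side, so a header claiming alg=none never
// reaches the signature check, and a missing or past exp claim is rejected.
func VerifyHS256(token string, secret []byte, nowUnix int64) error {
	decode := func(seg string, v interface{}) bool {
		raw, err := base64.RawURLEncoding.DecodeString(seg)
		return err == nil && json.Unmarshal(raw, v) == nil
	}
	var header struct{ Alg string } // encoding/json matches "alg" case-insensitively
	var claims struct{ Exp int64 }
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !decode(parts[0], &header) || !decode(parts[1], &claims) {
		return errors.New("malformed token")
	}
	if header.Alg != "HS256" { // "none", "RS256" and anything else fail here
		return errors.New("unsupported alg: " + header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return errors.New("invalid signature")
	}
	if claims.Exp == 0 || nowUnix >= claims.Exp {
		return errors.New("token expired or exp missing")
	}
	return nil
}

// MintToken is an assumed test helper: alg is a parameter only so a test can mint an alg=none token.
func MintToken(alg string, exp int64, secret []byte) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	c, _ := json.Marshal(map[string]int64{"exp": exp})
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(c)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
```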

OpenAPI Specification Analysis and Framework Cross-Reference

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, then cross-references the spec against runtime findings. This process highlights undefined security schemes, sensitive fields exposed by default, deprecated operations, and missing pagination that could lead to over-fetching in Chi-based services. By comparing the declared contract with actual behavior, the scanner surfaces gaps between your documented API and the implemented routes, without requiring access to Chi source code.

Authenticated Scanning and Safety Controls

For authenticated scans at the Starter tier and above, the scanner supports Bearer tokens, API keys, Basic auth, and cookies. Before running authenticated tests, a domain verification gate checks a DNS TXT record or an HTTP well-known file to ensure only the domain owner can submit credentials. The scanner forwards a strict header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. Safety mechanisms include restricting requests to read-only methods, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, and a policy of deleting customer data on demand within 30 days of cancellation.

Product Integrations and Continuous Monitoring

The scanner integrates into different stages of your workflow. The Web Dashboard provides scan history, score trends, and downloadable compliance PDFs. The CLI, available as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants like Claude or Cursor. For ongoing risk management, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to highlight new or resolved findings and email alerts rate-limited to one per hour per API. HMAC-SHA256 signed webhooks are supported, with auto-disable after five consecutive failures.
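The receiving side of the HMAC-SHA256 signed webhooks mentioned above, as an added example and not middleBrick's own code. The header name X-Webhook-Signature and the hex encoding are assumptions, since the page does not document the actual signature format; the handler reads the raw body once, verifies it in constant time before parsing anything, and can be mounted on a Chi router.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"io"
	"net/http"
)

// SignatureHeader and hex encoding are assumptions for this example; the page
// does not document middleBrick's actual signature format.
const SignatureHeader = "X-Webhook-Signature"

// SignPayload computes the hex HMAC-SHA256 a sender attaches to the raw body.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature recomputes the MAC over the exact bytes received and compares
// it in constant time, so the header value is never parsed or trusted first.
func VerifySignature(secret, body []byte, sigHex string) bool {
	return hmac.Equal([]byte(SignPayload(secret, body)), []byte(sigHex))
}

// WebhookHandler is an http.Handler you can mount on a Chi router, e.g.
// r.Post("/hooks/middlebrick", WebhookHandler(secret, onEvent)). It reads the
// raw body once (capped at 1 MiB), verifies before parsing, and answers 401 on mismatch.
func WebhookHandler(secret []byte, onEvent func(body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
		if err != nil {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if !VerifySignature(secret, body, r.Header.Get(SignatureHeader)) {
			http.Error(w, "invalid signature", http.StatusUnauthorized)
			return
		}
		onEvent(body)
		w.WriteHeader(http.StatusNoContent)
	})
}
```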

Frequently Asked Questions

Does middleBrick fix vulnerabilities in my Chi API?
No. The scanner detects and reports findings with remediation guidance, but it does not patch, block, or remediate issues.
Can it detect business logic vulnerabilities in Chi endpoints?
No. Business logic vulnerabilities require domain understanding and are outside the scope of automated scanning.
Does the scanner perform intrusive tests like SQL injection on Chi services?
No. It does not perform active SQL injection or command injection tests, which fall outside its read-only design.
How does middleBrick help with compliance for Chi-based APIs?
It maps findings to the OWASP API Top 10 (2023) and supports audit evidence for SOC 2 Type II and PCI-DSS 4.0 by exposing relevant security configurations.