42Crunch for Strapi
What middleBrick covers
- Black-box API scanning without agents or SDKs
- Validates controls mapped to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- Supports Bearer, API key, Basic, and Cookie authentication
- Continuous monitoring with diff detection and alerts
- CI/CD integration via GitHub Action and MCP Server
Overview of API security for Strapi
Strapi exposes a GraphQL endpoint and a REST API by default, each with its own set of authentication and authorization rules. The admin panel is typically isolated behind its own path and relies on session or JWT-based access control. Without deliberate hardening, public routes can leak schema details and expose administrative interfaces. A scanner that operates without code or agent access can validate these surfaces against common misconfigurations.
Authentication and authorization coverage
middleBrick maps findings to OWASP API Top 10 (2023) and supports validation of controls relevant to Strapi’s default authentication stack. It checks JWT configurations such as alg=none, weak shared secrets, expired tokens, and missing standard claims. The tool also evaluates security headers, WWW-Authenticate compliance, and whether access control mechanisms are bypassed via predictable parameter manipulation.
For Strapi, authenticated scanning with Bearer, API key, Basic auth, or Cookie credentials requires domain verification to ensure only the domain owner can scan with credentials. Only a limited set of headers is forwarded, and the admin panel is probed only when explicit credentials are provided.
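The JWT controls listed above (alg=none, weak shared secrets, expired tokens, missing standard claims) as a self-contained validator; this is an added illustration, not middleBrick's or Strapi's code. Assumptions: HS256 is the only allowed algorithm, sub/iat/exp are the required claims, and a shared secret shorter than 32 bytes is treated as weak.

```python
import base64, hashlib, hmac, json, time

REQUIRED_CLAIMS = ("sub", "iat", "exp")   # assumption: the claims a Strapi-style token must carry
MIN_SECRET_BYTES = 32                     # assumption: shorter HS256 secrets are flagged as weak

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims, secret):
    """Mint an HS256 token; used only to build constructed sample inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_token(token, secret, now=None):
    """Return a list of findings; an empty list means every control passed."""
    findings = []
    if len(secret.encode()) < MIN_SECRET_BYTES:
        findings.append("weak-secret")
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        if not isinstance(header, dict) or not isinstance(payload, dict):
            raise ValueError("header and payload must be JSON objects")
    except ValueError:
        return ["malformed"]
    # Reject alg=none and anything outside the allow-list before touching the signature
    if header.get("alg") != "HS256":
        findings.append("alg-not-allowed")
    else:
        expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
            findings.append("bad-signature")
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        findings.append("missing-claims:" + ",".join(missing))
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] <= now:
        findings.append("expired")
    return findings
```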
Schema and runtime alignment
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. For Strapi, this enables cross-referencing the defined security schemes and paths against runtime behavior. The scanner flags undefined security schemes, sensitive field exposure in responses, deprecated operations, and missing pagination that can lead to rate limit bypass or data exhaustion.
When an OpenAPI spec is unavailable, black-box probes exercise the GraphQL and REST endpoints to infer effective schemas and detect deviations that could lead to over-exposure or authorization flaws.
Detection of common Strapi misconfigurations
Because Strapi encourages rapid prototyping, default settings can remain in production. middleBrick detects CORS wildcards, dangerous HTTP methods, and debug endpoints that should never be exposed. It identifies excessive data exposure in JSON responses, such as internal IDs, timestamps, and administrative flags that assist attackers in lateral movement.
The scanner also probes for Insecure Direct Object References (IDOR) by checking sequential IDs and adjacent resources. Property authorization issues are surfaced when internal fields or mass-assignment vectors appear in API responses without appropriate checks. These findings align with security controls described in PCI-DSS 4.0 and SOC 2 Type II.
Continuous monitoring and integration options
The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection to highlight new findings, resolved issues, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can notify CI/CD pipelines or monitoring tools. The GitHub Action fails builds when scores drop below a defined threshold, providing a gate before deployment.
For teams using AI-assisted development, the MCP Server allows scans from coding assistants. The CLI supports JSON and text output for scripting, and branded compliance PDFs can be generated from the dashboard for audit evidence.