Alternatives to APIsec on AdonisJS
What middleBrick covers
- Black-box scanning with no agents or SDK dependencies
- Under one minute scan time with prioritized findings
- Supports OpenAPI 3.0, 3.1, and Swagger 2.0 contract analysis
- Authenticated scans with domain verification gate
- Read-only methods only, with built-in safety controls
- CI/CD integration via GitHub Action and MCP Server
API Security Posture for AdonisJS Applications
When developing with AdonisJS, API security begins with understanding how your endpoints behave in production. This scanner performs black-box testing, requiring only a reachable URL. It does not need source code, an SDK, or build artifacts. Submit an API endpoint, receive a letter grade from A to F, and a prioritized list of findings mapped to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
Detection Coverage Relevant to AdonisJS
The scanner evaluates endpoints regardless of framework, which is valuable for AdonisJS because route definitions and route groupings can inadvertently change security assumptions. Detection categories include:
- Authentication bypass and JWT misconfigurations such as alg=none, weak shared secrets, expired tokens, and sensitive data in claims.
- BOLA and IDOR via sequential ID enumeration and adjacent ID probing.
- BFLA and privilege escalation through admin endpoint probing and role/permission field leakage.
- Property over-exposure and internal field leakage, including mass-assignment surface.
- Input validation issues such as CORS wildcard usage, dangerous HTTP methods, and debug endpoints.
- Rate limiting behavior, oversized responses, and unpaginated arrays that risk resource consumption.
- Data exposure patterns including emails, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack.
- Encryption hygiene such as HTTPS redirects, HSTS, cookie flags, and mixed content.
- SSRF against URL-accepting parameters and body fields, including active attempts to detect internal IPs.
- Inventory management findings like missing versioning and legacy path patterns.
- Unsafe consumption surfaces, including excessive third-party URLs and webhook/callback endpoints.
- LLM/AI security probes covering system prompt extraction, instruction override, jailbreaks, data exfiltration, and token smuggling across multiple scan tiers.
OpenAPI and Contract Validation
AdonisJS applications often expose an OpenAPI specification for documentation and client generation. The parser supports OpenAPI 3.0, 3.1, and Swagger 2.0, resolving recursive $ref references. By comparing the parsed contract against runtime behavior, the scanner surfaces undefined security schemes, unexpected sensitive fields, deprecated operations, and missing pagination that may indicate inefficient or insecure design.
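The following is an added example, not middleBrick's parser: a small contract linter that resolves local (including recursive) $ref references and reports the four contract-level findings named above, namely undefined security schemes, sensitive fields in responses, deprecated operations, and array responses without pagination parameters. The SPEC object extends the page's snippet with constructed components and extra paths; the rule names, the SENSITIVE_FIELD pattern and the PAGINATION_PARAM pattern are assumptions.

```javascript
// Added example, not middleBrick's parser. SPEC is constructed from the page's
// snippet plus extra definitions; rule names and regexes are assumptions.
const METHODS = new Set(['get', 'post', 'put', 'patch', 'delete', 'head', 'options']);
const SENSITIVE_FIELD = /password|secret|token|ssn|card/i;
const PAGINATION_PARAM = /^(page|limit|offset|cursor|per_page)$/i;

const SPEC = {
  openapi: '3.0.0',
  info: { title: 'AdonisJS API', version: '1.0.0' },
  components: {
    securitySchemes: { bearer: { type: 'http', scheme: 'bearer' } },
    schemas: {
      User: {
        type: 'object',
        properties: {
          id: { type: 'integer' },
          email: { type: 'string' },
          password_hash: { type: 'string' },
          manager: { $ref: '#/components/schemas/User' }, // recursive reference
        },
      },
      UserList: { type: 'array', items: { $ref: '#/components/schemas/User' } },
    },
  },
  paths: {
    '/users/{id}': {
      get: {
        security: [{ bearer: [] }],
        responses: { 200: { description: 'OK', content: { 'application/json': { schema: { $ref: '#/components/schemas/User' } } } } },
      },
    },
    '/users': {
      get: {
        deprecated: true,
        responses: { 200: { description: 'OK', content: { 'application/json': { schema: { $ref: '#/components/schemas/UserList' } } } } },
      },
    },
    '/admin/export': {
      post: { security: [{ apiKey: [] }], responses: { 200: { description: 'OK' } } },
    },
  },
};

// Resolve a local JSON pointer such as '#/components/schemas/User'.
function deref(root, ref) {
  if (!ref.startsWith('#/')) throw new Error(`only local refs are supported: ${ref}`);
  return ref.slice(2).split('/').reduce(
    (node, key) => (node === undefined ? undefined : node[key.replace(/~1/g, '/').replace(/~0/g, '~')]),
    root,
  );
}

// Follow a $ref chain to the concrete schema (bounded so a self-ref cannot loop).
function resolveSchema(root, schema) {
  for (let i = 0; schema && schema.$ref && i < 32; i++) schema = deref(root, schema.$ref);
  return schema;
}

// Collect property names reachable from a schema, visiting each $ref once so
// recursive schemas (User.manager -> User) terminate.
function collectProperties(root, schema, seen = new Set(), out = []) {
  if (!schema || typeof schema !== 'object') return out;
  if (schema.$ref) {
    if (seen.has(schema.$ref)) return out;
    seen.add(schema.$ref);
    return collectProperties(root, deref(root, schema.$ref), seen, out);
  }
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    out.push(name);
    collectProperties(root, sub, seen, out);
  }
  if (schema.items) collectProperties(root, schema.items, seen, out);
  return out;
}

function lintContract(spec) {
  const findings = [];
  const declared = new Set(Object.keys(spec.components?.securitySchemes || {}));
  const globalSecurity = Array.isArray(spec.security) && spec.security.length > 0;
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const [method, op] of Object.entries(item)) {
      if (!METHODS.has(method)) continue; // skip path-level keys such as "parameters"
      const where = `${method.toUpperCase()} ${path}`;
      if (!globalSecurity && !op.security) findings.push({ where, rule: 'no-security-requirement' });
      for (const req of op.security || []) {
        for (const scheme of Object.keys(req)) {
          if (!declared.has(scheme)) findings.push({ where, rule: 'undefined-security-scheme', detail: scheme });
        }
      }
      if (op.deprecated) findings.push({ where, rule: 'deprecated-operation' });
      const paramNames = [...(item.parameters || []), ...(op.parameters || [])].map((p) => p.name);
      const schema = op.responses?.['200']?.content?.['application/json']?.schema;
      if (!schema) continue;
      const concrete = resolveSchema(spec, schema);
      if (concrete?.type === 'array' && !paramNames.some((n) => PAGINATION_PARAM.test(n))) {
        findings.push({ where, rule: 'missing-pagination' });
      }
      for (const field of collectProperties(spec, schema)) {
        if (SENSITIVE_FIELD.test(field)) findings.push({ where, rule: 'sensitive-field-in-response', detail: field });
      }
    }
  }
  return findings;
}
```

Run `lintContract(SPEC)` to get one finding per rule violation; the `seen` set in `collectProperties` is what keeps the recursive `User.manager` reference from looping, which is the same problem any $ref resolver has to solve before it can compare a contract against runtime responses.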
{
  "openapi": "3.0.0",
  "info": { "title": "AdonisJS API", "version": "1.0.0" },
  "paths": {
    "/users/{id}": {
      "get": {
        "responses": {
          "200": {
            "description": "OK",
            "content": { "application/json": { "schema": { "type": "object" } } }
          }
        }
      }
    }
  }
}
Authenticated Scanning and Domain Control
Starting at the Starter tier, authenticated scanning is available for endpoints that require credentials. Supported methods include Bearer tokens, API keys, Basic auth, and Cookies. Before scanning with credentials, a domain verification gate ensures control: the scanner checks a DNS TXT record or an HTTP well-known file. Only the domain owner can run authenticated scans against that domain.
Header forwarding is limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. This restriction reduces noise and keeps scans focused on security-relevant interactions rather than implementation-specific details.
Operational Models and Compliance Framing
The scanner integrates into different stages of the development lifecycle. Use the CLI with middlebrick scan <url> for quick checks, or run the GitHub Action as a CI/CD gate that fails the build when the score drops below your chosen threshold. The MCP Server allows scanning from AI coding assistants such as Claude or Cursor.
Continuous monitoring (Pro tier) provides scheduled rescans every six hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift. Alerts are rate-limited to one email per hour per API. HMAC-SHA256 signed webhooks can notify internal systems, with auto-disable after five consecutive failures.
Findings map to compliance evidence for PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, the scanner helps you prepare for them and aligns with the security controls described in the relevant standards, but it does not certify compliance.