Alternatives to APIsec on Axum
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- Authenticated scans with header allowlist and domain verification
- Continuous monitoring with diff detection and alerts
Black-box scanning for any framework
middleBrick is a self-service API security scanner that operates as a black-box solution. Submit a target URL and receive a risk score from A to F with prioritized findings. It requires no agents, no SDK integration, and no access to source code, so it applies to services built on Axum as well as to other languages and frameworks. Scans typically complete in under a minute and use only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes.
Detection aligned to OWASP API Top 10
The scanner covers 12 categories aligned to the OWASP API Top 10 (2023). For authentication issues, it identifies multi-method bypasses and JWT misconfigurations such as alg=none, HS256 usage, expired tokens, missing claims, and sensitive data in claims. It flags BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA / privilege escalation through admin endpoint probing and role/permission field leakage. Property authorization checks cover over-exposure and internal field leakage, while input validation tests look for dangerous HTTP methods and CORS wildcard configurations, including wildcard origins combined with credentials. Rate limiting and resource consumption are assessed by inspecting rate-limit headers and oversized responses, and data exposure checks detect PII patterns and API key formats. Encryption checks verify HTTPS redirects, HSTS, and cookie flags. SSRF probes target URL-accepting parameters and internal IP bypass attempts. The scanner also covers inventory management, unsafe consumption surfaces, and LLM / AI security through 18 adversarial probes across Quick, Standard, and Deep tiers.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution, then cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans, available from the Starter tier and above, support Bearer, API key, Basic auth, and Cookie-based authentication. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can run authenticated scans. A strict header allowlist is applied, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Products, integrations, and continuous monitoring
The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, distributed as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants including Claude and Cursor. An API client provides programmatic access for custom integrations.
The Pro tier adds continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to highlight new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API. Webhooks are signed with HMAC-SHA256 and are automatically disabled after five consecutive delivery failures.
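As an added illustration of the webhook integration described above (example code, not middleBrick's own), the following shows the receiver-side check for an HMAC-SHA256 signed webhook together with the sender-side auto-disable rule. The header name, hex signature encoding, shared secret and sample alert payload are assumptions, since the page does not document the webhook format.

```python
"""Verify HMAC-SHA256 signed webhooks and apply the five-failure auto-disable rule.
The header name, signature encoding and payload below are assumptions, not the
documented middleBrick format."""
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-webhook-signature"   # assumed header name
MAX_CONSECUTIVE_FAILURES = 5               # from the page: auto-disable after five


def sign(secret: bytes, body: bytes) -> str:
    """Sender side: hex-encoded HMAC-SHA256 over the raw request body."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify(secret: bytes, body: bytes, headers: dict) -> bool:
    """Receiver side: recompute the MAC over the *raw* bytes (before any JSON
    parsing or re-serialisation) and compare in constant time so a forged
    signature cannot be matched byte by byte through timing differences."""
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = lowered.get(SIGNATURE_HEADER, "")
    return hmac.compare_digest(provided, sign(secret, body))


class WebhookEndpoint:
    """Sender-side bookkeeping: a successful delivery resets the counter,
    five consecutive failures disable the endpoint."""

    def __init__(self) -> None:
        self.consecutive_failures = 0
        self.enabled = True

    def record(self, delivered: bool) -> bool:
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


# Constructed sample: a score-drift alert such as a monitoring run might POST.
SECRET = b"constructed-shared-secret"
ALERT = json.dumps({"api": "https://api.example.test", "previous_score": "B",
                    "score": "D", "new_findings": 2}).encode()
```

Note that a single appended space to the body already fails verification, which is why the check must run on the bytes as received rather than on a re-encoded copy.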
Safety posture and limitations
middleBrick adopts a read-only posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and never used for model training. It maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks and controls, it helps you prepare for audits and surfaces findings relevant to compliance evidence. Note that the tool does not fix, patch, block, or remediate issues, does not perform active SQL injection or command injection testing, and does not detect business logic or blind SSRF vulnerabilities. It is not a replacement for a human pentester in high-stakes audits.