Alternatives to APIsec on Express

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Risk scoring A–F with prioritized findings
  • 12 OWASP API Top 10 (2023) aligned detections
  • OpenAPI 3.x/2.0 parsing with recursive $ref resolution
  • Authenticated scans for Express with header allowlist
  • CI/CD integrations and continuous monitoring options

Black-box scanning for Express APIs

middleBrick is a self-service API security scanner that operates without agents, code access, or SDK integration. You submit an Express application URL and receive a risk score from A to F along with prioritized findings. The scanner uses read-only methods (GET and HEAD), plus text-only POST requests for its LLM probes, and completes a scan in under a minute.

Detection aligned to OWASP API Top 10 (2023) and related mappings

The scanner covers 12 categories aligned to OWASP API Top 10 (2023). It detects authentication bypasses and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA and privilege escalation through admin endpoint probing and role/permission field leakage. Additional categories include property authorization over-exposure, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate limiting and resource consumption signals, data exposure patterns including PII and API key formats, encryption misconfigurations, SSRF indicators, and inventory management gaps. The tool also covers unsafe consumption surfaces and LLM/AI security with adversarial probes mapped to OWASP API Top 10 (2023).

OpenAPI analysis and authenticated scanning for Express

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 for Express-based services, resolving $ref recursively and cross-referencing spec definitions against runtime behavior. It flags undefined security schemes, sensitive fields, deprecated operations, and missing pagination. For authenticated scans, which require the Starter tier or higher, supported methods include Bearer, API key, Basic auth, and Cookie. Domain verification is enforced through DNS TXT records or an HTTP well-known file, ensuring only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, including Authorization, X-API-Key, Cookie, and X-Custom-*.

Continuous monitoring and integrations for CI/CD

With Pro tier, middleBrick provides continuous monitoring for Express APIs, including scheduled rescans every 6 hours, daily, weekly, or monthly. It detects diffs between scans to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks auto-disable after 5 consecutive failures. The tool integrates into workflows via a web dashboard for reports and score trends, a CLI with JSON or text output using middlebrick scan <url>, a GitHub Action that fails the build when the score drops below a threshold, an MCP server for AI coding assistants, and a programmatic API for custom integrations.

Limitations and safety posture

middleBrick does not fix, patch, block, or remediate findings; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. The tool does not detect business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits. Safety measures include read-only methods only, blocking destructive payloads, and restricting private IPs, localhost, and cloud metadata endpoints. Customer scan data is deletable on demand, purged within 30 days of cancellation, never sold, and never used for model training.

Compliance framing and pricing overview

middleBrick maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare for audits and aligns with security controls described in relevant standards without claiming certification or compliance. Pricing tiers include Free with 3 scans per month and CLI access, Starter at $99 per month for 15 APIs with dashboard and alerts, Pro at $499 per month for 100 APIs with continuous monitoring and CI/CD integration, and Enterprise at $2,000 per month for unlimited APIs, custom rules, and dedicated support.

Frequently Asked Questions

Does middleBrick detect business logic vulnerabilities in Express APIs?
No. The scanner does not detect business logic vulnerabilities; these require human expertise tied to your domain.

Can authenticated scans be performed on Express APIs using middleBrick?
Yes, authenticated scans are available from Starter tier onward, supporting Bearer, API key, Basic auth, and Cookie with domain verification.

Does middleBrick perform active SQL injection testing against Express endpoints?
No. The tool does not perform active SQL injection or command injection testing.

How are compliance requirements mapped in middleBrick?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Other frameworks are supported via alignment language, not certification.

What happens to scan data when an Express API scan is canceled?
Customer scan data is deletable on demand and purged within 30 days of cancellation.