Alternatives to APIsec on FeathersJS
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring from A to F with prioritized findings
- OWASP API Top 10 coverage and OpenAPI spec cross-check
- Support for authenticated scans with Bearer, API key, Basic auth, and Cookie credentials
- Continuous monitoring and diff detection across scans
- Integrations including Web Dashboard, CLI, GitHub Action, MCP Server
Black-box scanning for FeathersJS services
middleBrick is a self-service API security scanner that operates without agents or code access. You submit a URL and receive a risk score from A to F with prioritized findings. Because it works entirely at the network level, using read-only methods (GET and HEAD) plus text-only POST requests for LLM probes, it supports any language and framework, FeathersJS included. Scans typically complete in under a minute, and the endpoints exposed by your FeathersJS services are checked for exposure and misconfiguration.
Detection coverage aligned to OWASP API Top 10
The scanner maps findings to the OWASP API Security Top 10 (2023) and covers the areas most relevant to FeathersJS services:
- Authentication: authentication bypass, JWT misconfigurations such as alg=none acceptance and HS256 usage, security header validation, and WWW-Authenticate compliance
- Broken Object Level Authorization (BOLA / IDOR): sequential ID enumeration against object endpoints
- Broken Function Level Authorization (BFLA): admin endpoint probing
- Property Authorization: over-exposure of object properties in responses
- Input Validation: CORS wildcard detection and dangerous HTTP methods
- Data Exposure: PII patterns, API key formats, and error/stack-trace leakage
- SSRF: probes against URL-accepting parameters and internal IP detection
- Inventory Management: missing versioning and server fingerprinting
- LLM / AI Security: system prompt extraction and jailbreak probes against AI-assisted endpoints
OpenAPI and authenticated scan support
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution and cross-references the specification against runtime findings for your FeathersJS services. This surfaces undefined security schemes, sensitive fields, deprecated operations, and missing pagination in the specification itself. Authenticated scanning is available from the Starter tier and above and supports Bearer, API key, Basic auth, and Cookie credentials. Domain verification is enforced so that only the domain owner can scan with credentials, and a strict header allowlist means only Authorization, X-API-Key, Cookie, and X-Custom-* headers are forwarded to the target.
Continuous monitoring and integrations
The Pro tier provides continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans of your FeathersJS API. Email alerts are rate-limited to one per hour per API, and webhooks are signed with HMAC-SHA256 and auto-disable after 5 consecutive delivery failures. The tool fits into existing workflows through a Web Dashboard for scan management and report downloads, a CLI with JSON or text output, a GitHub Action that can fail the build on low scores, an MCP Server for AI coding assistants, and a programmable API for custom integrations.
Safety posture and limitations
middleBrick sends only read-only requests (GET and HEAD), plus the text-only POST requests used for LLM probes, and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers, and customer scan data can be deleted on demand and is purged within 30 days of cancellation. The tool does not fix, patch, block, or remediate issues; it detects and reports them with remediation guidance. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, and does not replace a human pentester for high-stakes audits. For compliance, findings map to PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10; the tool helps you assemble audit evidence but asserts no certification or guarantee.