Alternatives to APIsec on Koa
What middleBrick covers
- Black-box scanning with read-only methods, completing in under one minute
- 12 detection categories aligned to the OWASP API Top 10 (2023) for Koa APIs
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with recursive $ref resolution
- Authenticated scanning with domain verification gate
- Continuous monitoring with diff detection and scheduled rescans
- LLM security testing with multi-tier adversarial probes
Black-box scanning for Koa applications
middleBrick is a self-service API security scanner that operates without agents or code access. You submit a target URL and receive a risk score from A to F with prioritized findings. The scanner uses read-only methods (GET and HEAD) and text-only POST for LLM probes, completing in under a minute. This approach works regardless of language or framework, so Koa services can be assessed without instrumentation or runtime changes.
Detection coverage aligned to OWASP API Top 10
The scanner covers 12 categories aligned to OWASP API Top 10 (2023). For Koa-based APIs, relevant detections include authentication bypass and JWT misconfigurations such as alg=none and expired tokens, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation through admin endpoint probing, and over-exposed properties or mass-assignment surfaces. It also flags CORS wildcards, dangerous HTTP methods, debug endpoints, rate-limit header inconsistencies, PII patterns including email and context-aware SSN, API key formats across providers, HTTPS and HSTS misconfigurations, SSRF indicators in URL-accepting parameters, and versioning or server fingerprinting issues.
OpenAPI analysis and authenticated scanning
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution, cross-referencing spec definitions against runtime findings for Koa APIs. This identifies undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and cookies, behind a domain verification gate that requires proof of ownership via a DNS TXT record or an HTTP well-known file. Only the designated headers are forwarded, which limits noise and keeps the scan safe.
Continuous monitoring and integrations
The Pro tier enables scheduled rescans every 6 hours, daily, weekly, or monthly, with diff detection across scans that surfaces new findings, resolved findings, and score drift for Koa services. Alerts are rate-limited to one per hour per API and delivered via email; HMAC-SHA256-signed webhooks are disabled after five consecutive delivery failures. The tool integrates with web dashboards, the middlebrick CLI, GitHub Actions for CI/CD gating, and an MCP server for AI coding assistants, allowing programmatic access for custom workflows.
LLM security and safety posture
The scanner includes LLM / AI Security testing with 18 adversarial probes across Quick, Standard, and Deep tiers. These probes assess system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. The scanner maintains a strict safety posture: it uses read-only methods only, blocks private IPs, localhost, and cloud metadata endpoints, and deletes customer data on demand within 30 days of cancellation.
Limitations and compliance framing
middleBrick does not fix, patch, block, or remediate findings; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, detect business logic vulnerabilities, or provide blind SSRF coverage. It is not an auditor and cannot certify compliance. The tool maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), and it helps you prepare for or align with security controls described in other frameworks without claiming certification or guarantees.