Alternatives to APIsec on LoopBack

What middleBrick covers

  • Black-box scanning of LoopBack APIs with under one minute scan time
  • Risk scoring from A to F with prioritized findings
  • Detection aligned to OWASP API Top 10 (2023) and related mappings
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with recursive $ref resolution
  • Authenticated scanning with header allowlist and domain verification
  • CI/CD integration via GitHub Action and programmatic API client

Black-box scanning for LoopBack APIs

middleBrick is a self-service API security scanner that operates as a black-box solution against LoopBack services. You submit a URL, and in under a minute you receive a risk score from A to F with prioritized findings. The scanner uses only read-only methods, including GET and HEAD, plus text-only POST for LLM probes, so it does not require access to source code, agents, or SDKs. This approach works regardless of the language, framework, or cloud environment hosting your LoopBack APIs.

Detection coverage aligned to OWASP API Top 10

The scanner maps findings to OWASP API Top 10 (2023) and covers 12 security categories relevant to LoopBack deployments. It detects authentication bypasses and JWT misconfigurations such as alg=none, weak algorithms, expired tokens, missing claims, and sensitive data in claims. It identifies BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and BFLA or privilege escalation through admin endpoint probing and role/permission field leakage. Additional coverage includes property authorization over-exposure, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate limiting and resource consumption signals, and data exposure patterns such as emails, Luhn-validated card numbers, context-aware SSNs, and API key formats. The scanner also checks encryption hygiene, SSRF risks via URL-accepting parameters, inventory management weaknesses like missing versioning, unsafe consumption surfaces, and LLM/AI security through adversarial probes across multiple scan tiers.

OpenAPI analysis and authenticated scanning

middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions for LoopBack projects, resolving recursive $ref structures and cross-referencing spec definitions against runtime findings. This helps identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination directly from the contract. For authenticated scanning, which is available from the Starter tier and above, the scanner supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file to ensure only the domain owner can scan with credentials, and a strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Products, integrations, and continuous monitoring

The Web Dashboard provides a centralized view of scans, score trends, and the ability to download branded compliance PDFs. The CLI, published as an npm package named middlebrick, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action is available to act as a CI/CD gate, failing the build when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants like Claude and Cursor. For ongoing risk management, the Pro tier offers scheduled rescans every 6 hours, daily, weekly, or monthly, diff detection across scans to highlight new or resolved findings and score drift, rate-limited email alerts, HMAC-SHA256 signed webhooks with auto-disable after five consecutive failures, and Slack or Teams notifications.

Safety posture and limitations

middleBrick follows a read-only safety posture and never sends destructive payloads. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training. Note that the scanner does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, which falls outside its non-intrusive scope. It does not detect business logic vulnerabilities or blind SSRF, and it does not replace a human pentester for high-stakes audits, as these require domain context and infrastructure out of scope for automated scanning.

Frequently Asked Questions

Does middleBrick map findings to specific compliance frameworks?
Yes. The scanner maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulations, it helps you prepare for audits by aligning with security controls described in relevant frameworks.
Can authenticated scans be run against LoopBack services?
Yes. Authenticated scanning is supported from the Starter tier onward, covering Bearer, API key, Basic auth, and cookies, with domain verification to ensure only the domain owner can enable credentials.
How often are rescans available in the Pro tier?
The Pro tier supports scheduled rescans at intervals of 6 hours, daily, weekly, or monthly, with diff detection and email or webhook alerts for score changes.
Does the scanner perform active exploit testing against LoopBack APIs?
No. The scanner is read-only and does not perform active SQL injection, command injection, or other intrusive exploit testing.
Does middleBrick integrate into CI/CD workflows for LoopBack projects?
Yes. The GitHub Action can gate CI/CD pipelines, failing the build when the score drops below a set threshold, and the API client enables custom integrations for automated workflows.