APIsec for Actix Web
What middleBrick covers
- Black-box scanning without agents or code access
- Risk scoring from A to F with prioritized findings
- Detection of authentication and JWT misconfigurations
- IDOR and privilege escalation probing
- OpenAPI 3.x and Swagger 2.0 parsing with diff monitoring
- Authenticated scans with strict header allowlists
Black-box scanning for Actix Web APIs
middleBrick is a self-service API security scanner that operates against Actix Web endpoints without requiring code access, agents, or SDK integration. You submit a target URL and receive a risk score from A to F along with prioritized findings. The scan completes in under a minute and uses only read-only methods (GET and HEAD) plus text-only POST for LLM probes, ensuring no destructive operations are performed against your services.
Detection coverage aligned to frameworks
The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023), surfacing evidence relevant to the requirements of those standards for common API risks. For other regulations (HIPAA, GDPR, ISO 27001, NIST, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, FERPA), middleBrick helps you prepare for audits by aligning its detection patterns, such as sensitive data exposure, weak authentication, and insecure error handling, with the security controls those regulations describe.
Actix Web specific considerations
middleBrick evaluates Actix Web defaults and auth middleware behavior without assuming framework internals. It checks security headers, cookie flags, HTTPS redirect chains, and HSTS presence as it would for any backend. The tool probes for IDOR via sequential ID patterns and tests for BOLA and BFLA by exercising endpoints under different identity contexts. PII patterns such as email addresses, Luhn-validated card numbers, and context-aware SSNs are matched against responses to detect over-exposure through Actix Web serializers or logging behavior. Error and stack-trace leakage is flagged when stack traces or internal paths appear in responses, which can indicate misconfigured Actix Web error handlers.
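The response checks described above, as an added illustration that is not middleBrick's own code: a Luhn validator, a digit-run extractor that tolerates the spaces or dashes card numbers are often printed with, and a marker search for panic text and build paths that a misconfigured error handler can leak. The 13 to 19 digit length window and the marker list are assumptions for this example; the sample response bodies are constructed.

```rust
// Added example (not middleBrick's code): response-body checks of the kind the
// page describes, namely Luhn-validated card numbers and stack-trace or
// internal-path leakage. The sample response bodies in main() are constructed.

/// Luhn checksum over a pure digit string; 13..=19 digits is the assumed PAN length range.
pub fn luhn_valid(digits: &str) -> bool {
    if digits.len() < 13 || digits.len() > 19 || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return false;
    }
    let sum: u32 = digits
        .bytes()
        .rev()
        .enumerate()
        .map(|(i, b)| {
            let d = u32::from(b - b'0');
            if i % 2 == 1 {
                // every second digit from the right is doubled, 10..18 fold to 1..9
                let doubled = d * 2;
                if doubled > 9 { doubled - 9 } else { doubled }
            } else {
                d
            }
        })
        .sum();
    sum % 10 == 0
}

/// Collect digit runs (single spaces or dashes between digit groups are tolerated,
/// as in "4111 1111 1111 1111") and keep only the Luhn-valid ones.
pub fn find_card_numbers(body: &str) -> Vec<String> {
    let bytes = body.as_bytes();
    let mut found = Vec::new();
    let mut i = 0;
    while i < bytes.len() {
        if !bytes[i].is_ascii_digit() {
            i += 1;
            continue;
        }
        let mut digits = String::new();
        let mut j = i;
        while j < bytes.len() {
            let c = bytes[j];
            if c.is_ascii_digit() {
                digits.push(c as char);
                j += 1;
            } else if (c == b' ' || c == b'-') && j + 1 < bytes.len() && bytes[j + 1].is_ascii_digit() {
                j += 1; // separator inside a digit group
            } else {
                break;
            }
        }
        if luhn_valid(&digits) {
            found.push(digits);
        }
        i = j;
    }
    found
}

/// Substrings that suggest a Rust panic message or a build path reached the client.
/// The marker list is an assumption for this example, not the scanner's own list.
pub fn leak_markers(body: &str) -> Vec<&'static str> {
    const MARKERS: [&str; 4] = ["panicked at", "stack backtrace", "src/main.rs", "/home/"];
    MARKERS.iter().copied().filter(|m| body.contains(*m)).collect()
}

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub card_numbers: Vec<String>,
    pub leak_markers: Vec<&'static str>,
}

/// Run both checks over one response body.
pub fn scan_body(body: &str) -> Finding {
    Finding { card_numbers: find_card_numbers(body), leak_markers: leak_markers(body) }
}

fn main() {
    // Constructed sample responses: one clean, one leaking a PAN and panic details.
    let clean = r#"{"order_id":20240115,"card_last4":"1111","status":"shipped"}"#;
    let leaky = "thread 'main' panicked at src/main.rs:42:9:\ncard 4111-1111-1111-1111 on /home/deploy/api";
    println!("{:?}", scan_body(clean));
    println!("{:?}", scan_body(leaky));
}
```

The Luhn step is what keeps an order id or a timestamp such as 20240115 from being reported as a card number; a digit run of plausible length that fails the checksum is ignored, which is the difference between a usable finding and noise.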
Authenticated scanning and scope controls
Authenticated scanning is available from the Starter tier onward for Actix Web services. Supported methods include Bearer tokens, API keys, Basic auth, and cookie-based sessions. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a strict header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers, preventing unintended data leakage during authenticated probes of Actix Web routes.
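The allowlist just described, written out as an added example rather than middleBrick's implementation: header names are compared case-insensitively, and the X-Custom-* rule is read here as a prefix match that requires something after the dash (an assumption), so that a header such as X-Customer-Id is not forwarded by accident. The header set in main() is constructed.

```rust
// Added example (not middleBrick's code): the header allowlist the page describes
// for authenticated scans. Header names compare case-insensitively, and the
// X-Custom-* rule is taken here to require a non-empty suffix (an assumption).

const EXACT_ALLOW: [&str; 3] = ["authorization", "x-api-key", "cookie"];
const PREFIX_ALLOW: &str = "x-custom-";

/// True when a header may be forwarded to the target.
pub fn is_forwardable(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    EXACT_ALLOW.contains(&lower.as_str())
        || (lower.starts_with(PREFIX_ALLOW) && lower.len() > PREFIX_ALLOW.len())
}

/// Split a header set into the pairs to forward and the names that were dropped,
/// so the dropped list can be shown to the user instead of silently discarded.
pub fn filter_headers<'a>(headers: &[(&'a str, &'a str)]) -> (Vec<(&'a str, &'a str)>, Vec<&'a str>) {
    let mut forwarded = Vec::new();
    let mut dropped = Vec::new();
    for &(name, value) in headers {
        if is_forwardable(name) {
            forwarded.push((name, value));
        } else {
            dropped.push(name);
        }
    }
    (forwarded, dropped)
}

fn main() {
    // Constructed header set as a scan might receive it from a user's configuration.
    let headers = [
        ("Authorization", "Bearer <token>"),
        ("X-Custom-Tenant", "acme"),
        ("X-Customer-Id", "7"), // not X-Custom-*: the prefix needs its trailing dash
        ("X-Forwarded-For", "203.0.113.5"),
        ("cookie", "session=abc"),
    ];
    let (fwd, dropped) = filter_headers(&headers);
    println!("forwarded: {:?}", fwd);
    println!("dropped: {:?}", dropped);
}
```

Reporting the dropped names matters in practice: a scan that silently discards a required header produces unauthenticated results that look like a clean authenticated pass.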
OpenAPI analysis and continuous monitoring
When an OpenAPI 3.0, 3.1, or Swagger 2.0 specification is provided, middleBrick parses the document with recursive $ref resolution and cross-references spec definitions against runtime findings for Actix Web services. This highlights undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination that may amplify risk. Continuous monitoring in the Pro tier supports scheduled rescans every 6 hours, daily, weekly, or monthly for Actix Web deployments, with diff detection across scans to surface new findings, resolved issues, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks can notify external systems, with auto-disable after five consecutive failures.