APIsec for AdonisJS

What middleBrick covers

  • Black-box API scanning with under one minute scan time
  • Maps findings to PCI-DSS 4.0, SOC 2 Type II, OWASP API Top 10
  • Supports authenticated scanning for AdonisJS with header allowlist
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with recursive $ref resolution
  • Continuous monitoring with diff detection and webhook alerts
  • CLI and web dashboard with branded compliance report downloads

Overview of APIsec for AdonisJS

APIsec is a self-service API security scanner designed to integrate into AdonisJS projects without requiring code access or SDK installation. You submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. The scanner operates as a black-box solution, making no assumptions about language or framework internals. It supports read-only methods such as GET and HEAD, and text-only POST for LLM probes, with typical scan times under one minute. For AdonisJS applications, APIsec evaluates framework-specific defaults, auth middleware behavior, and error shapes to surface relevant security signals while avoiding assumptions about internal implementation details.

Detection coverage aligned to frameworks

APIsec maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). It also aligns with security controls described in other standards to support audit evidence collection. For AdonisJS APIs, the scanner checks authentication bypass paths, JWT configuration issues such as alg=none or missing claims, and security header compliance. It probes for BOLA and IDOR via sequential ID patterns and adjacent ID testing, and it inspects role or permission fields for BFLA and privilege escalation risks. Input Validation checks include CORS wildcard usage with credentials, dangerous HTTP methods, and debug endpoints. Data Exposure detection covers PII patterns, API key formats, and error or stack-trace leakage. Each finding includes remediation guidance rather than automated fixes.
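The JWT checks listed above (alg=none, missing claims, and the expired-token case raised again in the FAQ) can be illustrated with a small structural inspector. The following is an added example written for this page, not middleBrick's scanner code: it decodes a token's header and payload without verifying the signature and reports the misconfigurations a reviewer would triage first. The sample tokens, the makeToken helper, and the required-claim list are constructed for the example; real AdonisJS auth middleware must still verify the signature and issuer.

```javascript
// Added example (not middleBrick's code): static inspection of a JWT for the
// misconfigurations the page lists: alg=none, missing claims, expired tokens.
// No signature is verified here, so this is a triage check, not a replacement
// for signature validation in the application's auth middleware.

const REQUIRED_CLAIMS = ['sub', 'exp', 'iat']; // assumption: what this API expects

function b64urlDecode(segment) {
  // Node's base64 decoder tolerates missing padding, so only the alphabet is mapped.
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').toString('utf8');
}

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns an array of finding strings; an empty array means no structural issue.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const parts = token.split('.');
  if (parts.length !== 3) {
    return ['malformed: expected three dot-separated segments'];
  }
  let header;
  let payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return ['malformed: header or payload is not base64url-encoded JSON'];
  }
  if (!header.alg || String(header.alg).toLowerCase() === 'none') {
    findings.push('alg=none: token declares no signature algorithm');
  }
  if (parts[2].length === 0) {
    findings.push('empty signature segment');
  }
  for (const claim of REQUIRED_CLAIMS) {
    if (!(claim in payload)) findings.push(`missing claim: ${claim}`);
  }
  if (typeof payload.exp === 'number' && payload.exp <= nowSeconds) {
    findings.push('expired: exp is in the past');
  }
  return findings;
}

// Constructed sample tokens; "sig" is a placeholder signature segment, not a real MAC.
function makeToken(header, payload, signature = 'sig') {
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.${signature}`;
}

const NOW = 1700000000; // fixed "current time" so results are reproducible
const SAMPLES = {
  ok: makeToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'u1', iat: NOW - 60, exp: NOW + 3600 }),
  none: makeToken({ alg: 'none', typ: 'JWT' }, { sub: 'u1', iat: NOW - 60, exp: NOW + 3600 }, ''),
  expired: makeToken({ alg: 'HS256' }, { sub: 'u1', iat: NOW - 7200, exp: NOW - 60 }),
  noClaims: makeToken({ alg: 'HS256' }, { role: 'admin' }),
};

for (const [name, token] of Object.entries(SAMPLES)) {
  console.log(name, inspectJwt(token, NOW));
}
```

The "ok" token yields no findings; "none" reports both the alg=none header and the empty signature segment; "expired" reports the past exp; "noClaims" reports each of the three missing claims.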

Authenticated scanning and configuration

Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. To perform authenticated scans, you must pass a domain verification gate, such as a DNS TXT record or an HTTP well-known file, ensuring only the domain owner can submit credentials. For AdonisJS applications, only specific headers are forwarded: Authorization, X-API-Key, Cookie, and X-Custom-* headers. The OpenAPI parser supports versions 3.0, 3.1, and Swagger 2.0, resolving recursive $ref entries and cross-referencing spec definitions against runtime behavior. This helps identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination in the context of AdonisJS API structures.

Continuous monitoring and integrations

Pro tier features continuous monitoring for AdonisJS APIs, with scheduled rescans every 6 hours, daily, weekly, or monthly. The system detects diffs between scans, highlighting new findings, resolved issues, and score drift. Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks are supported with auto-disable after five consecutive failures. Integration options include a web dashboard for managing scans and viewing trend reports, a CLI via the middlebrick npm package using the command middlebrick scan <url> with JSON or text output, and a GitHub Action that can fail CI/CD builds when scores drop below a defined threshold. An MCP Server enables scanning from AI coding assistants, and a programmable API supports custom integrations for AdonisJS workflows.

Limitations and safety posture

APIsec does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection testing, as those require intrusive payloads outside the scanner scope. Business logic vulnerabilities are not detected, as they require domain-specific human review. The scanner also does not identify blind SSRF due to the lack of out-of-band infrastructure in scope, and it does not replace a human pentester for high-stakes audits. Safety measures include read-only methods only, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation, and it is never sold or used for model training.

Frequently Asked Questions

Does APIsec understand AdonisJS default error responses?
Yes. The scanner evaluates error and stack-trace leakage patterns and maps findings related to information exposure in framework-specific error responses.
Can authenticated scans validate JWT configurations in AdonisJS?
Yes. Authenticated scans support Bearer and cookie-based authentication and check JWT misconfigurations such as alg=none, expired tokens, and missing claims.
How does APIsec handle OpenAPI specs for AdonisJS projects?
It parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references definitions against runtime findings to identify mismatches relevant to AdonisJS APIs.
Can APIsec integrate into CI/CD pipelines for AdonisJS?
Yes. Through the GitHub Action and CLI, APIsec can gate builds based on score thresholds and provide JSON output for automated processing.