APIsec for Axum
What middleBrick covers
- Black-box scanning with no agents or SDKs
- Risk scoring aligned to OWASP API Top 10
- Authenticated scans for Bearer tokens, API keys, Basic auth, and cookie sessions
- OpenAPI 3.x and Swagger 2.0 analysis
- LLM/AI adversarial prompt testing
- Continuous monitoring and diff detection
APIsec for Axum overview
APIsec is a self-service API security scanner that assesses public endpoints and authenticated Axum services. Submit an API URL and receive a risk score from A to F with prioritized findings. The scanner works black-box only, with no agent or SDK in the target: the general scan uses safe, non-mutating methods (GET and HEAD), and the LLM probes add text-only POST requests to the generative endpoints under test. A scan typically completes in under a minute.
Axum-specific detection considerations
Axum applications typically compose a Router with tower middleware layers for authentication, CORS, and error handling, so a guard attached to the wrong router scope silently leaves routes exposed. APIsec detects mismatches between declared security schemes and runtime behavior, such as admin routes that answer unauthenticated requests, role or permission fields leaked in JSON responses, and verbose error payloads that expose panic messages or stack traces. It also checks for CORS configurations that combine a wildcard Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true, dangerous HTTP methods enabled via axum-extra, and debug or health endpoints reachable in production-like scans. Findings are mapped to the OWASP API Security Top 10 (2023) and aligned with the controls described in SOC 2 Type II and PCI-DSS 4.0.
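The checks above are black-box: they look only at what a request produces. The following is an added example, not middleBrick's scanner code, of how four of those checks can be expressed over a single raw HTTP response using only the Rust standard library. The response text is constructed for the example, the JSON key extraction is a heuristic rather than a full parser, and the admin-route rule (an /admin path that returns 200 to a probe without credentials) is an assumed policy, not a documented APIsec rule.

```rust
// Added example (not middleBrick's code): black-box checks over one Axum response.
// Pure std Rust, no crates. The sample responses below are constructed, not captured.
use std::collections::HashMap;

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    CorsWildcardWithCredentials,
    StackTraceInBody,
    LeakedAuthzField(String),
    UnguardedAdminRoute(String),
}

pub struct Response {
    pub status: u16,
    pub headers: HashMap<String, String>, // header names lowercased
    pub body: String,
}

/// Minimal HTTP/1.1 response parser: status line, header lines, blank line, body.
pub fn parse_response(raw: &str) -> Option<Response> {
    let (head, body) = raw.split_once("\r\n\r\n")?;
    let mut lines = head.split("\r\n");
    let status = lines.next()?.split_whitespace().nth(1)?.parse().ok()?;
    let mut headers = HashMap::new();
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            headers.insert(name.trim().to_ascii_lowercase(), value.trim().to_string());
        }
    }
    Some(Response { status, headers, body: body.to_string() })
}

/// Heuristic: collect JSON object keys (a quoted string followed by ':') without a parser.
fn json_keys(body: &str) -> Vec<String> {
    let mut keys = Vec::new();
    let mut rest = body;
    while let Some(start) = rest.find('"') {
        let after = &rest[start + 1..];
        let end = match after.find('"') {
            Some(e) => e,
            None => break,
        };
        if after[end + 1..].trim_start().starts_with(':') {
            keys.push(after[..end].to_string());
        }
        rest = &after[end + 1..];
    }
    keys
}

/// Authorization metadata that should not be echoed to API clients (assumed list).
const AUTHZ_FIELDS: &[&str] = &["role", "roles", "permissions", "is_admin", "scopes"];

/// Run the checks for one probe. `authenticated` says whether the probe carried
/// credentials; `path` is the request path that produced `resp`.
pub fn check(path: &str, authenticated: bool, resp: &Response) -> Vec<Finding> {
    let mut findings = Vec::new();
    let h = |name: &str| resp.headers.get(name).map(|v| v.as_str());

    // CORS: '*' origin plus credentials lets any origin read authenticated responses.
    if h("access-control-allow-origin") == Some("*")
        && h("access-control-allow-credentials").map(|v| v.eq_ignore_ascii_case("true")) == Some(true)
    {
        findings.push(Finding::CorsWildcardWithCredentials);
    }
    // Verbose errors: Rust panic or backtrace text inside a 5xx body.
    if resp.status >= 500 && (resp.body.contains("panicked at") || resp.body.contains("stack backtrace")) {
        findings.push(Finding::StackTraceInBody);
    }
    // Role/permission fields present in the JSON payload.
    for key in json_keys(&resp.body) {
        if AUTHZ_FIELDS.contains(&key.as_str()) {
            findings.push(Finding::LeakedAuthzField(key));
        }
    }
    // Admin-prefixed route answering 200 to a probe that sent no credentials.
    if !authenticated && path.starts_with("/admin") && resp.status == 200 {
        findings.push(Finding::UnguardedAdminRoute(path.to_string()));
    }
    findings
}

/// Constructed sample: CORS misconfiguration plus leaked authz fields on an admin route.
pub const SAMPLE: &str = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Credentials: true\r\n\r\n{\"id\": 7, \"role\": \"admin\", \"permissions\": [\"users:write\"]}";

/// Constructed sample: a 500 that leaks a Rust panic location and backtrace header.
pub const SAMPLE_500: &str = "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/plain\r\n\r\nthread 'tokio-runtime-worker' panicked at src/handlers.rs:42:9:\nstack backtrace:\n   0: rust_begin_unwind";

fn main() {
    let resp = parse_response(SAMPLE).expect("well-formed sample");
    for f in check("/admin/users/7", false, &resp) {
        println!("{f:?}");
    }
}
```

Running the same body through check with authenticated set to true drops only the admin-route finding; the CORS and leaked-field findings do not depend on who asked, which is why a scanner can report them from an unauthenticated pass.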
Authenticated scanning with Axum
For authenticated scans at the Starter tier and above, APIsec supports Bearer tokens, API keys, Basic auth, and cookie-based sessions. Before a credentialed scan, a domain verification gate confirms ownership via a DNS TXT record or an HTTP well-known file, so only the domain owner can submit credentials for that target. When credentials are provided, the scanner sends only headers from a restricted allowlist: Authorization, X-API-Key, Cookie, and X-Custom-*; anything else is dropped. The same setup supports continuous monitoring for Axum APIs, with scheduled rescans and diff detection that highlights findings that are new or resolved between scans.
OpenAPI and spec-aware analysis
APIsec parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents for Axum-based services, resolving recursive $ref references. It cross-references the specification against runtime responses to identify security schemes that are referenced but never defined, over-exposed sensitive fields, deprecated operations still being served, and list endpoints without pagination. This helps surface integration points that may not be actively monitored and supports audit evidence for controls relevant to compliance frameworks. The scanner also detects mismatches between declared response schemas and actual payloads, including unexpected PII and credential formats such as AWS, Stripe, GitHub, and Slack key patterns.
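The credential-format check is worth seeing in concrete form because the useful part is not the match but what gets reported. The following is an added example, not middleBrick's code, that flags credential-shaped strings in a response body by well-known prefixes (AWS access key IDs, Stripe live secrets, GitHub classic PATs, Slack bot/user tokens) and records only a redacted form, so the finding itself never stores the secret. The prefix and length rules are heuristics I am assuming here, and the JSON body is constructed for the example (the AWS value is Amazon's documented placeholder key).

```rust
// Added example (not middleBrick's code): prefix-based secret detection over a
// response body, std-only Rust. Rules are heuristic; the sample body is constructed.

#[derive(Debug, PartialEq, Eq)]
pub struct SecretHit {
    pub kind: &'static str,
    pub redacted: String, // first 8 chars + "..." + last 4 chars, never the full value
}

/// Classify one whitespace/punctuation-free token by credential prefix and shape.
fn classify(token: &str) -> Option<&'static str> {
    let upper_alnum = |s: &str| s.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit());
    if token.len() == 20 && token.starts_with("AKIA") && upper_alnum(token) {
        Some("aws-access-key-id")          // AKIA + 16 uppercase alphanumerics
    } else if token.starts_with("sk_live_") && token.len() >= 24 {
        Some("stripe-live-secret")         // sk_test_ keys are deliberately ignored
    } else if token.len() == 40 && token.starts_with("ghp_") {
        Some("github-pat")                 // ghp_ + 36 characters
    } else if token.starts_with("xoxb-") || token.starts_with("xoxp-") {
        Some("slack-token")
    } else {
        None
    }
}

/// Keep enough of the value to locate it in the payload, but never the whole secret.
fn redact(token: &str) -> String {
    let tail = token.len().saturating_sub(4);
    format!("{}...{}", &token[..token.len().min(8)], &token[tail..])
}

/// Tokenize on anything that cannot appear in these credential formats
/// (ASCII letters, digits, '_' and '-'), then classify each token.
pub fn scan_body(body: &str) -> Vec<SecretHit> {
    body.split(|c: char| !(c.is_ascii_alphanumeric() || c == '_' || c == '-'))
        .filter_map(|tok| classify(tok).map(|kind| SecretHit { kind, redacted: redact(tok) }))
        .collect()
}

/// Constructed response body: three real-shaped credentials plus a test-mode decoy.
pub const SAMPLE_BODY: &str = r#"{
  "user": "alice",
  "aws_key": "AKIAIOSFODNN7EXAMPLE",
  "billing": {"key": "sk_live_000000000000000000000000", "sandbox": "sk_test_123"},
  "ci": {"token": "ghp_0123456789abcdefghijklmnopqrstuvwxyz"},
  "chat": {"bot": "xoxb-1234-5678-abcdefgh"}
}"#;

fn main() {
    for hit in scan_body(SAMPLE_BODY) {
        println!("{}: {}", hit.kind, hit.redacted);
    }
}
```

Splitting on non-token characters, rather than trying to parse the JSON, means the same pass works on text/plain error pages and HTML as well as JSON, which matters because leaked keys tend to show up in the places nobody declared in the spec.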
LLM and AI security probing
APIsec includes an LLM / AI security scan that runs 18 adversarial probes across three tiers: Quick, Standard, and Deep. The probes cover system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration attempts, cost exploitation, encoding bypasses (base64/ROT13), translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. These checks help identify prompt-injection surfaces and model-manipulation risks in Axum services that expose generative endpoints or inference interfaces.