APIsec for Backend-for-Frontend (BFF)
What middleBrick covers
- Black-box scanning with no agents or code access
- Under-one-minute scan time for BFF endpoints
- Detection of authentication and JWT misconfigurations
- Identification of BOLA, IDOR, and privilege escalation risks
- Continuous monitoring with diff and alerting
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with ref resolution
APIsec for BFF architectures and the API security challenge
Backend-for-Frontend patterns consolidate multiple domain services into a backend tailored for a specific client, reducing chatty client interactions. Because that aggregation layer fetches data on the client's behalf and enforces authorization, it concentrates a broad attack surface in one place; APIsec for Backend-for-Frontend (BFF) applies continuous security validation to it. The scanner evaluates the BFF endpoints that aggregate data and enforce authorization, focusing on authentication bypass, broken object level authorization (BOLA), and the data exposure risks common to aggregated APIs.
Detection coverage aligned to OWASP API Top 10 and compliance frameworks
APIsec maps findings to the OWASP API Top 10 (2023), PCI-DSS 4.0, and SOC 2 Type II controls, providing structured evidence to support audit activities. Coverage includes authentication misconfigurations such as acceptance of JWT alg=none, weak signing secrets, and missing claims validation. The scanner detects BOLA and IDOR via sequential ID enumeration and active adjacent-ID probing, and identifies BFLA through admin endpoint discovery and privilege disclosure checks. Other categories include object property level authorization over-exposure, CORS wildcard usage, rate-limit header inconsistencies, and PII or API key leakage patterns aligned with regulatory evidence requirements.
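The three JWT findings named above (alg=none acceptance, weak secrets, missing claims validation) all come down to what the BFF's token validator refuses to accept. The following is an added example of a validator written to pass those checks; it is not middleBrick's code and not taken from any library. It uses only the Python standard library, hard-codes an explicit algorithm allowlist, verifies the HMAC in constant time, and requires sub, iss, aud and exp before trusting a token. The secret, issuer and audience values are constructed for the example; make_hs256_token exists only so the validator can be exercised offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for offline use; a real BFF would load the secret from a secret store.
DEMO_SECRET = b"constructed-demo-secret-0123456789abcdef"
ALLOWED_ALGS = {"HS256"}   # explicit allowlist: "none" and any unexpected alg are rejected
MIN_SECRET_BYTES = 32      # HS256 keys shorter than the hash output are a weak-secret finding


def secret_is_strong_enough(secret: bytes) -> bool:
    """Configuration-time check against weak HMAC secrets."""
    return len(secret) >= MIN_SECRET_BYTES


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token so the validator can be exercised offline (test helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None):
    """Return (accepted, reason). Never trusts the header's alg field, checks the
    signature before reading claims, and requires the claims the BFF relies on."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers binascii.Error, JSONDecodeError and non-ASCII input
        return False, "undecodable segment"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed segment"
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"disallowed alg: {alg!r}"   # catches 'none', 'None', RS256 confusion
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    for claim in ("sub", "iss", "aud", "exp"):
        if claim not in claims:
            return False, f"missing claim: {claim}"
    if not isinstance(claims["exp"], (int, float)) or claims["exp"] <= now:
        return False, "expired"
    if claims["iss"] != issuer:
        return False, "wrong issuer"
    if claims["aud"] != audience:
        return False, "wrong audience"
    return True, "ok"
```

The order of checks matters: the algorithm allowlist and signature are verified before any claim is read, so an unsigned or re-signed token never reaches the authorization logic, and the reason strings give a scanner-style explanation of which control rejected it.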
Black-box methodology and limitations for BFF contexts
APIsec operates as a black-box scanner with no agents, no SDK integration, and no code access, making it applicable to any language or framework used by a BFF. Scan time remains under a minute using read-only methods and text-only POST for LLM probes. The tool does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities that require domain understanding, and does not replace a human pentester for high-stakes audits. Blind SSRF and certain zero-day chains are out of scope because they rely on out-of-band infrastructure or intrusive payloads.
Authenticated scanning requirements and safe data handling
Authenticated scanning in Starter tier and above supports Bearer, API key, Basic auth, and Cookie methods, gated by domain verification through DNS TXT records or an HTTP well-known file. Only specific headers are forwarded, including Authorization, X-API-Key, Cookie, and X-Custom-* headers. Customer scan data is deletable on demand and purged within 30 days of cancellation. The scanner employs read-only methods, blocks private and localhost endpoints, and ensures data is never used for model training or sold to third parties.
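Two of the safeguards above, forwarding only an allowlist of headers and refusing private or localhost targets, are the same policy any service that fetches URLs on a user's behalf should enforce. The following is an added example of that policy, not middleBrick's implementation: the header allowlist is the one listed above (with X-Custom-* as a glob), and target_is_blocked treats any scheme other than http/https, any localhost name, and any non-public address (including what a hostname resolves to) as blocked. The resolver parameter exists so the check can run offline; the hostnames and addresses in the test are constructed.

```python
import fnmatch
import ipaddress
import socket
from urllib.parse import urlparse

# Header names the scanner forwards to the target (from the page); X-Custom-* is a glob.
FORWARDED_HEADER_PATTERNS = ("authorization", "x-api-key", "cookie", "x-custom-*")


def filter_forwarded_headers(headers: dict) -> dict:
    """Keep only allowlisted headers; anything else (Host, X-Forwarded-For, ...) is dropped."""
    return {
        name: value
        for name, value in headers.items()
        if any(fnmatch.fnmatchcase(name.lower(), pattern) for pattern in FORWARDED_HEADER_PATTERNS)
    }


def _is_non_public(ip) -> bool:
    """True for RFC 1918, loopback, link-local, reserved, multicast and unspecified addresses."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def target_is_blocked(url: str, resolver=socket.gethostbyname) -> bool:
    """True when a scan target points at localhost or non-public address space.
    Fails closed: unparseable URLs and unresolvable hosts are treated as blocked."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return True
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)  # literal IP; urlparse already strips IPv6 brackets
    except ValueError:
        try:
            ip = ipaddress.ip_address(resolver(host))  # resolve once and judge the answer
        except (OSError, ValueError):
            return True
    return _is_non_public(ip)
```

Resolving the hostname and judging the returned address, rather than pattern-matching the URL string, is what stops a public-looking name from pointing at an internal service; a production version would also pin the resolved address for the actual request so the answer cannot change between check and use.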
Integration options and continuous monitoring for API lifecycle management
APIsec integrates into existing workflows via a CLI (middlebrick scan <url>) with JSON or text output, a Web Dashboard for trend tracking and branded compliance PDFs, and a GitHub Action that can fail builds when scores drop below a threshold. The MCP Server enables scanning from AI coding assistants, and the Pro tier adds scheduled rescans, diff detection, email alerts rate-limited to one per hour per API, HMAC-SHA256 signed webhooks, and Slack or Teams notifications. These capabilities support continuous monitoring without introducing runtime risk to production BFF services.
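A signed webhook only helps if the receiver actually verifies it. The following is an added example of the receiving side of an HMAC-SHA256 signed webhook, written for this page and not taken from middleBrick; the header names and the "timestamp.body" signing layout are assumptions for the example, since the page does not document the real format, and the secret and payload are constructed. It compares the MAC in constant time, bounds the timestamp to limit replay, and parses the JSON only after the signature checks out.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret; a real receiver loads it from configuration.
WEBHOOK_SECRET = b"constructed-webhook-secret-do-not-reuse"
MAX_SKEW_SECONDS = 300  # deliveries older (or newer) than five minutes are refused

# Assumed header names and signing layout for this example, not middleBrick's documented format.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature-256"


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" so the timestamp is covered by the MAC."""
    mac = hmac.new(secret, timestamp.encode("ascii") + b"." + body, hashlib.sha256)
    return mac.hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (accepted, reason). Checks freshness first, then the MAC in constant time."""
    now = time.time() if now is None else now
    lowered = {name.lower(): value for name, value in headers.items()}
    timestamp = lowered.get(TIMESTAMP_HEADER.lower())
    signature = lowered.get(SIGNATURE_HEADER.lower())
    if timestamp is None or signature is None:
        return False, "missing signature headers"
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False, "stale or future-dated delivery"
    expected = compute_signature(secret, timestamp, body)
    if not hmac.compare_digest(expected, signature.lower()):
        return False, "signature mismatch"
    return True, "ok"


def handle_delivery(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (payload, reason); the payload is only decoded once the signature is verified."""
    ok, reason = verify_webhook(secret, headers, body, now)
    if not ok:
        return None, reason
    return json.loads(body), "ok"
```

Verify against the raw request bytes, not a re-serialised JSON object, because any re-encoding difference changes the MAC; and keep the rejection reasons in server logs only, since an attacker can use verbose error responses to tell a bad timestamp apart from a bad signature.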