APIsec for Buffalo
What middleBrick covers
- Black-box scanning with no agents or SDK integration
- 12 OWASP API Top 10 detection categories
- OpenAPI 3.0/3.1 and Swagger 2.0 cross-reference
- Authenticated scanning with header allowlist
- Continuous monitoring and score diffing
- CI/CD integration via GitHub Action and CLI
How middleBrick maps to OWASP API Top 10 for Buffalo apps
middleBrick maps findings directly to OWASP API Top 10 (2023). The scanner runs black-box requests against your Buffalo endpoints and compares observed behavior to the framework defaults and auth middleware patterns typical in Go applications.
It checks for authentication bypass, JWT misconfigurations, and missing or weak security headers, issues that commonly appear once Buffalo's default configuration is extended. Where your routes expose public or admin surfaces, the scanner highlights over-exposure and missing authorization checks at the framework's routing layer.
Because Buffalo encourages structured APIs alongside server-side rendering, the tool cross-references what your spec declares with what the running app actually returns, surfacing validation gaps and data exposure that affect clients consuming Buffalo-generated payloads.
Authentication and authorization analysis
Authentication coverage includes bypass attempts across multiple authentication methods, JWT alg=none checks, and detection of misconfigured token validation. The scanner verifies whether your Buffalo app enforces its middleware-based auth guards on every protected route and whether issued tokens expose sensitive claims in their payload.
For apps using Bearer tokens or API keys, authenticated scanning first verifies domain ownership via a DNS TXT record or a well-known file, and only then tests protected routes. Only the verified domain owner can scan with credentials, and forwarded headers are limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
The tool does not attempt to patch or enforce policies; it reports where current middleware behavior deviates from expected access control and provides remediation guidance aligned with the framework’s idiomatic patterns.
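A worked example of the guard this section describes, added here as an illustration rather than code from middleBrick or from Buffalo: a stdlib-only Go middleware that pins the JWT algorithm to HS256 (so a token whose header says alg=none is rejected instead of trusted), compares the HMAC in constant time, and enforces exp. The mintHS256 and forgeAlgNone helpers, the demo secret, and the use of net/http instead of buffalo.Handler are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // unpadded base64url, as compact JWS requires

var errBadToken = errors.New("invalid token")

// mintHS256 issues an HS256 token; it exists only so the example can create tokens offline.
func mintHS256(claims map[string]any, secret []byte) (string, error) {
	p, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(p)
	return signingInput + "." + b64.EncodeToString(hmacSHA256(secret, signingInput)), nil
}

func hmacSHA256(key []byte, msg string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(msg))
	return mac.Sum(nil)
}

// verifyHS256 pins the algorithm rather than trusting the header's alg (so
// alg=none is rejected), compares the MAC in constant time, then enforces exp.
func verifyHS256(token string, secret []byte, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errBadToken
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, errBadToken
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("%w: alg %q not accepted", errBadToken, hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, hmacSHA256(secret, parts[0]+"."+parts[1])) {
		return nil, fmt.Errorf("%w: signature mismatch", errBadToken)
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errBadToken
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, errBadToken
	}
	exp, ok := claims["exp"].(float64) // encoding/json decodes JSON numbers as float64
	if !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("%w: missing or expired exp", errBadToken)
	}
	return claims, nil
}

// requireJWT is the auth guard, written against net/http so it runs stand-alone;
// a Buffalo middleware wraps a buffalo.Handler in the same shape.
func requireJWT(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		token := strings.TrimPrefix(auth, "Bearer ")
		if token == auth { // no Bearer prefix present
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if _, err := verifyHS256(token, secret, time.Now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// forgeAlgNone rewrites a captured token the way an alg=none probe does: same claims, no signature.
func forgeAlgNone(token string) string {
	parts := strings.Split(token, ".")
	return b64.EncodeToString([]byte(`{"alg":"none"}`)) + "." + parts[1] + "."
}

func main() {
	secret := []byte("replace-with-a-real-secret") // assumed demo secret
	good, _ := mintHS256(map[string]any{"sub": "admin", "exp": time.Now().Add(time.Hour).Unix()}, secret)
	_, err := verifyHS256(forgeAlgNone(good), secret, time.Now())
	fmt.Println("alg=none forgery rejected:", err != nil)
}
```

The important design choice is that the accepted algorithm is a constant in the verifier, not a value read from the token: a library that dispatches on the header's alg is exactly what the alg=none and key-confusion probes exploit. The same guard, with the clock injected, is also what lets a test prove that an expired token is refused.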
Input validation, SSRF, and unsafe consumption surfaces
Input validation checks include CORS wildcard usage with and without credentials, dangerous HTTP methods, and debug endpoints that can appear in Buffalo applications with permissive routing.
SSRF probes target URL-accepting parameters and body fields, checking whether the app will reach internal IP ranges on a caller's behalf and whether filters for known internal endpoints can be bypassed. These checks are read-only and do not execute intrusive payloads.
Unsafe consumption detection surfaces an unusually high number of third-party URLs, along with webhook and callback configurations that let an outside party influence what your app fetches. The scanner identifies these surfaces and recommends restricting the allowed targets and tightening callback validation.
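The remediation these two sections recommend (restrict allowed targets, validate callback URLs) as an added Go example; it is not middleBrick's probe logic and not Buffalo code. The Resolver type, the constructedDNS records, the https-only rule and the allowlist parameter are assumptions chosen so the example runs offline and shows the cases an SSRF probe would try.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the example runs offline; in production pass
// func(h string) ([]net.IP, error) { return net.LookupIP(h) }.
type Resolver func(host string) ([]net.IP, error)

// isInternal reports whether the app must never connect to this address on a
// caller's behalf: loopback, RFC 1918 / ULA, link-local (which covers the cloud
// metadata service at 169.254.169.254), unspecified and multicast ranges.
func isInternal(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4 // normalises IPv4-mapped IPv6 (::ffff:10.0.0.1) to 10.0.0.1
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateCallbackURL applies a scheme allowlist and an optional host allowlist,
// rejects embedded credentials, and checks every address the host resolves to.
func ValidateCallbackURL(raw string, allowedHosts map[string]bool, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable url: %w", err)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in url not allowed")
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return errors.New("missing host")
	}
	if len(allowedHosts) > 0 && !allowedHosts[host] {
		return fmt.Errorf("host %q not in allowlist", host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: check it directly, no DNS
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips { // every record must be external, not just the first
		if isInternal(ip) {
			return fmt.Errorf("host %q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// constructedDNS holds made-up records so the example needs no network.
var constructedDNS = map[string][]net.IP{
	"hooks.example.com":    {net.ParseIP("203.0.113.10")},
	"intranet.example.com": {net.ParseIP("10.20.30.40")},
	"rebind.example.com":   {net.ParseIP("203.0.113.11"), net.ParseIP("10.0.0.1")},
}

func staticResolver(host string) ([]net.IP, error) {
	if ips, ok := constructedDNS[host]; ok {
		return ips, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	targets := []string{"https://hooks.example.com/notify", "https://169.254.169.254/latest/meta-data/", "https://rebind.example.com/"}
	for _, target := range targets {
		fmt.Printf("%-45s -> %v\n", target, ValidateCallbackURL(target, nil, staticResolver))
	}
}
```

Two caveats a practitioner should keep in mind. Resolving first and connecting later is a time-of-check/time-of-use gap (DNS rebinding), so production code should also enforce the check inside the dialer (for example a custom DialContext that re-validates the address it is about to connect to) and re-run it on every redirect. Also, unusual host spellings such as decimal or octal IPs do not parse as literals here and fall through to the resolver, which is the safe direction only because an unresolvable host is rejected.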
OpenAPI contract cross-referencing
middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents with recursive $ref resolution. It cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination controls.
For Buffalo apps that generate or validate OpenAPI specs, this comparison helps identify mismatches between declared routes and actual behavior, including missing security requirements and unexpected response leakage.
The analysis does not modify your spec or code; it surfaces discrepancies that may indicate where documentation or implementation drift could introduce risk.
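An added example of the cross-referencing idea, not middleBrick's parser: a stdlib Go function that reads a small OpenAPI 3.0 document, applies the global security requirement unless an operation overrides it, and reports operations with no security requirement, references to undefined security schemes, deprecated operations that are still served, and served routes absent from the spec. The constructedSpec document, the constructedRoutes list (runtime routes written in the spec's template form), and the omission of $ref resolution are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Finding is one discrepancy between the declared contract and the served surface.
type Finding struct {
	Route string // "METHOD /path" in the spec's template form
	Issue string
}

// openAPIDoc models only the fields this check reads; $ref resolution is left out.
type openAPIDoc struct {
	Security   []map[string][]string                 `json:"security"`
	Paths      map[string]map[string]json.RawMessage `json:"paths"`
	Components struct {
		SecuritySchemes map[string]json.RawMessage `json:"securitySchemes"`
	} `json:"components"`
}

// Security is a pointer: absent means inherit the global requirement, an explicit [] means unauthenticated.
type operation struct {
	Security   *[]map[string][]string `json:"security"`
	Deprecated bool                   `json:"deprecated"`
}

var httpMethods = map[string]bool{"get": true, "put": true, "post": true, "delete": true, "options": true, "head": true, "patch": true, "trace": true}

// CrossReference compares spec operations with the routes actually served.
func CrossReference(specJSON []byte, observedRoutes []string) ([]Finding, error) {
	var doc openAPIDoc
	if err := json.Unmarshal(specJSON, &doc); err != nil {
		return nil, err
	}
	observed, declared := map[string]bool{}, map[string]bool{}
	for _, r := range observedRoutes {
		observed[r] = true
	}
	var out []Finding
	for path, item := range doc.Paths {
		for method, raw := range item {
			if !httpMethods[method] { // skips path-level keys such as "parameters"
				continue
			}
			route := strings.ToUpper(method) + " " + path
			declared[route] = true
			var op operation
			if err := json.Unmarshal(raw, &op); err != nil {
				return nil, fmt.Errorf("%s: %w", route, err)
			}
			reqs := doc.Security
			if op.Security != nil {
				reqs = *op.Security
			}
			if len(reqs) == 0 {
				out = append(out, Finding{route, "no security requirement"})
			}
			for _, req := range reqs {
				for scheme := range req {
					if _, ok := doc.Components.SecuritySchemes[scheme]; !ok {
						out = append(out, Finding{route, "undefined security scheme " + scheme})
					}
				}
			}
			if op.Deprecated && observed[route] {
				out = append(out, Finding{route, "deprecated operation still served"})
			}
		}
	}
	for route := range observed {
		if !declared[route] {
			out = append(out, Finding{route, "served but not declared in spec"})
		}
	}
	// Stable order so two scans of the same app can be diffed line by line.
	sort.Slice(out, func(i, j int) bool { return out[i].Route+out[i].Issue < out[j].Route+out[j].Issue })
	return out, nil
}

// constructedSpec is a made-up OpenAPI 3.0 document for this example.
const constructedSpec = `{"openapi":"3.0.3","security":[{"bearerAuth":[]}],
 "components":{"securitySchemes":{"bearerAuth":{"type":"http","scheme":"bearer"}}},
 "paths":{"/users":{"get":{"summary":"list users"},"post":{"security":[]}},
  "/users/{id}":{"parameters":[],"get":{},"delete":{"security":[{"adminKey":[]}]}},
  "/legacy/export":{"get":{"deprecated":true}}}}`

// constructedRoutes stands in for the routes observed at runtime.
var constructedRoutes = []string{
	"GET /users", "POST /users", "GET /users/{id}", "DELETE /users/{id}",
	"GET /legacy/export", "GET /debug/pprof",
}

func main() {
	findings, err := CrossReference([]byte(constructedSpec), constructedRoutes)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %s\n", f.Route, f.Issue)
	}
}
```

On the constructed input this reports four discrepancies: POST /users is explicitly unauthenticated, DELETE /users/{id} names a scheme that components.securitySchemes never defines, GET /legacy/export is deprecated yet still routed, and GET /debug/pprof is served with no contract at all. The pointer-versus-absent distinction on security is the detail that matters most in practice: treating "security": [] as "inherit the default" silently hides a deliberately open endpoint.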
Continuous monitoring and scoring
Pro tier continuous monitoring supports scheduled rescans every 6 hours, daily, weekly, or monthly. It detects diffs between scans, including new findings, resolved findings, and score drift over time.
Email alerts are rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks are disabled automatically after 5 consecutive delivery failures. Together these limits keep alert volume meaningful without overwhelming recipients.
You can download branded compliance PDFs from the Web Dashboard and integrate the scanner via CLI or GitHub Action, with CI/CD gates that fail the build when the score drops below your chosen threshold.
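A receiver for HMAC-SHA256 signed webhooks, as an added Go example rather than middleBrick's delivery code. The header names, the hex encoding and the signed layout (timestamp, a dot, then the raw body) are assumptions of this example and must be replaced with whatever the sender documents; the timestamp window is an addition for replay protection that this page does not describe.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
	"log"
	"net/http"
	"strconv"
	"time"
)

// The header names, hex encoding and signed layout below are assumptions of
// this example; use whatever the webhook sender documents.
const (
	sigHeader = "X-Signature-256"
	tsHeader  = "X-Signature-Timestamp"
	maxSkew   = 5 * time.Minute // replay window, also an assumption
	maxBody   = 1 << 20         // cap on bytes read before verification
)

// computeMAC returns HMAC-SHA256(secret, ts || "." || body). Binding the
// timestamp into the MAC is what makes the replay window enforceable.
func computeMAC(secret []byte, ts string, body []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ts + "."))
	mac.Write(body)
	return mac.Sum(nil)
}

// signPayload is the sender side, used here to produce test deliveries.
func signPayload(secret []byte, ts string, body []byte) string {
	return hex.EncodeToString(computeMAC(secret, ts, body))
}

// VerifySignature checks freshness first, then the MAC in constant time.
func VerifySignature(secret []byte, ts, sigHex string, body []byte, now time.Time) error {
	if ts == "" || sigHex == "" {
		return errors.New("missing signature headers")
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	if skew := now.Sub(time.Unix(unix, 0)); skew > maxSkew || skew < -maxSkew {
		return errors.New("timestamp outside replay window")
	}
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return errors.New("malformed signature")
	}
	if !hmac.Equal(got, computeMAC(secret, ts, body)) { // constant-time compare
		return errors.New("signature mismatch")
	}
	return nil
}

// WebhookHandler verifies the raw body bytes (never a re-serialised form, which
// would change them) and only then hands the event to onEvent.
func WebhookHandler(secret []byte, onEvent func(body []byte)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
		if err != nil || len(body) > maxBody {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		ts, sig := r.Header.Get(tsHeader), r.Header.Get(sigHeader)
		if err := VerifySignature(secret, ts, sig, body, time.Now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		onEvent(body)
		w.WriteHeader(http.StatusNoContent)
	})
}

func main() {
	secret := []byte("replace-with-the-shared-webhook-secret") // assumed demo secret
	http.Handle("/webhooks/middlebrick", WebhookHandler(secret, func(body []byte) {
		// Enqueue the scan diff here and return quickly: slow handlers count as
		// delivery failures and five in a row switch the webhook off.
	}))
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```

Verifying over the raw bytes matters because JSON re-serialisation (key order, whitespace, number formatting) changes the input to the MAC and produces spurious mismatches, which then show up on the sender's side as consecutive failures and trip the automatic disable.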