APIsec for Django
What middleBrick covers
- Black-box scanning with no agents or code access
- Under-one-minute scan time with prioritized findings
- Authentication support for Bearer, API key, Basic, and Cookie
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Mapping findings to PCI-DSS, SOC 2, and OWASP API Top 10
- CI/CD integration via GitHub Action with build gating
Assessing Django API Security with Black-Box Scanning
Django projects often rely on built-in protections such as the admin interface, CSRF middleware, and permission classes to secure HTTP endpoints. APIsec operates as a black-box scanner against these public surfaces, requiring no agents, SDKs, or access to source code. The tool sends only read-only methods (GET and HEAD), plus text-only POST requests for LLM probes, so no destructive payloads are delivered during a scan.
Because Django applications can expose REST patterns via custom views or third-party packages, the scanner validates runtime behavior rather than assumptions drawn from configuration. You submit a URL, and in under one minute you receive a risk score from A to F along with prioritized findings mapped to the OWASP API Top 10 (2023).
Django-Specific Coverage and Limitations
APIsec parses OpenAPI 3.0, 3.1, and Swagger 2.0 when provided, resolving recursive $ref entries and cross-referencing spec definitions against runtime responses. For Django APIs documented with an OpenAPI spec, the scanner checks for undefined security schemes, sensitive fields in responses, deprecated operations, and missing pagination that can lead to excessive data exposure.
Important limitations apply: the scanner does not inspect Django middleware stacks, settings, or model logic. It does not execute SQL, trigger business logic mutations, or test authentication backends beyond what is observable over HTTP. Findings such as insecure deserialization or complex workflow bypasses that require domain knowledge are outside the scope of automated detection.
Key Detection Areas Relevant to Django
When testing Django-hosted APIs, APIsec focuses on observable behaviors and configurations that commonly lead to vulnerabilities. The tool tracks authentication bypass attempts, including malformed or missing tokens, and examines JWT configurations such as alg=none, weak or inappropriate algorithms (for example HS256 where an asymmetric algorithm is expected), expired tokens, and missing standard claims.
It probes for Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR) by testing sequential ID enumeration and adjacent ID access where URL patterns allow. Security headers, WWW-Authenticate compliance, CORS wildcard usage with and without credentials, and exposure of PII such as email or context-aware SSN patterns are also evaluated.
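The JWT configuration checks listed above, written out as an added example for a defender who wants to reproduce them against their own Django API's tokens; this is not middleBrick's code. It assumes a required-claim set of iss, sub, iat and exp, and inspects the token without verifying its signature, which is exactly what a black-box check can observe.

```python
import base64
import json
import time

# Assumed "standard claims" set for this example; adjust to your token policy.
REQUIRED_CLAIMS = ("iss", "sub", "iat", "exp")
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str, expect_asymmetric: bool = False, now=None) -> list:
    """Return configuration findings for a JWT without verifying the signature.

    Checks mirror the page: alg=none, a symmetric algorithm where an asymmetric
    one is expected, an expired exp claim, and missing standard claims.
    """
    findings = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["malformed: header or payload is not base64url-encoded JSON"]
    alg = str(header.get("alg", "")).upper()
    if alg in ("", "NONE"):
        findings.append("alg=none: token carries no signature")
    elif expect_asymmetric and alg in SYMMETRIC_ALGS:
        findings.append(f"weak algorithm: {alg} used where an asymmetric algorithm was expected")
    for claim in REQUIRED_CLAIMS:
        if claim not in claims:
            findings.append(f"missing standard claim: {claim}")
    now = time.time() if now is None else now
    if isinstance(claims.get("exp"), (int, float)) and claims["exp"] < now:
        findings.append("expired: exp is in the past")
    return findings


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a constructed sample token (empty signature segment) for offline demos."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}."
```

Run it against a token captured from your own staging environment to confirm the findings list is empty before enabling an authenticated scan.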
Authenticated Scanning and Domain Verification
With Starter tier access and above, you can enable authenticated scanning for Django APIs that require credentials. Supported methods include Bearer tokens, API keys, Basic auth, and Cookie-based sessions. Before scanning with credentials, the platform enforces a domain verification gate, requiring either a DNS TXT record or an HTTP well-known file to confirm domain ownership.
When authenticated scans are active, only a strict header allowlist is forwarded: Authorization, X-API-Key, Cookie, and X-Custom-*. This control limits side effects and ensures that only intended requests reach the Django application during testing.
Compliance Mapping and Reporting
APIsec findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regulatory contexts, the tool aligns with the security controls described in the relevant standards and supports audit evidence collection through detailed scan outputs.
Reports include risk scores, prioritized findings, and remediation guidance. You can download branded compliance PDFs from the web dashboard, track score trends over time, and integrate scans into CI/CD pipelines using the GitHub Action, which can fail the build when the score drops below a defined threshold.