APIsec for Solo founders
What middleBrick covers
- Black-box scanning with under-one-minute completion time
- Risk score A–F with prioritized findings
- 12 detection categories aligned to OWASP API Top 10 (2023)
- LLM adversarial probe testing across three scan tiers
- OpenAPI 3.0/3.1 and Swagger 2.0 parsing with $ref resolution
- Continuous monitoring with diff detection and score drift alerts
What this scanner is and how it works
This is a black-box API security scanner. You submit a URL and receive a risk score from A to F with prioritized findings. It uses read-only methods (GET and HEAD) and text-only POST for LLM probes, completing a scan in under a minute. No agents, no SDKs, and no code access are required, and it supports any language, framework, or cloud.
Detection coverage aligned to recognized standards
The scanner detects issues across 12 categories aligned to OWASP API Top 10 (2023). It identifies authentication bypasses and JWT misconfigurations, BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation attempts, and over-exposed properties or mass-assignment surfaces. It flags dangerous CORS wildcards, debug endpoints, and risky HTTP methods; detects rate-limit headers, oversized responses, and unpaginated arrays; finds PII patterns such as email addresses, Luhn-validated card numbers, context-aware SSNs, and API key formats for AWS, Stripe, GitHub, and Slack; observes HTTPS redirects, HSTS, and cookie flags; and maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023).
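The following added example, which is not middleBrick's code, shows how Luhn validation separates likely card numbers from other long digit runs in a response body. The candidate pattern, the repeated-digit filter, the masking format and the sample body are assumptions constructed here.

```javascript
// Added example: Luhn-validated card-number detection in a response body.
// Pattern, filters, masking and sample data are assumptions, not the product's.

// Luhn checksum: from the right, double every second digit
// (subtracting 9 when the result exceeds 9) and require sum % 10 === 0.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Candidates: 13-19 digits, optional single space or hyphen between digits,
// not embedded in a longer digit run.
const CANDIDATE = /(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/g;

function findCardNumbers(body) {
  const findings = [];
  for (const m of body.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    // Runs of one repeated digit (e.g. all zeros) can pass Luhn; skip them.
    if (/^(\d)\1+$/.test(digits)) continue;
    if (!luhnValid(digits)) continue;
    // Report only the last four digits so the finding does not re-leak the number.
    findings.push({
      offset: m.index,
      masked: "*".repeat(digits.length - 4) + digits.slice(-4),
    });
  }
  return findings;
}

// Constructed sample response body.
const SAMPLE_BODY = JSON.stringify({
  orderId: "1234567890123456",   // 16 digits, fails Luhn
  card: "4111 1111 1111 1111",   // widely published test number, passes Luhn
  timestampMs: "1700000000000",  // 13 digits, fails Luhn
  padding: "0000000000000000",   // passes Luhn but is a repeated-digit run
});

console.log(findCardNumbers(SAMPLE_BODY));
```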
For LLM security, it runs 18 adversarial probes across three scan tiers named Quick, Standard, and Deep, testing for system prompt extraction, instruction override, DAN and roleplay jailbreaks, data exfiltration, cost exploitation, encoding bypasses, translation-embedded injection, few-shot poisoning, markdown injection, multi-turn manipulation, indirect prompt injection, token smuggling, tool abuse, nested instruction injection, and PII extraction. OpenAPI files in versions 3.0, 3.1, and Swagger 2.0 are parsed with recursive $ref resolution, and spec definitions are cross-referenced against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
Authenticated scanning and domain verification
Authenticated scanning is available from Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Before credentials are accepted, a domain verification gate checks a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a restricted set of headers, limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers.
Product features, integrations, and monitoring
The Web Dashboard centralizes scans, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, available as an npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action provides CI/CD gating that fails the build when the score drops below a chosen threshold, and an MCP Server enables scanning from AI coding assistants such as Claude and Cursor.
Pro tier enables continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. It provides diff detection across scans to surface new findings, resolved findings, and score drift. Email alerts are rate-limited to 1 per hour per API. Webhooks are HMAC-SHA256 signed and are auto-disabled after 5 consecutive failures.
What the scanner does not do and safety posture
This scanner does not fix, patch, block, or remediate issues; it detects and reports with remediation guidance. It does not execute active SQL injection or command injection tests, which require intrusive payloads outside its scope. It does not identify business logic vulnerabilities or blind SSRF that relies on out-of-band infrastructure, and it does not replace a human pentester for high-stakes audits.
Safety measures include using read-only methods only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at multiple layers. Customer scan data is deletable on demand and purged within 30 days of cancellation; data is never sold and never used for model training.