APIsec for SPA backends

What middleBrick covers

  • Black-box API scanning with no agents or SDKs required
  • Detects OWASP API Top 10 (2023) issues and maps findings
  • OpenAPI 3.0/3.1 and Swagger 2.0 spec-aware analysis
  • Authenticated scanning with strict header allowlist
  • Continuous monitoring with diff detection and alerts
  • CI/CD integration via GitHub Action and MCP Server

How APIsec handles SPA backends

SPA backends often expose a broad attack surface through dynamic endpoints and permissive CORS. This scanner evaluates the backend independently of the frontend, focusing on HTTP interfaces rather than client code.

It checks authentication mechanisms, CORS wildcard usage, and HTTP method exposure. Sensitive data patterns, API key formats, and error handling are analyzed to identify inadvertent information leakage that can assist an attacker targeting a SPA.

The scanner validates whether backend routes align with expected resource boundaries, looking for ID enumeration and over-permissive origins that undermine isolation between client sessions.
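
The kind of passive checks the three paragraphs above describe, written out as an added example (this is not middleBrick's code, and the finding ids, severities, regular expressions and the captured response are all this example's own constructions). It takes one recorded backend response plus the Origin the probe sent, and reports wildcard or reflected CORS with credentials, dangerous advertised methods, and stack-trace, key-format or PII leakage in the body. Node.js is assumed.

```javascript
// Added example, not middleBrick's code: passive checks over one captured HTTP
// response from a SPA backend. Finding ids/severities and the sample are constructed.

const DANGEROUS_METHODS = new Set(['TRACE', 'TRACK', 'CONNECT']);

const LEAK_PATTERNS = [
  // V8-style stack frame, e.g. "    at getUser (/srv/app/routes/user.js:42:13)"
  { id: 'stack-trace', re: /\bat\s+\S+\s+\([^)]+:\d+:\d+\)/ },
  // AWS access key id format
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  // Email address, treated as PII
  { id: 'email-address', re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/ },
];

// Header names are case-insensitive; normalise before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

function splitList(value) {
  return value ? value.split(',').map((s) => s.trim().toUpperCase()).filter(Boolean) : [];
}

// resp = { requestOrigin?, headers, body }. requestOrigin is the Origin the probe
// sent, so reflection of an origin the backend has no reason to trust is recognised.
function analyzeResponse(resp) {
  const h = normalizeHeaders(resp.headers || {});
  const findings = [];
  const allowOrigin = h['access-control-allow-origin'];
  const withCredentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';

  if (allowOrigin === '*' && withCredentials) {
    findings.push({ id: 'cors-wildcard-with-credentials', severity: 'high' });
  } else if (allowOrigin === '*') {
    findings.push({ id: 'cors-wildcard', severity: 'low' });
  } else if (allowOrigin === 'null' && withCredentials) {
    findings.push({ id: 'cors-null-origin-with-credentials', severity: 'high' });
  } else if (resp.requestOrigin && allowOrigin === resp.requestOrigin && withCredentials) {
    // Echoing an arbitrary origin with credentials lets any site read responses as the user.
    findings.push({ id: 'cors-origin-reflection-with-credentials', severity: 'high' });
  }

  const advertised = new Set([...splitList(h['allow']), ...splitList(h['access-control-allow-methods'])]);
  for (const method of advertised) {
    if (DANGEROUS_METHODS.has(method)) {
      findings.push({ id: `dangerous-method-${method.toLowerCase()}`, severity: 'medium' });
    }
  }
  if (advertised.has('*')) findings.push({ id: 'cors-all-methods', severity: 'medium' });

  const body = typeof resp.body === 'string' ? resp.body : JSON.stringify(resp.body ?? '');
  for (const { id, re } of LEAK_PATTERNS) {
    if (re.test(body)) findings.push({ id: `leak-${id}`, severity: 'medium' });
  }
  return findings;
}

// Constructed sample: a 500 from an Express-style backend with permissive CORS.
const SAMPLE_RESPONSE = {
  requestOrigin: 'https://not-our-app.example',
  status: 500,
  headers: {
    'Content-Type': 'application/json',
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, TRACE',
  },
  body: 'TypeError: Cannot read properties of undefined\n' +
    '    at getUser (/srv/app/routes/user.js:42:13)\n' +
    '    at Layer.handle (/srv/app/node_modules/express/lib/router/layer.js:95:5)',
};

console.log(JSON.stringify(analyzeResponse(SAMPLE_RESPONSE), null, 2));
```

Browsers themselves refuse the `*` plus credentials combination, so that finding mostly signals a permissive configuration; the reflected-origin and `null`-origin variants are the ones that actually let another site read authenticated responses, which is why they carry the same severity here. Everything is evaluated on recorded responses, so nothing in the example sends a request.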

Coverage aligned to OWASP API Top 10

Findings map directly to OWASP API Top 10 (2023), covering the most common API risks observed in production.

  • Authentication weaknesses such as JWT alg=none, weak key configurations, and missing claims are detected.
  • BOLA and IDOR are identified through sequential ID patterns and active adjacent-ID probing.
  • BFLA and privilege escalation are surfaced via admin endpoint discovery and role/permission leakage.
  • Property over-exposure and mass-assignment risks are highlighted when internal fields are returned unintentionally.
  • Input validation issues include CORS wildcard with credentials and dangerous HTTP methods.
  • Rate limiting misconfigurations are flagged through missing rate-limit headers and oversized responses.
  • Data exposure checks for PII patterns, API key formats, and error/stack-trace disclosure.
  • SSRF indicators are evaluated via URL-accepting parameters and active IP-bypass attempts.
  • LLM security probes target system prompt extraction, instruction override, and data exfiltration paths.
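
Two of the list items above, the authentication check and the sequential-ID pattern behind BOLA/IDOR, as an added example that is not middleBrick's code. `inspectJwt()` decodes a bearer token without verifying it and reports `alg=none` and missing registered claims; `idsLookEnumerable()` is a heuristic over identifiers harvested from responses that decides whether they are dense integers (the condition under which adjacent-ID probing would be worth a finding). The tokens, ids, claim list and the `MAX_AVG_GAP` threshold are this example's constructions. Node.js is assumed.

```javascript
// Added example, not middleBrick's code: passive JWT inspection and an
// enumerable-identifier heuristic. All sample data below is constructed.

function base64UrlEncode(value) {
  return Buffer.from(JSON.stringify(value)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Claims whose absence is reported. A missing exp means the token never expires;
// iss/aud bind it to an issuer and audience; sub identifies the principal.
const EXPECTED_CLAIMS = { exp: 'high', iat: 'medium', iss: 'medium', aud: 'medium', sub: 'low' };

function inspectJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return [{ id: 'jwt-malformed', severity: 'info' }];
  let header;
  let payload;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
    payload = JSON.parse(base64UrlDecode(parts[1]));
  } catch {
    return [{ id: 'jwt-undecodable', severity: 'info' }];
  }
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
    return [{ id: 'jwt-undecodable', severity: 'info' }];
  }
  const findings = [];
  const alg = String(header.alg ?? '').toLowerCase();
  if (alg === 'none') {
    // Unsigned token: a verifier that honours the header accepts any payload.
    findings.push({ id: 'jwt-alg-none', severity: 'critical' });
  } else if (alg === '') {
    findings.push({ id: 'jwt-missing-alg', severity: 'high' });
  }
  for (const [claim, severity] of Object.entries(EXPECTED_CLAIMS)) {
    if (!(claim in payload)) findings.push({ id: `jwt-missing-${claim}`, severity });
  }
  return findings;
}

// Identifiers that are all integers and lie close together are trivially
// enumerable; opaque or high-entropy ids are not. The threshold is this
// example's own choice, not a value from the page.
const MAX_AVG_GAP = 50;

function idsLookEnumerable(ids) {
  const nums = ids.map((v) => (/^\d+$/.test(String(v)) ? Number(v) : NaN));
  if (nums.length < 3 || nums.some((n) => Number.isNaN(n))) return false;
  const sorted = [...new Set(nums)].sort((a, b) => a - b);
  if (sorted.length < 3) return false;
  const avgGap = (sorted[sorted.length - 1] - sorted[0]) / (sorted.length - 1);
  return avgGap <= MAX_AVG_GAP;
}

// Constructed tokens: an unsigned one with a bare payload, and a well-formed one
// whose third segment is a dummy signature (this example never verifies it).
const UNSIGNED_TOKEN = `${base64UrlEncode({ alg: 'none', typ: 'JWT' })}.` +
  `${base64UrlEncode({ sub: 'user-17', role: 'admin' })}.`;
const WELL_FORMED_TOKEN = `${base64UrlEncode({ alg: 'RS256', typ: 'JWT', kid: 'k1' })}.` +
  `${base64UrlEncode({ sub: 'user-17', iss: 'https://auth.example', aud: 'api', iat: 1700000000, exp: 1700003600 })}.` +
  'c2lnbmF0dXJlLWJ5dGVz';

console.log(inspectJwt(UNSIGNED_TOKEN));
console.log(idsLookEnumerable([1041, 1042, 1043, 1047]));
```

Both helpers only look at what the backend already handed out, so they belong in the non-intrusive part of a scan; the enumerability heuristic is what decides whether an adjacent-ID check is even worth scheduling, and a cryptographically random identifier scheme makes it return false.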

OpenAPI and spec-aware analysis

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents, resolving recursive $ref references to build an accurate interface model.

It cross-references the spec with runtime behavior to surface undefined security schemes, deprecated operations, and missing pagination controls. Sensitive fields defined in the spec are compared against actual responses to detect over-exposure.

This approach helps identify mismatches between documented and implemented behavior, which commonly leads to insecure default configurations in rapidly evolving APIs.
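
A small spec-aware lint of the kind the three paragraphs above describe, as an added example (it is not middleBrick's code and makes no claim about how the product implements this). `resolve()` inlines local `$ref` pointers with cycle detection, `lintSpec()` reports undefined security schemes, deprecated operations, collection GETs without pagination parameters and sensitive fields declared in response schemas, and `exposedFields()` checks which of those fields a captured response actually returned. The spec, the sensitive-name pattern, the pagination parameter names and the captured response are this example's constructions; only local references (`#/...`) are resolved. Node.js is assumed.

```javascript
// Added example, not middleBrick's code: $ref resolution with cycle detection plus
// a handful of spec-vs-runtime checks. Spec, names and sample data are constructed.

const METHODS = ['get', 'post', 'put', 'patch', 'delete'];
const PAGINATION_PARAMS = new Set(['limit', 'offset', 'page', 'per_page', 'page_size', 'cursor']);
const SENSITIVE_NAME = /password|passwd|secret|ssn|token|api_?key|private_?key/i;

// Follow a local JSON pointer such as "#/components/schemas/User".
function deref(doc, ref) {
  return ref.replace(/^#\//, '').split('/').reduce((node, key) => (node == null ? undefined : node[key]), doc);
}

// Inline $ref nodes recursively; a ref already on the current resolution path is a
// cycle and becomes a marker instead of expanding forever.
function resolve(doc, node, stack = []) {
  if (Array.isArray(node)) return node.map((n) => resolve(doc, n, stack));
  if (node === null || typeof node !== 'object') return node;
  if (typeof node.$ref === 'string') {
    if (stack.includes(node.$ref)) return { $ref: node.$ref, $cycle: true };
    return resolve(doc, deref(doc, node.$ref), [...stack, node.$ref]);
  }
  const out = {};
  for (const [key, value] of Object.entries(node)) out[key] = resolve(doc, value, stack);
  return out;
}

// Dotted paths of sensitive properties in a resolved schema; "[]" marks an array level.
function sensitiveProps(schema, prefix = '') {
  if (!schema || schema.$cycle) return [];
  if (schema.type === 'array') return sensitiveProps(schema.items, prefix + '[]');
  const out = [];
  for (const [name, prop] of Object.entries(schema.properties || {})) {
    const full = prefix ? `${prefix}.${name}` : name;
    if (SENSITIVE_NAME.test(name)) out.push(full);
    out.push(...sensitiveProps(prop, full));
  }
  return out;
}

function lintSpec(rawDoc) {
  const doc = resolve(rawDoc, rawDoc);
  const schemes = new Set(Object.keys(rawDoc.components?.securitySchemes || {}));
  const findings = [];
  for (const [route, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      const where = `${method.toUpperCase()} ${route}`;
      if (op.deprecated) findings.push({ id: 'deprecated-operation', where });
      for (const req of op.security ?? doc.security ?? []) {
        for (const name of Object.keys(req)) {
          if (!schemes.has(name)) findings.push({ id: 'undefined-security-scheme', where, detail: name });
        }
      }
      const query = [...(item.parameters || []), ...(op.parameters || [])]
        .filter((p) => p.in === 'query').map((p) => String(p.name).toLowerCase());
      const schema = op.responses?.['200']?.content?.['application/json']?.schema;
      if (method === 'get' && schema?.type === 'array' && !query.some((n) => PAGINATION_PARAMS.has(n))) {
        findings.push({ id: 'missing-pagination', where });
      }
      for (const field of sensitiveProps(schema)) {
        findings.push({ id: 'sensitive-field-in-response-schema', where, detail: field });
      }
    }
  }
  return findings;
}

// Which spec-declared sensitive fields does a captured response body actually carry?
function lookup(body, path) {
  return path.split('.').reduce((cur, seg) => {
    if (cur == null) return undefined;
    const key = seg.endsWith('[]') ? seg.slice(0, -2) : seg;
    const next = key === '' ? cur : cur[key];
    return seg.endsWith('[]') ? (Array.isArray(next) ? next[0] : undefined) : next;
  }, body);
}
function exposedFields(fields, body) {
  return fields.filter((f) => lookup(body, f) !== undefined);
}

// Constructed spec: a recursive User schema, a collection GET with no pagination, and a
// deprecated legacy operation that references a security scheme never defined.
const SAMPLE_SPEC = {
  openapi: '3.1.0',
  components: {
    securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer' } },
    schemas: { User: { type: 'object', properties: {
      id: { type: 'integer' }, email: { type: 'string' },
      password_hash: { type: 'string' }, manager: { $ref: '#/components/schemas/User' } } } },
  },
  paths: {
    '/users': { get: { security: [{ bearerAuth: [] }], responses: { 200: { content: { 'application/json': {
      schema: { type: 'array', items: { $ref: '#/components/schemas/User' } } } } } } } },
    '/legacy/export': { get: { deprecated: true, security: [{ legacyKey: [] }],
      parameters: [{ name: 'limit', in: 'query' }], responses: { 200: { content: { 'application/json': {
      schema: { type: 'array', items: { type: 'string' } } } } } } } },
  },
};
// Constructed capture of GET /users from the running backend.
const CAPTURED_USERS_RESPONSE = [{ id: 1, email: 'a@example.com', password_hash: 'constructed-hash' }];
```

The cycle check is per resolution path rather than a global visited set, so two sibling properties that reference the same schema are both expanded while a schema that references itself stops at the marker. The lint reports `password_hash` because the spec declares it on the User schema; whether that is an over-exposure finding is settled by `exposedFields()` against the captured response, which is the spec-versus-runtime comparison the text describes.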

Authenticated scanning and domain verification

Authenticated scans are available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies.

Before credentials are accepted, a domain verification gate must pass using a DNS TXT record or an HTTP well-known file. This ensures only the domain owner can scan with privileged access.

To limit exposure, the scanner forwards only a strict allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-*.

Continuous monitoring and integrations

Pro tier enables scheduled rescans every six hours, daily, weekly, or monthly, with diff detection across runs.

  • New findings and resolved findings are tracked, along with score drift over time.
  • Email alerts are rate-limited to one per hour per API to avoid noise.
  • HMAC-SHA256 signed webhooks are delivered, with auto-disable after five consecutive failures.

Integrations include a web dashboard for reporting, a CLI via the middlebrick npm package, a GitHub Action for CI/CD gating, and an MCP Server for AI coding assistants.

Frequently Asked Questions

Can this scanner replace a human pentester for a SPA backend?
No. The tool detects common technical issues and provides remediation guidance, but it cannot assess business logic or contextual risks that require human judgment.

Does the scanner test for SQL injection or command injection?
No. It does not perform intrusive payload testing such as SQL injection or command injection, as those tests fall outside its non-intrusive scope.

How are scan results mapped to compliance frameworks?
Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, results can help you prepare for audits and surface findings relevant to security controls.

What happens to scan data after cancellation?
Customer scan data is deletable on demand and purged within 30 days of cancellation. Data is never sold and is not used for model training.