APIsec for SREs
What middleBrick covers
- Risk scoring A–F with prioritized findings in under a minute
- 12 OWASP API Top 10 categories plus LLM adversarial probes
- OpenAPI 3.x and Swagger 2.0 parsing with $ref resolution
- Authenticated scanning with header allowlist and domain gate
- CI/CD integration via GitHub Action and CLI
- Continuous monitoring with diff detection and HMAC-SHA256 webhooks
Purpose and workflow for SRE teams
This scanner is a self-service API security tool designed for environments where deployment pipelines and runtime observability must remain distinct from deep security testing. You submit a target URL and receive a risk score from A to F along with prioritized findings within a minute. The scan is read-only, using GET and HEAD methods by default, with text-only POST allowed for LLM probes. It maps findings to three frameworks, including OWASP API Top 10 (2023), and helps you prepare for security reviews aligned with SOC 2 Type II and PCI-DSS 4.0.
Detection scope and limitations
The scanner covers 12 categories aligned to OWASP API Top 10 (2023), including authentication bypass, JWT misconfigurations such as alg=none and expired tokens, BOLA and IDOR via sequential ID probing, BFLA and privilege escalation indicators, property over-exposure, input validation issues like CORS wildcard and dangerous methods, rate limiting and resource consumption signals, data exposure patterns including PII and API key formats, encryption and cookie hygiene, SSRF indicators in URL-accepting parameters, inventory issues such as missing versioning, and LLM/AI security probes across Quick, Standard, and Deep tiers. It does not perform active SQL injection or command injection testing, does not detect business logic vulnerabilities, does not confirm blind SSRF, and does not replace a human pentester for high-stakes audits.
OpenAPI analysis and authenticated scanning
The tool parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution, cross-referencing spec definitions against runtime findings such as undefined security schemes, sensitive field exposure, deprecated operations, and missing pagination. Authenticated scanning supports Bearer, API key, Basic auth, and Cookie methods. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only domain owners can scan with credentials. A strict header allowlist permits only Authorization, X-API-Key, Cookie, and X-Custom-* headers to reach your API.
Product integrations and continuous monitoring
The Web Dashboard centralizes scans, report viewing, score trend tracking, and branded compliance PDF downloads. The CLI, distributed as the middlebrick npm package, supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a defined threshold. The MCP Server enables scanning from AI coding assistants like Claude and Cursor. The Pro tier adds scheduled rescans (every 6 hours, daily, weekly, or monthly), diff detection across scans, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures.
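A receiver for the HMAC-SHA256 signed webhooks mentioned above has to check the signature before trusting the payload. The following is an added example, not middleBrick's own code: it assumes the signature is the hex-encoded HMAC-SHA256 of the raw request body under a shared secret, and the function names, secret, and payload fields are hypothetical.

```javascript
// Added example: receiver-side verification of an HMAC-SHA256 signed webhook.
// Assumptions (not from the product's documentation): the signature is the
// hex-encoded HMAC-SHA256 of the raw request body, keyed with a shared secret.
const crypto = require("crypto");

// Compute the hex HMAC-SHA256 tag over the exact bytes received.
function signBody(secret, rawBody) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Return true only if `signatureHex` is a valid tag for `rawBody`.
function verifyWebhook(secret, rawBody, signatureHex) {
  // A SHA-256 tag is 32 bytes, i.e. exactly 64 hex characters.
  if (typeof signatureHex !== "string" || !/^[0-9a-fA-F]{64}$/.test(signatureHex)) {
    return false;
  }
  const expected = crypto.createHmac("sha256", secret).update(rawBody).digest();
  const received = Buffer.from(signatureHex, "hex");
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (secret, payload, and field names are made up).
const SECRET = "example-shared-secret";
const RAW_BODY = Buffer.from('{"api":"orders",  "score":"C"}', "utf8");
const GOOD_SIG = signBody(SECRET, RAW_BODY);

// Parsing and re-serializing changes whitespace, so the tag no longer matches.
// Verify against the raw bytes, before any JSON body parser touches them.
const RESERIALIZED = Buffer.from(
  JSON.stringify(JSON.parse(RAW_BODY.toString("utf8"))), "utf8");

function demo() {
  return {
    valid: verifyWebhook(SECRET, RAW_BODY, GOOD_SIG),
    tamperedBody: verifyWebhook(
      SECRET, Buffer.from('{"api":"orders",  "score":"A"}', "utf8"), GOOD_SIG),
    wrongSecret: verifyWebhook("other-secret", RAW_BODY, GOOD_SIG),
    reserialized: verifyWebhook(SECRET, RESERIALIZED, GOOD_SIG),
    malformed: verifyWebhook(SECRET, RAW_BODY, "not-hex"),
  };
}

console.log(demo());
```

Returning a non-2xx status on a failed check counts as a delivery failure, so alert on rejected signatures rather than letting the webhook reach its five-failure auto-disable unnoticed.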
Safety posture and data handling
Scan behavior is strictly read-only; destructive payloads are never sent. Private IPs, localhost, and cloud metadata endpoints are blocked at three layers. Customer data is deletable on demand and purged within 30 days of cancellation. It is not used for model training and is never sold. The tool surfaces findings relevant to compliance evidence and supports audit preparation without claiming certification or guarantees for any regulation.