Prompt Security review
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk grading A to F with prioritized findings
- OpenAPI parsing with recursive $ref resolution
- Authenticated scanning with strict header controls
- CI/CD integration via GitHub Action
- Continuous monitoring with diff detection and alerts
Overview and scope
This tool is a self-service API security scanner that accepts a URL and returns a risk grade from A to F along with prioritized findings. It operates as a black-box scanner, requiring no agents, SDKs, or code access and supporting any language, framework, or cloud. Scan duration is under one minute, using read-only methods such as GET and HEAD, with text-only POST for LLM probes. The engine parses OpenAPI 3.0, 3.1, and Swagger 2.0 specs with recursive $ref resolution and cross-references definitions against runtime behavior to surface undefined security schemes and deprecated operations.
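The $ref resolution and the cross-check of declared security schemes against the operations that reference them, as an added illustration (this is not middleBrick's parser; the OpenAPI document below is constructed, and only local `#/...` pointers are handled):

```python
"""Added illustration of OpenAPI $ref resolution and definition cross-checks.
This is not middleBrick's parser; the spec below is constructed for the example."""
from copy import deepcopy

# Constructed OpenAPI 3.0 document: a nested $ref chain (User -> Address), one
# deprecated operation, and one operation naming a scheme that is never defined.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object",
                     "properties": {"address": {"$ref": "#/components/schemas/Address"}}},
            "Address": {"type": "object", "properties": {"city": {"type": "string"}}},
        },
    },
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser",
                    "responses": {"200": {"content": {"application/json": {
                        "schema": {"$ref": "#/components/schemas/User"}}}}}},
            "delete": {"operationId": "deleteUser", "deprecated": True,
                       "security": [{"adminKey": []}]},
        },
        "/health": {"get": {"operationId": "health", "security": []}},
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
_MISSING = object()  # sentinel so a JSON null inside the spec is not mistaken for "no node"


def _lookup(spec, ref):
    """Follow a local JSON Pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are handled here: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        node = node[part]
    return node


def resolve_refs(spec, node=_MISSING, seen=()):
    """Return a copy of `node` (default: the whole spec) with $ref objects inlined
    recursively. `seen` holds the pointer chain, so a self-referential schema is
    left as a $ref instead of recursing forever."""
    if node is _MISSING:
        node = spec
    if isinstance(node, dict):
        if "$ref" in node:
            ref = node["$ref"]
            if ref in seen:
                return {"$ref": ref}
            return resolve_refs(spec, _lookup(spec, ref), seen + (ref,))
        return {k: resolve_refs(spec, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(spec, v, seen) for v in node]
    return deepcopy(node)


def iter_operations(spec):
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield path, method, item[method]


def undefined_security_schemes(spec):
    """(METHOD, path, scheme) for every requirement naming a scheme that is not
    declared under components.securitySchemes. An operation-level `security`
    list overrides the document-level default, as OpenAPI prescribes."""
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, method, op in iter_operations(spec):
        for requirement in op.get("security", spec.get("security", [])):
            for name in requirement:
                if name not in defined:
                    findings.append((method.upper(), path, name))
    return findings


def deprecated_operations(spec):
    """(METHOD, path) for operations flagged deprecated: true."""
    return [(m.upper(), p) for p, m, op in iter_operations(spec) if op.get("deprecated")]


if __name__ == "__main__":
    print(resolve_refs(SAMPLE_SPEC)["paths"]["/users/{id}"]["get"]["responses"]["200"])
    print("undefined schemes:", undefined_security_schemes(SAMPLE_SPEC))
    print("deprecated:", deprecated_operations(SAMPLE_SPEC))
```

The cycle guard matters in practice: recursive schemas (a tree node whose children are the same schema) are common in real specs, and a naive resolver either loops or blows the stack on them.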
Detection coverage and compliance mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023). Findings map directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 controls, providing audit evidence for common requirements in those frameworks. Detection coverage includes authentication bypass and JWT misconfigurations, broken object level authorization and IDOR, broken function level authorization and privilege escalation, property authorization and over-exposed fields, input validation issues such as CORS misconfigurations and dangerous methods, rate limiting and resource consumption indicators, data exposure including PII patterns and API key formats, encryption and transport weaknesses, SSRF indicators, inventory management issues, unsafe consumption surfaces, and LLM/AI security probes across tiered scan depths.
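A few of the passive checks listed above (CORS misconfiguration, a dangerous method advertised in `Allow`, PII and API-key patterns in a body) run over constructed responses, as an added example. This is not middleBrick's detection logic, the severity labels and the letter scale are illustrative choices of this example, and the responses, origin and key value are all constructed:

```python
"""Added example of passive response checks: CORS, dangerous methods, data exposure.
Not middleBrick's detection logic; every response below is constructed."""
import re

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Body patterns. The AWS access key ID shape (AKIA + 16 uppercase/digits) is public
# knowledge; the e-mail and SSN patterns are deliberately simple.
BODY_PATTERNS = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed probe results. The scanner sends its own Origin value and then looks
# at whether the server reflects it back.
SAMPLE_RESPONSES = [
    {"url": "https://api.example.test/users/1",
     "request_origin": "https://scanner-origin.example.test",
     "headers": {"Access-Control-Allow-Origin": "https://scanner-origin.example.test",
                 "Access-Control-Allow-Credentials": "true"},
     "body": '{"id":1,"email":"jane@example.test","ssn":"123-45-6789"}'},
    {"url": "https://api.example.test/config",
     "request_origin": "https://scanner-origin.example.test",
     "headers": {"Access-Control-Allow-Origin": "*",
                 "Allow": "GET, POST, PUT, DELETE, TRACE"},
     "body": '{"storage_key":"AKIATESTTESTTESTTEST"}'},   # constructed, not a real key
    {"url": "https://api.example.test/health",
     "request_origin": "https://scanner-origin.example.test",
     "headers": {"Content-Type": "application/json"},
     "body": '{"status":"ok"}'},
]


def _header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_cors(resp):
    acao = _header(resp["headers"], "Access-Control-Allow-Origin")
    creds = (_header(resp["headers"], "Access-Control-Allow-Credentials") or "").lower() == "true"
    if acao is None:
        return []
    if acao == resp["request_origin"] and creds:
        return [("high", "CORS", "arbitrary origin reflected with credentials allowed")]
    if acao == resp["request_origin"]:
        return [("medium", "CORS", "arbitrary origin reflected")]
    if acao == "*":
        return [("medium", "CORS", "wildcard origin")]
    return []


def check_methods(resp):
    allow = _header(resp["headers"], "Allow") or ""
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return [("medium", "dangerous method", "TRACE enabled")] if "TRACE" in methods else []


def check_body(resp):
    findings = []
    for label, pattern in BODY_PATTERNS.items():
        hits = pattern.findall(resp["body"])
        if hits:
            severity = "high" if label == "AWS access key ID" else "medium"
            findings.append((severity, "data exposure", f"{label} x{len(hits)}"))
    return findings


def analyze(resp):
    """All findings for one response as (severity, category, detail) tuples."""
    findings = check_cors(resp) + check_methods(resp) + check_body(resp)
    return [(s, c, f"{resp['url']}: {d}") for s, c, d in findings]


def prioritize(findings):
    """Stable sort: highest severity first, original discovery order within a level."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def grade(findings):
    """Illustrative scale only (not middleBrick's): driven by the worst findings."""
    highs = sum(1 for f in findings if f[0] == "high")
    mediums = sum(1 for f in findings if f[0] == "medium")
    if highs >= 2:
        return "F"
    if highs == 1:
        return "D"
    if mediums:
        return "C"
    return "B" if findings else "A"


if __name__ == "__main__":
    everything = prioritize([f for r in SAMPLE_RESPONSES for f in analyze(r)])
    for finding in everything:
        print(*finding)
    print("grade:", grade(everything))
```

The origin-reflection check is the one to get right: a server that echoes any `Origin` together with `Access-Control-Allow-Credentials: true` lets a browser on another site read authenticated responses, whereas a bare `*` cannot be combined with credentials, which is why the two are ranked differently here.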
Authenticated scanning and safety controls
Authenticated scanning is available from the Starter tier upward, supporting Bearer tokens, API keys, Basic authentication, and cookies. Domain verification is enforced via DNS TXT records or an HTTP well-known file, ensuring only the domain owner can submit credentials. A strict header allowlist limits forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-* values. Safety measures include read-only methods only, blocking of private IPs, localhost, and cloud metadata endpoints across multiple layers, and a clear policy that customer scan data is deletable on demand and never used for model training.
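Two of the scanner-side controls described above, the forwarded-header allowlist and the refusal of private, loopback, link-local and cloud-metadata targets, as an added example. This is illustrative code rather than middleBrick's; the hostname-to-address table is constructed so the example runs offline, and a real scanner would resolve via DNS and repeat the address check on every redirect hop:

```python
"""Added example of scanner-side safety controls: a strict header allowlist and a
target check that refuses non-public addresses. Not middleBrick's code; the DNS
table is constructed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HEADERS = {"authorization", "x-api-key", "cookie"}
ALLOWED_PREFIXES = ("x-custom-",)

# Hostnames refused before any resolution is attempted.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}

# Ranges the ipaddress module does not mark private but a scanner should still
# refuse (carrier-grade NAT space).
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]

# Constructed stand-in for DNS. The public entry uses a globally routable address
# only because the documentation ranges (192.0.2.0/24 etc.) are non-global and
# would themselves be refused; "rebind" models a name with a public and a
# link-local answer, which must fail as a whole.
FAKE_DNS = {
    "api.example.test": ["8.8.8.8"],
    "intranet.example.test": ["10.0.0.5"],
    "rebind.example.test": ["8.8.8.8", "169.254.169.254"],
}


def filter_headers(headers):
    """Split customer-supplied headers into forwardable and dropped ones.
    Header names are case-insensitive, so matching is done on the lowercased name."""
    kept, dropped = {}, []
    for name, value in headers.items():
        lower = name.lower()
        if lower in ALLOWED_HEADERS or lower.startswith(ALLOWED_PREFIXES):
            kept[name] = value
        else:
            dropped.append(name)
    return kept, dropped


def is_blocked_ip(ip_str):
    """True for any address a black-box scanner must never connect to."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 has to be judged as 127.0.0.1
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved
            or ip.is_multicast or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def validate_target(url, resolve=FAKE_DNS.get):
    """Return (ok, reason). `resolve` maps a hostname to its address list."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False, f"blocked hostname {host}"
    try:
        literal_blocked = is_blocked_ip(host)
    except ValueError:
        literal_blocked = None  # not an IP literal, so resolve it
    if literal_blocked is True:
        return False, f"blocked address literal {host}"
    if literal_blocked is False:
        return True, "ok"
    addresses = resolve(host) or []
    if not addresses:
        return False, f"unresolvable host {host}"
    for addr in addresses:
        if is_blocked_ip(addr):  # every answer must be public, not just the first
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for target in ("https://api.example.test/v1", "http://localhost:8080/",
                   "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
                   "https://rebind.example.test/"):
        print(target, validate_target(target))
    print(filter_headers({"Authorization": "Bearer t", "X-Custom-Tenant": "a",
                          "Host": "override", "X-Forwarded-For": "10.0.0.1"}))
```

Checking the whole answer set rather than the first address is what defends against a name that resolves to one public and one internal address; checking at connect time on each redirect is what defends against a public target that 302s to a metadata endpoint.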
Product integrations and monitoring
Results are accessed through a web dashboard that supports scanning, report viewing, score trend tracking, and downloadable branded compliance PDFs. The CLI, published as an npm package, enables commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD pipelines, failing builds when scores drop below a defined threshold. The MCP server allows scanning from AI coding assistants. For ongoing coverage, Pro tier provides scheduled rescans, diff detection between runs, email alerts at a rate-limited cadence, HMAC-SHA256 signed webhooks with auto-disable after repeated failures, and Slack or Teams notifications.
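Receiver-side verification of an HMAC-SHA256 signed webhook, together with the sender-side "disable after repeated failures" bookkeeping, as an added example. This is not middleBrick's code: the header names, the timestamp-prefixed signing string, the skew tolerance and the failure threshold are assumptions made for the example, and the secret and payload are constructed:

```python
"""Added example of HMAC-SHA256 webhook verification and failure-based auto-disable.
Not middleBrick's code; header names, signing format and thresholds are assumed."""
import hashlib
import hmac
import time

SIGNATURE_HEADER = "x-webhook-signature"   # assumed header name
TIMESTAMP_HEADER = "x-webhook-timestamp"   # assumed header name
MAX_SKEW_SECONDS = 300                     # assumed replay window
FAILURE_LIMIT = 5                          # assumed auto-disable threshold


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """The signing string is '<timestamp>.<raw body>', so a captured delivery
    cannot be replayed later under a fresh timestamp."""
    message = f"{timestamp}.".encode() + body
    return "sha256=" + hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify(secret: bytes, headers: dict, body: bytes, now=None):
    """Return (accepted, reason). Verify over the raw body bytes, never over a
    re-serialised JSON object, and compare in constant time."""
    lowered = {k.lower(): v for k, v in headers.items()}
    ts_raw = lowered.get(TIMESTAMP_HEADER, "")
    if not ts_raw.isdigit():
        return False, "missing or malformed timestamp"
    timestamp = int(ts_raw)
    current = time.time() if now is None else now
    if abs(current - timestamp) > MAX_SKEW_SECONDS:
        return False, "timestamp outside tolerance"
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected, lowered.get(SIGNATURE_HEADER, "")):
        return False, "signature mismatch"
    return True, "ok"


class WebhookEndpoint:
    """Sender-side state: consecutive non-2xx deliveries disable the endpoint,
    and a successful delivery resets the counter."""

    def __init__(self, url):
        self.url = url
        self.failures = 0
        self.enabled = True

    def record(self, status_code):
        if 200 <= status_code < 300:
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= FAILURE_LIMIT:
                self.enabled = False
        return self.enabled


def demo():
    """One signed delivery (constructed secret and payload) checked by the receiver."""
    secret = b"constructed-shared-secret"
    body = b'{"url":"https://api.example.test","score":"D","previous_score":"B"}'
    ts = 1_700_000_000
    headers = {"X-Webhook-Signature": sign(secret, ts, body),
               "X-Webhook-Timestamp": str(ts)}
    return verify(secret, headers, body, now=ts + 10)


if __name__ == "__main__":
    print(demo())
    endpoint = WebhookEndpoint("https://hooks.example.test/constructed")
    for code in (500, 502, 503, 504, 500):
        print(code, endpoint.record(code))
```

The receiver must read the body exactly as delivered before any JSON parsing or framework middleware rewrites it; a signature computed over `json.dumps(parsed)` will differ in key order and whitespace and fail against the sender's digest.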
Limitations and responsible use
The tool does not fix, patch, block, or remediate issues; it detects and reports with guidance. It does not perform active SQL injection or command injection tests, which fall outside its read-only design. Business logic vulnerabilities require domain expertise and are out of scope, and blind SSRF detection is not supported due to the absence of out-of-band infrastructure. The scanner does not replace a human pentester for high-stakes audits. Organizations should treat its output as one input to a broader security program and validate findings in their specific environment.