API security for SREs

What middleBrick covers

  • Black-box API scanning with a risk score in under a minute
  • Maps findings to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10
  • OpenAPI 3.x and Swagger 2.0 spec analysis with diff tracking
  • Authenticated scans with strict header allowlist and domain verification
  • CI/CD integration via GitHub Action and programmatic API
  • Continuous monitoring with rescheduling and HMAC-SHA256 webhooks

What an API security scanner does for SREs

An API security scanner for SREs focuses on runtime behavior rather than source code. It is a black-box scanner that sends read-only requests (GET and HEAD) and text-only POST probes to a target endpoint and returns a risk score from A to F with prioritized findings. The scan completes in under a minute and does not require agents, SDKs, or code access, so it works across languages, frameworks, and clouds.

Detection aligned to standards and common API failure modes

The scanner maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other frameworks, it helps you prepare audit evidence through alignment, not certification. Detection categories include authentication bypass and JWT misconfigurations (such as alg=none, HS256, expired or missing claims), BOLA and IDOR via sequential ID enumeration, BFLA and privilege escalation via admin endpoint probing, over-exposed properties and mass-assignment surfaces, input validation issues like CORS wildcard usage and dangerous HTTP methods, rate-limiting and resource consumption signals, PII and API key exposure patterns, missing transport protections, SSRF indicators involving URL-accepting parameters, and inventory management gaps such as missing versioning. The scanner also includes LLM / AI security probes covering prompt injection, jailbreak, data exfiltration, and token smuggling across multiple tiers.
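The JWT misconfigurations named above (alg=none, HS256, expired or missing claims) can be checked against tokens your own service issues. This is an added example, not middleBrick's code; the required-claim set (exp, iss, aud), the finding labels, and the helper names are assumptions.

```python
import base64
import json
import time

# Assumption: the page does not say which claims count as "missing".
REQUIRED_CLAIMS = ("exp", "iss", "aud")


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def audit_jwt(token, now=None):
    """Return finding labels for a JWT. The signature is NOT verified here."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["malformed"]
    findings = []
    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("alg-none")      # unsigned token would be accepted
    elif alg == "hs256":
        findings.append("alg-hs256")     # shared secret: review key handling
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append("expired")
    findings += [f"missing-claim:{c}" for c in REQUIRED_CLAIMS if c not in claims]
    return findings


def make_sample(header, claims, signature="c2ln"):
    """Build a constructed sample token; the signature is a placeholder."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.{signature}"


if __name__ == "__main__":
    # Constructed sample: unsigned token with no registered claims.
    print(audit_jwt(make_sample({"alg": "none"}, {"sub": "1"}, signature="")))
```

A clean result only means none of these header and claim checks fired; signature validity still has to be enforced by the verifying service.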

OpenAPI spec analysis and authenticated scanning constraints

The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 with recursive $ref resolution and cross-references spec definitions against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning requires domain verification via DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. Supported auth methods include Bearer, API key, Basic auth, and Cookie. A strict header allowlist is enforced, forwarding only Authorization, X-API-Key, Cookie, and X-Custom-* headers.

Operational use cases and integrations for continuous monitoring

Use the CLI (middlebrick scan <url>) for on-demand scans with JSON or text output, or integrate the GitHub Action as a CI/CD gate that fails the build when the score drops below your threshold. The Web Dashboard centralizes scans, trends, and branded compliance PDFs. For ongoing risk management, the Pro tier offers scheduled rescans, diff detection across runs, email alerts rate-limited to one per hour per API, and HMAC-SHA256 signed webhooks that auto-disable after five consecutive failures. The MCP Server enables scanning from AI coding assistants such as Claude and Cursor.

Limitations and safety posture

The scanner does not fix, patch, block, or remediate; it detects and reports with remediation guidance. It does not perform active SQL injection or command injection tests, does not detect business logic vulnerabilities, and does not perform blind SSRF testing. It is not a replacement for a human pentester in high-stakes audits. Safety measures include read-only methods only, blocking private IPs, localhost, and cloud metadata endpoints at multiple layers, and allowing customer data deletion on demand within 30 days of cancellation. Customer data is never sold or used for model training.

Frequently Asked Questions

Can the scanner test APIs that require authentication?
Yes, it supports Bearer tokens, API keys, Basic auth, and cookies. You must verify domain ownership before scanning authenticated endpoints.

Does the scanner perform intrusive testing such as SQL injection?
No. It only sends read-only methods and text-based LLM probes. Intrusive payloads for SQL injection or command injection are out of scope.

How does the scanner map findings to compliance frameworks?
It maps findings directly to PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Other frameworks are supported through alignment, not certification.

Can I integrate scanning into my CI/CD pipeline?
Yes. The GitHub Action can fail the build when the score drops below a configured threshold, enabling automated gating.