New product launch API security check
What middleBrick covers
- Black-box scanning with no agents or code access
- Risk scoring with prioritized findings A to F
- Detection aligned to OWASP API Top 10 (2023)
- OpenAPI 3.x and Swagger 2.0 parsing with ref resolution
- Authenticated scanning with header allowlist
- Continuous monitoring and diff detection
Overview of the API security scanner
This tool is a self-service API security scanner designed to fit into existing workflows without requiring code changes. You submit an API endpoint URL and receive a risk score from A to F along with prioritized findings. The scan is black-box: it operates without agents, SDKs, or access to source code, so it works against any language, framework, or cloud environment. A typical scan completes in under one minute and uses read-only methods (GET and HEAD); the only POST requests are text-only LLM probes.
Detection coverage aligned to industry standards
The scanner evaluates 12 security categories aligned to the OWASP API Top 10 (2023):
- Authentication: JWT misconfigurations including alg=none, weak shared secrets, expired tokens, missing claims, and sensitive data in claims; security headers and WWW-Authenticate compliance.
- Broken Object Level Authorization (BOLA) and Insecure Direct Object References (IDOR): sequential ID enumeration and active adjacent-ID probing.
- Broken Function Level Authorization (BFLA) and privilege escalation indicators.
- Over-exposed properties and internal field leakage.
- Input validation: CORS wildcard usage and dangerous HTTP methods.
- Resource consumption: missing rate limiting, oversized responses, and unpaginated arrays.
- Data exposure: PII patterns, valid credit card numbers, API key formats, and error or stack trace leakage.
- Encryption: HTTPS redirects, HSTS presence, and cookie flags.
- Server-side request forgery (SSRF): probes against URL-accepting parameters and internal IP detection.
- Inventory management: missing versioning and legacy path patterns.
- Unsafe consumption: excessive third-party URLs and webhook endpoints.
- LLM and AI security: 18 adversarial probes across multiple depth tiers.
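The JWT checks in the Authentication category are easy to misread as one check, so here is what each of them looks like when applied to a single captured token. This is an added example written for this page, not middleBrick's own code: the required-claim list, the sensitive-claim names and the four-entry weak-secret wordlist are constructed stand-ins, and the `make_token` helper exists only so the sample tokens (including an unsigned alg=none one) can be built inline without a network.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims a bearer token is expected to carry (assumption for this example).
REQUIRED_CLAIMS = ("exp", "iss", "aud")
# Claim names that should never appear in a token (constructed list).
SENSITIVE_CLAIM_KEYS = {"password", "ssn", "credit_card", "secret", "api_key"}
# Tiny constructed wordlist standing in for a real weak-secret dictionary.
WEAK_SECRETS = ("secret", "password", "changeme", "123456")
HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_token(header: dict, payload: dict, secret=None) -> str:
    """Build a compact JWS. With secret=None the token is unsigned (alg=none)."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    if secret is None:
        return signing_input + "."            # empty signature segment
    digest = HS_DIGESTS[header["alg"]]
    sig = hmac.new(secret.encode(), signing_input.encode(), digest).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def inspect_jwt(token: str, now=None) -> list:
    """Return finding strings for one token; an empty list means no issue found."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed: expected header.payload.signature"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:                        # covers bad base64, bad UTF-8 and bad JSON
        return ["malformed: header or payload is not base64url JSON"]

    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none":
        findings.append("alg=none: token carries no signature")
    elif alg in HS_DIGESTS:
        # Offline guess of the shared secret: recompute the MAC with each candidate.
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        sig = _b64url_decode(parts[2])
        for guess in WEAK_SECRETS:
            expected = hmac.new(guess.encode(), signing_input, HS_DIGESTS[alg]).digest()
            if hmac.compare_digest(sig, expected):
                findings.append(f"weak shared secret: token verifies with {guess!r}")
                break

    now = time.time() if now is None else now
    if isinstance(payload.get("exp"), (int, float)) and payload["exp"] < now:
        findings.append("expired: exp is in the past")
    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"missing claim: {claim}")
    for key in payload:
        if str(key).lower() in SENSITIVE_CLAIM_KEYS:
            findings.append(f"sensitive data in claim: {key}")
    return findings


if __name__ == "__main__":
    # Constructed sample: HS256 signed with the secret "secret", already expired,
    # missing iss/aud, and carrying a password claim.
    bad = make_token({"alg": "HS256", "typ": "JWT"},
                     {"sub": "42", "exp": 1_700_000_000, "password": "hunter2"}, "secret")
    for line in inspect_jwt(bad, now=1_800_000_000):
        print(line)
```

The alg=none finding is the static half of what a scanner does; the dynamic half is replaying that unsigned token against the target and seeing whether the API still returns 200. The weak-secret loop is the same idea as a hashcat run against mode 16500, just with a four-word list so it runs instantly here.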
OpenAPI analysis and authenticated scanning
The scanner parses OpenAPI 3.0, 3.1, and Swagger 2.0 definitions with recursive $ref resolution and cross-references the specification against runtime findings to highlight undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scanning supports Bearer tokens, API keys, Basic auth, and cookies. Before any credential is accepted for a target, domain ownership is verified through a DNS TXT record or an HTTP well-known file, so only the domain owner can submit credentials. A strict header allowlist forwards only Authorization, X-API-Key, Cookie, and X-Custom-* headers to the target; anything else you supply is dropped, which keeps the credential surface exposed during testing as small as possible.
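The two gates above (ownership proof, then the header allowlist) compose into one decision: no credential is forwarded until the domain is verified, and even then only allowlisted header names go out. The following is an added illustration of that flow, not middleBrick's own implementation; the TXT record name, the well-known path and the in-memory DNS and HTTP lookups are assumptions constructed for the example, and the allowlist is the one stated on the page.

```python
import fnmatch
import hmac

# Allowlist named on the page; X-Custom-* is a glob and header names compare case-insensitively.
FORWARDED_HEADER_ALLOWLIST = ("Authorization", "X-API-Key", "Cookie", "X-Custom-*")

# The record name and well-known path are assumptions for this example.
TXT_RECORD_PREFIX = "_api-scan-verify."
WELL_KNOWN_PATH = "/.well-known/api-scan-verify.txt"

# Constructed stand-ins for real DNS and HTTP lookups, so the example runs offline.
SAMPLE_TXT = {"_api-scan-verify.api.example.com": ["v=spf1 -all", "k3Qf9ZpL"]}


def sample_lookup_txt(name: str) -> list:
    return SAMPLE_TXT.get(name, [])


def sample_fetch_well_known(domain: str, path: str):
    return None                      # no well-known file published in the sample


def domain_verified(domain, expected_token, lookup_txt, fetch_well_known) -> bool:
    """True if a DNS TXT record or the well-known file carries the expected token."""
    want = expected_token.encode()
    for record in lookup_txt(TXT_RECORD_PREFIX + domain):
        if hmac.compare_digest(record.strip().encode(), want):
            return True
    body = fetch_well_known(domain, WELL_KNOWN_PATH)
    return body is not None and hmac.compare_digest(body.strip().encode(), want)


def filter_forwarded_headers(headers: dict):
    """Split caller-supplied headers into (forwarded, dropped) per the allowlist."""
    patterns = [p.lower() for p in FORWARDED_HEADER_ALLOWLIST]
    forwarded, dropped = {}, []
    for name, value in headers.items():
        if any(fnmatch.fnmatchcase(name.lower(), p) for p in patterns):
            forwarded[name] = value
        else:
            dropped.append(name)
    return forwarded, dropped


def prepare_scan_headers(domain, expected_token, headers, lookup_txt, fetch_well_known):
    """Refuse to forward any credential until the submitter has proven domain ownership."""
    if not domain_verified(domain, expected_token, lookup_txt, fetch_well_known):
        raise PermissionError(f"{domain}: ownership not verified; credentials not forwarded")
    return filter_forwarded_headers(headers)


if __name__ == "__main__":
    submitted = {
        "Authorization": "Bearer eyJ...", "x-api-key": "k", "Cookie": "session=1",
        "X-Custom-Tenant": "acme", "X-Forwarded-For": "203.0.113.9", "X-Customer-Id": "7",
    }
    fwd, dropped = prepare_scan_headers("api.example.com", "k3Qf9ZpL", submitted,
                                        sample_lookup_txt, sample_fetch_well_known)
    print("forwarded:", sorted(fwd), "dropped:", dropped)
```

Note the glob boundary: `X-Custom-Tenant` is forwarded but `X-Customer-Id` is not, because the pattern requires the hyphen after `Custom`. The ownership check is per target domain, so a verified token for `api.example.com` does not let the same submitter attach credentials to a scan of some other host.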
Continuous monitoring and integrations
For ongoing risk management, the Pro tier offers scheduled rescans every six hours, daily, weekly, or monthly. Each rescan is diffed against the previous one to surface new findings, resolved items, and score drift. Email alerts are rate-limited to one per hour per API. Webhooks are signed with HMAC-SHA256 and are automatically disabled after five consecutive delivery failures. The platform integrates with common tools through a Web Dashboard for reporting and trend analysis, a CLI published as an npm package for terminal-based scans, a GitHub Action for CI/CD gating that fails the build when a score threshold is exceeded, and an MCP Server for use with AI coding assistants. Programmatic access is available through an API client for custom integrations.
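The webhook sentence packs two mechanisms a receiver should understand: the HMAC-SHA256 signature it must verify, and the sender-side circuit breaker that disables the subscription after five straight failures. The block below is an added example of both halves, written for this page rather than taken from middleBrick; the header names, the inclusion of a timestamp in the signed string and the 300-second replay window are assumptions, and `send` is an injected stand-in for the real HTTP POST.

```python
import hashlib
import hmac
import json
import time

MAX_CONSECUTIVE_FAILURES = 5     # page: auto-disable after five consecutive failures
TIMESTAMP_TOLERANCE_S = 300      # replay window; the value is an assumption
# Header names are assumptions for this example.
SIG_HEADER = "X-Webhook-Signature"
TS_HEADER = "X-Webhook-Timestamp"


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<body>" so a captured delivery cannot be replayed later."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify_delivery(secret: bytes, headers: dict, body: bytes, now: int) -> bool:
    """Receiver side: check the timestamp window, then a constant-time signature compare."""
    try:
        ts = int(headers[TS_HEADER])
        presented = str(headers[SIG_HEADER]).encode()
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > TIMESTAMP_TOLERANCE_S:
        return False
    return hmac.compare_digest(sign(secret, ts, body).encode(), presented)


class WebhookSubscription:
    """Sender side: sign each event; disable the endpoint after five straight failures."""

    def __init__(self, url: str, secret: bytes):
        self.url = url
        self.secret = secret
        self.consecutive_failures = 0
        self.enabled = True

    def deliver(self, event: dict, send, now=None) -> bool:
        """send(url, headers, body) -> bool is the transport; returns whether delivery succeeded."""
        if not self.enabled:
            return False
        ts = int(time.time()) if now is None else now
        # Canonical JSON so sender and receiver sign exactly the same bytes.
        body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        headers = {TS_HEADER: str(ts), SIG_HEADER: sign(self.secret, ts, body)}
        ok = send(self.url, headers, body)
        if ok:
            self.consecutive_failures = 0        # any success resets the streak
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return ok


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    sub = WebhookSubscription("https://hooks.example.com/in", secret)

    def echo_send(url, headers, body):
        # Constructed receiver: verify exactly what the sender produced.
        print("verified:", verify_delivery(secret, headers, body, now=int(time.time())))
        return True

    sub.deliver({"api": "https://api.example.com", "score": "B", "new_findings": 2}, echo_send)
```

On the receiving side, verify before parsing the JSON, and compare with `hmac.compare_digest`, never `==`. On the sending side, the counter is of consecutive failures, so one successful delivery in the middle of an outage restarts the count.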
Safety posture and compliance framing
The scanner is designed with a read-only safety posture: no destructive payloads are ever sent. Private IP addresses, localhost, and cloud metadata endpoints are blocked at multiple layers so that the scanner cannot be turned against internal infrastructure. Customer scan data can be deleted on demand and is purged within 30 days of cancellation. The product does not perform active SQL injection or command injection testing, does not attempt to fix, patch, or block issues, and does not detect business logic vulnerabilities, which require domain-specific human analysis. It does not replace a human pentester for high-stakes audits. Findings are mapped to support compliance evidence for PCI-DSS 4.0, SOC 2 Type II, and the OWASP API Top 10 (2023). For other frameworks, it aligns findings with the security controls those standards describe and helps you prepare, but it does not assert certification or guarantee compliance.
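"Blocked at multiple layers" is the right design for a scanner that accepts arbitrary URLs, and the same guard is what the SSRF probes in the coverage section look for in the target API. The block below is an added example of such a target guard, not middleBrick's own code: it refuses a scan target by hostname first and then by every address the name resolves to, including IPv4-mapped IPv6 and shorthand literals like `127.1`. The denylisted hostnames, the metadata addresses and the in-memory resolver are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Layer 1: names refused before any DNS lookup (constructed list; extend for your clouds).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}
# Cloud metadata addresses: the IPv4 IMDS address and the AWS IPv6 IMDS endpoint.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("fd00:ec2::254"),
}

# Constructed resolver standing in for getaddrinfo so the example runs offline.
SAMPLE_DNS = {
    "api.example.com": ["8.8.8.8"],            # any globally routable address
    "internal.example.com": ["10.0.0.5"],      # public name, private answer
    "127.1": ["127.0.0.1"],                    # shorthand the OS resolver expands
    "nx.example.com": [],
}


def sample_resolve(host: str) -> list:
    return SAMPLE_DNS.get(host.lower().rstrip("."), [])


def is_blocked_address(addr) -> bool:
    """Layer 2: refuse anything that is not a globally routable unicast address."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                 # ::ffff:127.0.0.1 is still loopback
    return (addr in METADATA_ADDRESSES or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def check_scan_target(url: str, resolve=sample_resolve):
    """Return (allowed, reason). `resolve` maps a hostname to a list of address strings."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname                       # lowercased, IPv6 brackets stripped
    if not host:
        return False, "no host in URL"
    if host.rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname {host}"
    try:
        addresses = [ipaddress.ip_address(host)]   # literal IP, no lookup needed
    except ValueError:
        addresses = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        return False, f"{host} does not resolve"
    for addr in addresses:                      # every answer must be acceptable
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for target in ("https://api.example.com/v1/users",
                   "http://169.254.169.254/latest/meta-data/",
                   "http://[::ffff:127.0.0.1]/admin",
                   "http://127.1/",
                   "https://internal.example.com/"):
        print(target, "->", check_scan_target(target))
```

Two layers are not quite enough on their own: the address check is only meaningful if the HTTP client connects to the address that was checked (pin it, or re-resolve inside the client with the same guard) and if every redirect hop is run through `check_scan_target` again, since a public target can 302 to `http://169.254.169.254/`.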