OpenAPI-first API security

What middleBrick covers

  • Black-box scanning with no agents or SDK dependencies
  • OpenAPI 3.0/3.1/Swagger 2.0 parsing with recursive $ref resolution
  • 12 detection categories aligned to the OWASP API Top 10 (2023)
  • Authenticated scans with strict header allowlisting
  • LLM security testing across three scan tiers
  • CI/CD integration with build gating and compliance reports

OpenAPI-first security model

An OpenAPI-first approach treats the specification as the source of truth for testing and validation. middleBrick parses OpenAPI 3.0, 3.1, and Swagger 2.0 documents and resolves recursive $ref chains to build a complete inventory of paths, parameters, and schemas. It then cross-references that inventory against runtime responses to surface undefined security schemes, deprecated operations, and missing pagination. Because every request the scanner sends is read-only, the scan fits black-box testing workflows without sending payloads that could change production state.
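The spec-side half of that workflow, as an added example (not middleBrick's code): a small walker that resolves local $ref pointers with cycle detection and then inventories each operation for the three spec-level findings named above. The sample spec is constructed for the example and covers OpenAPI 3.x only; the pagination parameter names and the rule "a GET that returns an array with no pagination parameter is flagged" are this example's assumptions.

```python
"""Resolve local $ref chains in an OpenAPI 3.x document and inventory
operations that lack a security requirement, reference an undeclared
security scheme, are deprecated, or return a list without pagination."""
from typing import Any

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Assumed names that count as pagination controls for this example.
PAGINATION_PARAMS = {"limit", "offset", "page", "cursor", "page_size", "per_page"}

# Constructed sample spec (not a real API). Node is self-referential, so a
# naive recursive resolver would loop forever on Node -> children -> Node.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearer": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "Node": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "children": {"type": "array",
                             "items": {"$ref": "#/components/schemas/Node"}}}},
            "NodeList": {"type": "array",
                         "items": {"$ref": "#/components/schemas/Node"}},
        },
        "parameters": {"Limit": {"name": "limit", "in": "query",
                                 "schema": {"type": "integer"}}},
    },
    "security": [{"bearer": []}],          # document-wide default
    "paths": {
        "/nodes": {"get": {
            "parameters": [{"$ref": "#/components/parameters/Limit"}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/NodeList"}}}}}}},
        "/nodes/{id}": {"get": {
            "security": [],                # explicitly opts out of auth
            "deprecated": True,
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/Node"}}}}}}},
        "/admin/export": {"get": {
            "security": [{"legacyKey": []}],  # scheme never declared
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/NodeList"}}}}}}},
    },
}


def resolve_ref(doc: dict, ref: str) -> Any:
    """Follow a local JSON pointer such as '#/components/schemas/Node'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        part = part.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescape
        node = node[part]
    return node


def deref(doc: dict, obj: Any, seen: frozenset = frozenset()) -> Any:
    """Inline every $ref recursively; a ref already on the current path is
    replaced by a marker so recursive schemas terminate."""
    if isinstance(obj, dict):
        if "$ref" in obj:
            ref = obj["$ref"]
            if ref in seen:
                return {"$circular": ref}
            return deref(doc, resolve_ref(doc, ref), seen | {ref})
        return {k: deref(doc, v, seen) for k, v in obj.items()}
    if isinstance(obj, list):
        return [deref(doc, v, seen) for v in obj]
    return obj


def returns_array(op: dict) -> bool:
    """True when any documented response body is a top-level array."""
    for resp in op.get("responses", {}).values():
        for media in resp.get("content", {}).values():
            if media.get("schema", {}).get("type") == "array":
                return True
    return False


def inventory(doc: dict) -> list[tuple[str, str]]:
    """Return (operation, finding) pairs for the spec-level checks."""
    declared = set(doc.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, item in doc.get("paths", {}).items():
        path_params = deref(doc, item.get("parameters", []))
        for method, raw_op in item.items():
            if method not in HTTP_METHODS:
                continue
            op = deref(doc, raw_op)
            loc = f"{method.upper()} {path}"
            # An operation-level 'security' key (even []) overrides the default.
            security = op.get("security", doc.get("security", []))
            if not security:
                findings.append((loc, "no-security-requirement"))
            for requirement in security:
                for scheme in requirement:
                    if scheme not in declared:
                        findings.append((loc, f"undefined-security-scheme:{scheme}"))
            if op.get("deprecated"):
                findings.append((loc, "deprecated-operation"))
            names = {p.get("name") for p in path_params + op.get("parameters", [])
                     if isinstance(p, dict)}
            if method == "get" and returns_array(op) and not names & PAGINATION_PARAMS:
                findings.append((loc, "missing-pagination"))
    return findings


if __name__ == "__main__":
    for loc, finding in inventory(SAMPLE_SPEC):
        print(f"{loc:20} {finding}")
```

Against the sample spec this reports GET /nodes/{id} as unauthenticated and deprecated, and GET /admin/export as referencing an undeclared scheme and returning an unpaginated list; GET /nodes inherits the document-wide bearer requirement and declares a limit parameter, so it is clean. Resolving only local pointers is deliberate: remote $ref targets are a fetch of an attacker-controllable URL and belong behind the same target guard as the scan itself.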

Detection coverage and OWASP mapping

The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023) using only read-only methods (GET and HEAD), plus text-only POST requests for the LLM probes. Findings are mapped to the framework's categories as follows: authentication bypass patterns and JWT misconfigurations such as alg=none or expired tokens; security header compliance; BOLA and BFLA, detected through sequential ID enumeration and admin endpoint probing; data exposure, detected through PII patterns and known API key formats such as AWS and GitHub; input validation issues such as CORS wildcard usage and dangerous HTTP methods; and rate limiting, assessed from response headers and oversized responses.

  • Authentication and security header checks
  • Broken object level authorization and IDOR
  • Broken function level authorization and privilege escalation
  • Property over-exposure and mass-assignment surface
  • Input validation and unsafe HTTP methods
  • Rate limiting and oversized response detection
  • Data exposure including credit card Luhn checks and error leakage
  • SSRF probes against URL-accepting parameters
  • LLM security across Quick, Standard, and Deep tiers
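What several of those checks look like when run over a captured response, as an added example that is not middleBrick's code: the JWT inspection decodes the header and claims without verifying the signature (the scanner never holds the server's key, so alg=none, an empty signature, and a past exp are judged from the token alone), the header check flags missing security headers, a wildcard CORS origin combined with credentials, and TRACE/TRACK in Allow, and the body check applies the AWS and GitHub key formats, an e-mail pattern, and a Luhn test over digit runs. The required header set, the "dangerous method" set, the patterns, and the sample response are this example's assumptions.

```python
"""Read-only detection checks over a constructed HTTP response and JWT."""
import base64
import json
import re
import time
from typing import Optional

# Assumed minimum header set for this example.
REQUIRED_HEADERS = {"strict-transport-security", "x-content-type-options",
                    "content-security-policy"}
DANGEROUS_METHODS = {"TRACE", "TRACK"}      # cross-site tracing; assumed set
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwt(token: str, now: Optional[int] = None) -> list[str]:
    """Inspect header and claims only; no signature verification."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["malformed-jwt"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:          # covers bad base64 and bad JSON
        return ["undecodable-jwt"]
    issues = []
    if str(header.get("alg", "")).lower() == "none":
        issues.append("jwt-alg-none")
    if parts[2] == "":
        issues.append("jwt-empty-signature")
    if "exp" not in claims:
        issues.append("jwt-no-exp")
    elif claims["exp"] < now:
        issues.append("jwt-expired")
    return issues


def check_headers(headers: dict[str, str]) -> list[str]:
    h = {k.lower(): v for k, v in headers.items()}
    issues = [f"missing-header:{n}" for n in sorted(REQUIRED_HEADERS - h.keys())]
    if h.get("access-control-allow-origin") == "*":
        issues.append("cors-wildcard")
        if h.get("access-control-allow-credentials", "").lower() == "true":
            issues.append("cors-wildcard-with-credentials")
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    issues += [f"dangerous-method:{m}" for m in sorted(DANGEROUS_METHODS & allowed)]
    return issues


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def check_body(body: str) -> list[str]:
    hits = [name for name, rx in SECRET_PATTERNS.items() if rx.search(body)]
    if any(luhn_ok(run) for run in DIGIT_RUN.findall(body)):
        hits.append("credit-card-luhn")
    return sorted(hits)


def _unsigned_jwt(header: dict, claims: dict) -> str:
    """Build an alg=none token for the sample; not something a server should mint."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."


# Constructed sample data. AKIAIOSFODNN7EXAMPLE is AWS's documented example key.
SAMPLE_TOKEN = _unsigned_jwt({"alg": "none", "typ": "JWT"}, {"sub": "42", "exp": 1700000000})
SAMPLE_RESPONSE = {
    "headers": {"Content-Type": "application/json",
                "Access-Control-Allow-Origin": "*",
                "Access-Control-Allow-Credentials": "true",
                "Allow": "GET, HEAD, TRACE"},
    "body": json.dumps({"user": "alice@example.com", "card": "4111111111111111",
                        "aws": "AKIAIOSFODNN7EXAMPLE"}),
}

if __name__ == "__main__":
    print(check_jwt(SAMPLE_TOKEN, now=1700000001))
    print(check_headers(SAMPLE_RESPONSE["headers"]))
    print(check_body(SAMPLE_RESPONSE["body"]))
```

Two caveats a practitioner would add: a wildcard Access-Control-Allow-Origin is only a finding in combination with credentials or with sensitive data in the body (browsers refuse the wildcard-plus-credentials pair, but the pairing still signals misconfiguration), and pattern hits like a Luhn-valid digit run are evidence to review, not proof of a leaked card number.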

Authenticated scanning and safety

Authenticated scanning (Starter tier and above) supports Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through DNS TXT records or an HTTP well-known file so that only the domain owner can run credentialed scans against it. The scanner forwards only a strict allowlist of headers: Authorization, X-API-Key, Cookie, and X-Custom-* headers. Safety measures include blocking private IPs, localhost, and cloud metadata endpoints at multiple layers. All scans are read-only, and destructive payloads are never sent. Customer data is deletable on demand and purged within 30 days of cancellation.
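The target guard behind "blocking private IPs, localhost, and cloud metadata endpoints", as an added example rather than middleBrick's implementation. It refuses non-HTTP schemes, blocked hostnames, literal or resolved addresses that are not globally routable (including IPv4-mapped IPv6 forms), and the well-known metadata addresses; it also re-checks every hop of a redirect chain, since a public host that redirects to the metadata endpoint is the usual way such a guard is bypassed. The hostname list and the fake DNS table are this example's assumptions.

```python
"""Refuse scan targets that are, or resolve to, private, loopback,
link-local, or cloud-metadata addresses; re-check every redirect hop."""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Assumed blocklist for this example; extend for your environment.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata", "instance-data"}
METADATA_IPS = {ipaddress.ip_address("169.254.169.254"),   # AWS/GCP/Azure IMDS (v4)
                ipaddress.ip_address("fd00:ec2::254")}       # AWS IMDS (v6)

Resolver = Callable[[str], Iterable[ipaddress._BaseAddress]]


def system_resolver(host: str) -> list:
    """All A/AAAA answers, with any IPv6 zone index stripped."""
    return [ipaddress.ip_address(info[4][0].split("%")[0])
            for info in socket.getaddrinfo(host, None)]


def unsafe_reasons(url: str, resolver: Resolver = system_resolver) -> list[str]:
    """Empty list means the target may be requested; otherwise the reasons."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return [f"scheme-not-allowed:{parts.scheme}"]
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["missing-host"]
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return [f"blocked-hostname:{host}"]
    try:
        addrs = [ipaddress.ip_address(host)]        # literal IP in the URL
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError:
            return ["unresolvable-host"]
    reasons = []
    for ip in addrs:
        ip = ipaddress.ip_address(str(ip))
        mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
        if mapped is not None:
            ip = mapped
        if ip in METADATA_IPS:
            reasons.append(f"metadata-address:{ip}")
        elif not ip.is_global:                      # private, loopback, link-local, CGNAT, ...
            reasons.append(f"non-global-address:{ip}")
    return reasons


def check_redirect_chain(urls: list[str], resolver: Resolver = system_resolver
                         ) -> Optional[tuple[int, list[str]]]:
    """Guard each hop; returns (hop index, reasons) for the first refused URL."""
    for i, u in enumerate(urls):
        reasons = unsafe_reasons(u, resolver)
        if reasons:
            return i, reasons
    return None


# Constructed DNS answers so the example runs offline. The split answer for
# rebind.example.com models DNS rebinding: one record public, one loopback,
# which is why every returned address must pass, not just the first.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    for target in ("https://api.example.com/v1", "https://internal.example.com/",
                   "http://169.254.169.254/latest/meta-data/", "http://[::ffff:127.0.0.1]/",
                   "http://rebind.example.com/", "file:///etc/passwd"):
        print(f"{target:45} {unsafe_reasons(target, fake_resolver)}")
```

One layer is not enough on its own: the address checked here is the one the resolver returned to the guard, while the HTTP client may resolve again when it connects. Pinning the connection to the vetted address (or running the guard inside the client's connect hook) closes that gap.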

OpenAPI analysis and continuous monitoring

By parsing the specification, the scanner flags undefined security schemes, sensitive fields, and deprecated operations. Continuous monitoring (Pro tier) runs scheduled rescans every 6 hours, daily, weekly, or monthly and tracks score drift by diffing findings across runs. Alerts are rate-limited to one per hour per API; webhooks are HMAC-SHA256 signed and are auto-disabled after 5 consecutive delivery failures. Score trends track remediation over time, and branded compliance PDFs can be downloaded for documentation purposes.
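What an HMAC-SHA256 signed webhook looks like on both ends, as an added example: the page says deliveries are signed, but not how the signature is carried, so the header name, the "t=<timestamp>,v1=<hex>" format, signing over "<timestamp>.<body>", and the 5-minute tolerance are this example's assumptions, not middleBrick's documented format. The receiver verifies over the raw request bytes with a constant-time comparison, and the small delivery tracker shows the "auto-disable after 5 consecutive failures" rule.

```python
"""Sign and verify a webhook delivery with HMAC-SHA256, and disable an
endpoint after repeated delivery failures."""
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TOLERANCE_SECONDS = 300                     # assumed replay window


def _signing_input(timestamp: int, body: bytes) -> bytes:
    # Binding the timestamp into the MAC is what makes the replay window enforceable.
    return f"{timestamp}.".encode() + body


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    mac = hmac.new(secret, _signing_input(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify(secret: bytes, header_value: str, body: bytes, now: Optional[int] = None) -> bool:
    """Verify against the raw body bytes exactly as received; re-serialising
    parsed JSON would change whitespace and key order and break the MAC."""
    now = int(time.time()) if now is None else now
    fields = dict(kv.split("=", 1) for kv in header_value.split(",") if "=" in kv)
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False                        # stale or replayed delivery
    expected = hmac.new(secret, _signing_input(timestamp, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)   # constant-time comparison


class WebhookEndpoint:
    """Sender-side bookkeeping: disable after N consecutive failed deliveries."""
    MAX_CONSECUTIVE_FAILURES = 5

    def __init__(self, url: str):
        self.url = url
        self.consecutive_failures = 0
        self.enabled = True

    def record(self, delivered: bool) -> bool:
        """Record one delivery attempt; returns whether the endpoint stays enabled."""
        if delivered:
            self.consecutive_failures = 0
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
                self.enabled = False
        return self.enabled


if __name__ == "__main__":
    # Constructed sample delivery.
    secret = b"example-shared-secret"
    body = json.dumps({"api": "https://api.example.com", "score": 71}).encode()
    header = sign(secret, 1700000000, body)
    print(header)
    print("fresh:", verify(secret, header, body, now=1700000010))
    print("tampered:", verify(secret, header, body + b" ", now=1700000010))
    print("replayed:", verify(secret, header, body, now=1700000000 + 3600))
```

The receiver should read the body before any framework JSON parsing touches it, and should treat a verification failure as a 4xx without logging the body, since a forged delivery is exactly the case where the payload is attacker-controlled.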

Product integrations and pricing

The Web Dashboard centralizes scan results, score trends, and report downloads. The CLI supports commands such as middlebrick scan <url> with JSON or text output. A GitHub Action can gate CI/CD, failing the build when the score drops below a chosen threshold. The MCP Server enables scanning from AI coding assistants, and the API client supports custom integrations. A free tier allows 3 scans per month; Starter covers 15 APIs; Pro covers 100 APIs and adds continuous monitoring and compliance features; Enterprise offers unlimited APIs with custom rules and SLA-backed support.

Frequently Asked Questions

Does this scanner perform active exploitation like SQL injection?
No. The scanner uses read-only methods and does not send destructive payloads. SQL injection testing is outside its scope.
Can it detect business logic vulnerabilities?
It surfaces anomalies in API behavior, but business logic risks require human analysis aligned with your domain context.
What standards does the scanner map findings to?
Findings map directly to the OWASP API Top 10 (2023). Its reports can also serve as supporting audit evidence for SOC 2 Type II and PCI DSS 4.0.
Is compliance with HIPAA or GDPR guaranteed?
The tool is not a compliance certification device. It helps you prepare evidence aligned with security controls described in relevant frameworks.