SPA backend security
What middleBrick covers
- Black-box API scanning with under one minute turnaround
- Authentication and JWT misconfiguration detection
- BOLA and BFLA authorization testing
- OpenAPI spec parsing with recursive reference resolution
- Authenticated scan support with strict header allowlists
- Continuous monitoring and diff-based alerting
SPA backend API threat model
Single-page applications rely on a backend API for authentication, data, and business logic. Because the client is fully observable, attackers focus on the API surface rather than the UI. Black-box scanning targets endpoints that handle user sessions, tokens, and dynamic data paths. The implicit trust of frontend-originated requests makes authentication, authorization, and input validation critical controls.
Authentication and security header checks
The scanner evaluates how APIs manage identity and transport security. It checks for JWT misconfigurations such as alg=none, weak HS256 keys, expired tokens, missing standard claims, and sensitive data embedded in payloads. Security headers and WWW-Authenticate compliance are assessed to verify proper challenge and protection mechanisms. These checks map findings to OWASP API Top 10 controls around identification and authentication failures.
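The token-level checks above are all passive: they read the header and payload of a JWT without verifying or trusting it. The following Python is an added illustration of that kind of inspection, not middleBrick's own code; the finding codes, the required-claim list and the sensitive-key list are assumptions chosen for the example, and the tokens it builds are unsigned, constructed test inputs.

```python
import base64
import json
import time
from typing import Dict, List, Optional, Tuple

# Claims whose presence suggests sensitive data is carried in a token that any
# client can decode. Constructed list for this example.
SENSITIVE_KEYS = {"password", "ssn", "card_number", "secret"}
# Standard registered claims the example expects every token to carry (assumption).
REQUIRED_CLAIMS = ("iss", "sub", "exp", "iat")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS into header and payload WITHOUT verifying the signature.
    This is inspection only: a scanner reports on the token, it never acts on it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_jwt(token: str, now: Optional[float] = None) -> List[str]:
    """Return finding codes for the passive misconfigurations named in the text:
    alg=none, missing standard claims, expiry in the past, sensitive payload data."""
    now = time.time() if now is None else now
    header, payload = decode_jwt(token)
    findings: List[str] = []

    alg = str(header.get("alg", "")).lower()
    if alg in ("", "none"):
        findings.append("ALG_NONE")

    for claim in REQUIRED_CLAIMS:
        if claim not in payload:
            findings.append(f"MISSING_CLAIM_{claim.upper()}")

    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp < now:
        findings.append("EXPIRED")

    leaked = sorted(SENSITIVE_KEYS & {str(k).lower() for k in payload})
    if leaked:
        findings.append("SENSITIVE_PAYLOAD:" + ",".join(leaked))
    return findings


def make_unsigned_token(header: Dict, payload: Dict) -> str:
    """Build an unsigned test token (empty signature segment) so the example runs
    offline. Constructed input for demonstration, not a real credential."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    bad = make_unsigned_token({"alg": "none", "typ": "JWT"},
                              {"sub": "123", "exp": 1000, "ssn": "000-00-0000"})
    print(check_jwt(bad, now=2000))
```

Weak HS256 key detection is deliberately left out of this snippet: it needs the signature segment and a key-verification step, which the passive checks above do not.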
Broken object level authorization and function level authorization
BOLA and BFLA are tested through ID enumeration and privilege escalation probes. Sequential ID patterns are followed by adjacent ID scanning to detect insecure direct object references. Admin endpoint discovery and role/permission field inspection surface authorization bypass risks. Findings align with OWASP API Top 10 and support audit evidence for SOC 2 Type II control observance.
Input validation, data exposure, and infrastructure safety
Configuration checks flag CORS wildcard origins combined with credentials, dangerous HTTP methods, and exposed debug endpoints. Data exposure detection targets PII patterns such as emails, Luhn-validated card numbers, context-aware SSN formats, and API key leaks. Infrastructure safety measures block private IPs, localhost, and cloud metadata endpoints, ensuring scans remain read-only and non-intrusive. These findings help you prepare for the security controls described in PCI-DSS 4.0 and related standards.
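Three of the checks in this section are small enough to show end to end: refusing scan targets that resolve to loopback, private or metadata addresses, flagging a wildcard CORS origin paired with credentials, and reducing card-number false positives with the Luhn checksum. The Python below is an added example, not middleBrick's code; the blocked network list, the metadata hostname and the sample response body are constructed for the demonstration.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List

# Address ranges a read-only scanner must never be pointed at. 169.254.169.254
# (inside 169.254.0.0/16) is the well-known cloud metadata address. Constructed list.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_blocked_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_safe_target(url: str, resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Reject URLs whose host is a literal or resolves to a blocked address.
    `resolver` is injectable so the check runs offline in tests and so a caller
    can connect to the exact address it validated (avoiding a re-resolution gap)."""
    from urllib.parse import urlsplit
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host in BLOCKED_HOSTNAMES:
        return False
    try:
        ip_text = str(ipaddress.ip_address(host))      # literal IP in the URL
    except ValueError:
        try:
            ip_text = resolver(host)                   # hostname: resolve it
        except OSError:
            return False
    return not is_blocked_address(ip_text)


def cors_misconfigured(headers: Dict[str, str]) -> bool:
    """Wildcard origin together with Allow-Credentials: true. Browsers refuse this
    exact pairing for credentialed reads, but it shows the policy was never
    designed and typically coexists with origin reflection; report it."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    return (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def find_card_numbers(text: str) -> List[str]:
    """Return digit runs that look like card numbers AND pass Luhn, so order IDs
    and timestamps of similar length are not reported as PII."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


# Constructed response body: one Luhn-valid test number, one that fails Luhn.
SAMPLE_BODY = '{"user":"a","card":"4111 1111 1111 1111","order":"4111111111111112"}'

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))
    print(cors_misconfigured({"Access-Control-Allow-Origin": "*",
                              "Access-Control-Allow-Credentials": "true"}))
```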
OpenAPI analysis and authenticated scanning details
OpenAPI 3.0, 3.1, and Swagger 2.0 files are parsed with recursive $ref resolution. The scanner cross-references spec definitions against runtime behavior to find undefined security schemes, sensitive fields, deprecated operations, and missing pagination. Authenticated scans support Bearer, API key, Basic auth, and cookies, guarded by domain verification to ensure only domain owners can scan with credentials. Header allowlists restrict forwarded headers to Authorization, X-API-Key, Cookie, and X-Custom-*.
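Two pieces of this section lend themselves to a worked example: resolving `$ref` pointers recursively without looping on self-referential schemas, then cross-checking each operation's `security` requirement against `components.securitySchemes`; and applying the forwarded-header allowlist. The Python below is an added example, not middleBrick's implementation; it handles only local (`#/...`) references, the `x-circular` marker is an invented convention for this snippet, and the sample spec is constructed.

```python
import fnmatch
from typing import Any, Dict, FrozenSet, List

# Allowlist from the text; patterns are matched case-insensitively.
ALLOWED_HEADERS = ("authorization", "x-api-key", "cookie", "x-custom-*")
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
_MISSING = object()  # sentinel so a JSON null in the document is not mistaken for "no node"


def filter_forwarded_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Keep only allowlisted headers; Host, X-Forwarded-For and the like are dropped
    before the scanner sends a request on the user's behalf."""
    return {k: v for k, v in headers.items()
            if any(fnmatch.fnmatch(k.lower(), pat) for pat in ALLOWED_HEADERS)}


def resolve_pointer(doc: Dict[str, Any], ref: str) -> Any:
    """Resolve a local JSON pointer such as '#/components/schemas/User'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node: Any = doc
    for token in ref[2:].split("/"):
        node = node[token.replace("~1", "/").replace("~0", "~")]
    return node


def resolve_refs(doc: Dict[str, Any], node: Any = _MISSING,
                 seen: FrozenSet[str] = frozenset()) -> Any:
    """Recursively inline $ref objects. `seen` holds the refs on the current path:
    a reference already on the path is a cycle and is left as a marker instead
    of recursing forever."""
    if node is _MISSING:
        node = doc
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str):
            if ref in seen:
                return {"$ref": ref, "x-circular": True}
            return resolve_refs(doc, resolve_pointer(doc, ref), seen | {ref})
        return {k: resolve_refs(doc, v, seen) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve_refs(doc, v, seen) for v in node]
    return node


def undefined_security_schemes(doc: Dict[str, Any]) -> List[str]:
    """Report operations whose security requirement names a scheme that
    components.securitySchemes never defines (OpenAPI 3.x layout)."""
    defined = set(doc.get("components", {}).get("securitySchemes", {}))
    problems = []
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            for requirement in op.get("security", doc.get("security", [])):
                for name in requirement:
                    if name not in defined:
                        problems.append(f"{method.upper()} {path}: undefined scheme '{name}'")
    return problems


# Constructed spec: User refers to itself (manager) and to Address; one operation
# names a scheme that is never defined.
SAMPLE_SPEC: Dict[str, Any] = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}},
        "schemas": {
            "User": {"type": "object", "properties": {
                "id": {"type": "integer"},
                "manager": {"$ref": "#/components/schemas/User"},
                "address": {"$ref": "#/components/schemas/Address"}}},
            "Address": {"type": "object", "properties": {"city": {"type": "string"}}},
        },
    },
    "paths": {
        "/users/{id}": {"get": {
            "security": [{"bearerAuth": []}],
            "responses": {"200": {"content": {"application/json": {
                "schema": {"$ref": "#/components/schemas/User"}}}}}}},
        "/admin/export": {"post": {"security": [{"adminKey": []}]}},
    },
}

if __name__ == "__main__":
    print(undefined_security_schemes(SAMPLE_SPEC))
    print(filter_forwarded_headers({"Authorization": "Bearer t", "Host": "api.example.com"}))
```

Because `seen` tracks only the current path, a schema referenced twice from sibling properties is inlined both times; only a true ancestor reference is cut, which is what keeps tree-like and linked-list schemas from exhausting the stack.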
Limitations and complementary security practices
The scanner does not perform active SQL injection or command injection, as those require intrusive payloads outside its scope. Business logic vulnerabilities and blind SSRF are not detectable without out-of-band infrastructure or domain knowledge. It does not replace a human pentester for high-stakes audits. Use the tool for continuous monitoring and to surface findings relevant to audits, while relying on specialists for deep validation.