API Security Scanner
Point it at any REST or GraphQL endpoint for an instant, board-ready posture — auth, rate-limiting, injection, data exposure and misconfiguration, each mapped to OWASP + CWE with the fix.
Scan an endpoint
Live request · no data storedRequest Headers
Quick add:
Equivalent cURL
curl -X GET 'https://api.example.com/v1/resource' \
-H 'Content-Type: application/json'Your posture appears here
Enter an endpoint or pick a sample, then run a scan to see the live grade, severity breakdown and OWASP map.
How the scanner actually works
No black box. From your browser we send the request to our server, which performs the analysis and returns exactly what it saw — every finding above is derived from the target’s own live response, not a canned checklist.
Live request
Your browser posts the target URL to our Node server, which issues one real request with your chosen method, headers and body — following redirects, with a 12-second timeout.
fetch(url, { method, headers, redirect: follow })
Header & transport read
We capture the full response-header set, status, latency and body size, then grade eight security headers and the TLS/HSTS posture against their observed values.
response.headers → HSTS · CSP · XFO · XCTO · Referrer · Permissions · COOP · CORP
Stack fingerprinting
Server, X-Powered-By, CDN markers (cf-ray, x-vercel-id, via) and session-cookie names are matched against a rule-set to identify the CDN, web server, framework and language — flagging any version leak.
Server · X-Powered-By · X-AspNet-Version · cf-ray · PHPSESSID · JSESSIONID …
CORS & cookies
The Access-Control-Allow-Origin / Allow-Credentials pair is analysed for the dangerous wildcard-with-credentials case, and every Set-Cookie is parsed for Secure / HttpOnly / SameSite.
ACAO=* + ACAC=true → high · missing Secure/HttpOnly/SameSite → flag
Method & GraphQL probe
A non-destructive OPTIONS preflight reveals advertised methods; GraphQL endpoints get one read-only introspection query to check whether the schema is exposed.
OPTIONS → Allow header · POST {__schema{queryType{name}}}
Secret & PII scan → scoring
The response body is regex-scanned for JWTs, cloud keys, private keys, cards, emails and stack traces. Findings are weighted by severity into a 0–100 score, an A+–F grade, and OWASP API Top-10 mapping.
critical −25 · high −15 · medium −8 · low −3 → grade
Strictly non-destructive & authorized-use only. The scanner sends one normal request, one OPTIONS preflight, and (for GraphQL) one read-only introspection query. It never sends injection payloads, brute-forces, or writes data. Internal, localhost and link-local addresses are blocked to prevent SSRF. Only scan endpoints you own or are permitted to test.
What we test — and why it matters
Every check runs against your live endpoint and maps to a real-world attack path, not a checkbox.
Authentication
We check whether the endpoint answers without credentials and whether auth headers are even in play — the second-most-exploited API weakness.
Authorization (BOLA)
Broken Object Level Authorization is the #1 API risk. We flag it for manual verification and explain exactly how to prove ownership on every request.
Configuration
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS and TLS are inspected from the live response.
Rate limiting
We look for X-RateLimit / Retry-After signals — their absence is a direct route to brute-force, credential-stuffing and resource exhaustion.
Data exposure
The response body is pattern-scanned for tokens, keys, PII, private keys and stack traces that should never leave your server.
Injection surface
We surface where input validation is required and map each risk to its CWE and OWASP category with concrete remediation.
OWASP API Security Top 10 (2023)
The definitive risk taxonomy for APIs. Each card lists the compliance controls that reference it — the language your auditors already speak.
Broken Object Level Authorization
Endpoints expose object identifiers, creating a wide attack surface for cross-tenant access.
Broken Authentication
Authentication mechanisms implemented incorrectly let attackers assume identities.
Broken Object Property Level Authorization
Missing property-level checks lead to excessive data exposure or mass assignment.
Unrestricted Resource Consumption
No limits on request size/rate opens the door to DoS and cost-inflation abuse.
Broken Function Level Authorization
Complex role hierarchies let users reach admin functions they should not.
Unrestricted Access to Sensitive Business Flows
Business flows lacking anti-automation are abused at scale (scalping, spam).
Server Side Request Forgery
Fetching remote resources without validating the URI enables internal pivoting.
Security Misconfiguration
Missing headers, permissive CORS and weak TLS leave predictable openings.
Improper Inventory Management
Shadow and deprecated endpoints stay exposed without proper documentation.
Unsafe Consumption of APIs
Trusting third-party API data more than user input propagates their flaws to you.
Frequently asked questions
What is the OWASP API Security Top 10?
How do I test my API for security vulnerabilities?
What is Broken Object Level Authorization (BOLA)?
Is this API security scanner free to use?
Can I test GraphQL APIs with this scanner?
What security headers should my API have?
How do I protect my API from rate limiting attacks?
What is the difference between authentication and authorization?
How can I prevent SQL injection in my API?
What makes JWT tokens secure?
Secure your APIs before attackers test them for you
Scan on every deploy, wire it into CI, and hand your team findings that already come with the fix. Free, instant, no signup.
Similar Calculators
More tools in the same category
AI Prompt Cost Estimator
Calculate API costs for GPT-4o, Claude, Gemini, Llama & 25+ AI models with real-time token counting
Meeting Cost Calculator
Real-time meeting expense tracker with shame dashboard and productivity metrics
SSL/TLS Certificate Analyzer
Analyze SSL/TLS certificate security
Security Headers Scanner
Scan HTTP security headers
OWASP Compliance Checker
Check for OWASP top 10 vulnerabilities
Container Security Scanner
Scan Docker containers for vulnerabilities
Often Used Together
Complementary tools for complete analysis
Related Articles
Dive deeper with our expert guides and tutorials related to API Security Scanner