APIsec as an API security dashboard
What middleBrick covers
- Centralized API risk scoring and trend tracking
- Black-box scanning with read-only network methods
- OWASP API Top 10 (2023) aligned detection
- OpenAPI 3.x and Swagger 2.0 spec parsing
- Continuous monitoring and webhook alerting
- CI/CD integration via GitHub Action
API Security Dashboard Capabilities
A dashboard for API security provides a centralized view of risk across multiple APIs. middleBrick functions as a self-service scanner: you submit a URL and it returns a letter-grade risk score with prioritized findings. The interface supports reviewing scan results, tracking score trends over time, and downloading branded compliance PDFs for documentation purposes.
Black-Box Scanning Approach
middleBrick operates as a black-box scanner with no agents, no code access, and no SDK integration. It works with any language, framework, or cloud environment because it interacts with the target only through its network interface. Scans complete in under a minute using read-only methods such as GET and HEAD, with text-only POST reserved for LLM probes. This approach limits the impact on production systems while still surfacing observable behaviors.
Detection Coverage and Mapping
The scanner evaluates 12 categories aligned to the OWASP API Top 10 (2023): authentication bypass, JWT misconfigurations, IDOR, privilege escalation, input validation, rate limiting, data exposure, encryption issues, SSRF, inventory management, unsafe consumption, and LLM/AI security. Findings map directly to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). For other regimes, the tool helps you prepare for audits by aligning findings with the security controls described in HIPAA, GDPR, ISO 27001, NIST, CCPA, NIS2, DORA, FedRAMP, DPDP, APPI, PDPA, PIPEDA, PIPA, UK DPA, LGPD, SOX, GLBA, and FERPA, supplying evidence that an auditor can review.
Authenticated Scanning and Scope Controls
Authenticated scanning is available from the Starter tier and above, supporting Bearer tokens, API keys, Basic auth, and cookies. Domain verification is enforced through a DNS TXT record or an HTTP well-known file to ensure only the domain owner can scan with credentials. The scanner forwards a strict header allowlist limited to Authorization, X-API-Key, Cookie, and X-Custom-* headers. OpenAPI 3.0, 3.1, and Swagger 2.0 specifications are parsed with recursive $ref resolution, and findings are cross-referenced against the spec to identify undefined security schemes, sensitive fields, deprecated operations, and missing pagination.
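The spec cross-referencing described above can be illustrated with a small checker. The block below is an added example, not middleBrick's code: it resolves local $ref pointers recursively (with a guard for circular references), then flags operations that reference a security scheme not declared under components.securitySchemes, operations marked deprecated, response fields whose names look sensitive, and GET endpoints that return an array without any pagination query parameter. The sensitive-name pattern, the pagination parameter names, and the sample spec are assumptions constructed for the example; it handles OpenAPI 3.x only, not Swagger 2.0.

```javascript
// Added example (not middleBrick's code): cross-reference an OpenAPI 3.x
// document against a few spec-hygiene checks. The heuristics below are
// assumptions for illustration, not the scanner's actual rules.

// Resolve a local "#/a/b/c" JSON pointer inside the document.
function resolvePointer(doc, ref) {
  if (!ref.startsWith('#/')) throw new Error(`unsupported $ref: ${ref}`);
  return ref.slice(2).split('/').reduce((node, key) => {
    if (node === undefined) return undefined;
    return node[key.replace(/~1/g, '/').replace(/~0/g, '~')];
  }, doc);
}

// Recursively replace every { $ref } with its target. `seen` holds the refs
// on the current resolution chain so circular references terminate.
function deref(doc, node, seen = new Set()) {
  if (Array.isArray(node)) return node.map((n) => deref(doc, n, seen));
  if (node && typeof node === 'object') {
    if (typeof node.$ref === 'string') {
      if (seen.has(node.$ref)) return { circular: node.$ref };
      const target = resolvePointer(doc, node.$ref);
      if (target === undefined) return { unresolved: node.$ref };
      return deref(doc, target, new Set([...seen, node.$ref]));
    }
    const out = {};
    for (const [k, v] of Object.entries(node)) out[k] = deref(doc, v, seen);
    return out;
  }
  return node;
}

const METHODS = ['get', 'put', 'post', 'delete', 'patch', 'head', 'options'];
const SENSITIVE = /password|secret|token|ssn|credit.?card/i;   // assumption
const PAGINATION = /^(limit|offset|page|cursor|page_size|per_page)$/i; // assumption

// Collect dotted paths of sensitive-looking property names in a schema.
function collectSensitive(schema, trail, acc, depth = 0) {
  if (!schema || typeof schema !== 'object' || depth > 8) return acc;
  for (const [name, sub] of Object.entries(schema.properties || {})) {
    if (SENSITIVE.test(name)) acc.push([...trail, name].join('.'));
    collectSensitive(sub, [...trail, name], acc, depth + 1);
  }
  if (schema.items) collectSensitive(schema.items, [...trail, '[]'], acc, depth + 1);
  return acc;
}

// Walk every operation and return a list of { check, where, detail } findings.
function auditSpec(rawDoc) {
  const doc = deref(rawDoc, rawDoc);
  const schemes = new Set(Object.keys((doc.components || {}).securitySchemes || {}));
  const findings = [];
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      const where = `${method.toUpperCase()} ${path}`;
      // Every security requirement must name a declared scheme.
      for (const req of op.security || doc.security || []) {
        for (const name of Object.keys(req)) {
          if (!schemes.has(name)) findings.push({ check: 'undefined-security-scheme', where, detail: name });
        }
      }
      if (op.deprecated === true) findings.push({ check: 'deprecated-operation', where, detail: '' });
      // Sensitive-looking field names anywhere in a response body schema.
      for (const [status, resp] of Object.entries(op.responses || {})) {
        for (const media of Object.values(resp.content || {})) {
          for (const f of collectSensitive(media.schema, [], [])) {
            findings.push({ check: 'sensitive-field', where, detail: `${status} ${f}` });
          }
        }
      }
      // A GET that returns an array but accepts no pagination parameter.
      if (method === 'get') {
        const ok = (op.responses || {})['200'];
        const body = ok && ok.content && Object.values(ok.content)[0];
        const isArray = Boolean(body && body.schema && body.schema.type === 'array');
        const params = [...(item.parameters || []), ...(op.parameters || [])];
        const paged = params.some((p) => p.in === 'query' && PAGINATION.test(p.name));
        if (isArray && !paged) findings.push({ check: 'missing-pagination', where, detail: '' });
      }
    }
  }
  return findings;
}

// Constructed sample spec: one list endpoint leaking a hash field without
// pagination, and one deprecated endpoint using an undeclared scheme.
const SAMPLE_SPEC = {
  openapi: '3.0.3',
  components: {
    securitySchemes: { bearerAuth: { type: 'http', scheme: 'bearer' } },
    schemas: {
      User: { type: 'object', properties: { id: { type: 'integer' }, email: { type: 'string' }, password_hash: { type: 'string' } } },
      UserList: { type: 'array', items: { $ref: '#/components/schemas/User' } },
    },
  },
  paths: {
    '/users': { get: { security: [{ bearerAuth: [] }], responses: { 200: { description: 'ok', content: { 'application/json': { schema: { $ref: '#/components/schemas/UserList' } } } } } } },
    '/legacy/export': { get: { deprecated: true, security: [{ legacyKey: [] }], responses: { 200: { description: 'ok' } } } },
  },
};

console.log(auditSpec(SAMPLE_SPEC));
```

Running it prints four findings: a sensitive field and missing pagination on GET /users, and an undefined security scheme plus a deprecated operation on GET /legacy/export. A real checker would also read the top-level `servers` and path-level `parameters`, and would compare the spec against live responses rather than the document alone.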
Continuous Monitoring and Integrations
The Pro tier includes continuous monitoring with scheduled rescans every 6 hours, daily, weekly, or monthly. Diff detection highlights new findings, resolved findings, and score drift between scans. Alerts are sent via email at a rate-limited pace of 1 per hour per API, and HMAC-SHA256 signed webhooks are disabled automatically after 5 consecutive delivery failures. Integrations include a Web Dashboard for scanning and report management, a CLI via the middlebrick npm package, a GitHub Action that fails CI/CD builds when scores drop below a threshold, an MCP Server for use with AI coding assistants, and a programmatic API for custom integrations.