>_ Security Rules

8 Free Rules + 10 Pro Rules.

Free tier: 8 security rules (AP001–AP008) + Multi-language & framework support. Pro: Advanced OWASP op 10 rules + 30+ secrets detection patterns (AP201) .

Free vs Pro Comparison

Choose the edition that fits your security needs

Feature Free Pro
8 Authorization Rules (AP001-AP008)
OWASP Top 10 Rules (AP101-AP108)
Secrets Detection (AP201)
Deep Source Code Analysis
File-Level Scanning
Diff Mode
Historical Tracking
Risk Scoring
100% Local Analysis
CI/CD Integration
Price $0 $12/mo
View Full Pricing
>_ ApiPosture Pro

Advanced OWASP Top 10 + Secrets Detection

Pro tier adds deep source code inspection beyond endpoint metadata. Detects SQL injection, XSS, weak crypto, secrets, and more.

Upgrade to Pro - $12/month
CRITICAL AP101

Broken Access Control

Missing [Authorize], database writes without auth, IDOR without ownership checks

HIGH AP102

Cryptographic Failures

Weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging

CRITICAL AP103

Injection Vulnerabilities

SQL injection, XSS in Razor, insecure deserialization, Process.Start

HIGH AP104

Insecure Design

Missing CSRF tokens, missing ModelState validation, missing rate limiting

MEDIUM AP105

Security Misconfiguration

XXE vulnerabilities, permissive CORS, missing HTTPS/HSTS, debug endpoints

MEDIUM AP106

Vulnerable Components

Legacy API patterns, deprecated frameworks, outdated endpoints

HIGH AP107

Authentication Failures

Missing audit logging on DELETE, plaintext password comparison

HIGH AP108

SSRF Vulnerabilities

HttpClient/WebClient with user input, URI construction from variables

CRITICAL AP201

Secrets in Code

Detects 30+ secret patterns: AWS, Azure, GCP keys, GitHub tokens, database credentials, JWT secrets

🔒 100% Local Analysis - Your code never leaves your machine

>_ Free Rules (All Languages)

8 Authorization Rules

Purpose-built for API authorization patterns. Zero false positives.

[EXPOSURE] HIGH

AP001: Unintentional Public Access

Detects endpoints that are accessible without authentication but lack an explicit [AllowAnonymous] attribute.

This forces developers to make intentional decisions about public access. Every public endpoint should have explicit documentation of its intent.

// Flagged - no explicit authorization intent
[ApiController]
public class UsersController
{
[HttpGet]
public IActionResult GetUsers() { }
}
 
// Fixed - explicit intent
[ApiController]
[AllowAnonymous] // or [Authorize]
public class UsersController
// Dangerous - anonymous write access
[AllowAnonymous]
[HttpPost]
public IActionResult CreateUser() { }
 
[AllowAnonymous]
[HttpDelete("{id}")]
public IActionResult DeleteUser() { }
[EXPOSURE] HIGH

AP002: Anonymous Write Operations

Catches [AllowAnonymous] on POST, PUT, DELETE, and PATCH operations.

Anonymous write access is almost never intentional. This rule prevents accidental exposure of data modification endpoints.

[CONSISTENCY] MEDIUM

AP003: Authorization Conflicts

Detects when action-level [AllowAnonymous] overrides controller-level [Authorize].

This pattern often indicates copy-paste errors or incomplete refactoring. It creates security holes in otherwise protected controllers.

[Authorize] // Controller is protected
public class AdminController
{
[AllowAnonymous] // Conflict!
[HttpGet("stats")]
public IActionResult GetStats() { }
}
// CRITICAL - No auth on write operation
[ApiController]
public class OrdersController
{
[HttpPost]
public IActionResult CreateOrder() { }
 
[HttpDelete("{id}")]
public IActionResult DeleteOrder() { }
}
[CONSISTENCY] CRITICAL

AP004: Missing Auth on Writes

The most critical rule: public write operations without any authorization attributes. This is your last line of defense.

Write operations (POST, PUT, DELETE, PATCH) should always have explicit authorization. No exceptions.

[PRIVILEGE] LOW

AP005: Role Sprawl

Flags endpoints with 3 or more roles assigned. This is a code smell indicating that policy-based authorization might be a better fit.

Excessive role requirements make code harder to maintain and reason about. Consider consolidating into policies.

// Role sprawl detected
[Authorize(Roles = "Admin,Manager,Supervisor,TeamLead")]
public IActionResult GetReport() { }
 
// Better - use policy
[Authorize(Policy = "CanViewReports")]
public IActionResult GetReport() { }
// Generic role names
[Authorize(Roles = "Admin")]
[Authorize(Roles = "User")]
[Authorize(Roles = "Manager")]
 
// Descriptive role names
[Authorize(Roles = "OrderManager")]
[Authorize(Roles = "ReportViewer")]
[Authorize(Roles = "InventoryAuditor")]
[PRIVILEGE] LOW

AP006: Weak Role Names

Detects generic roles like "User", "Admin", "Guest", and "Manager". These names don't convey specific permissions.

Descriptive role names like "OrderManager" or "ReportViewer" make authorization logic self-documenting.

[SURFACE] MEDIUM

AP007: Sensitive Routes Exposed

Flags public routes containing sensitive keywords like /admin, /debug, /export, /config.

The keyword list is customizable via configuration. Add your own patterns to match your application's conventions.

// Sensitive route patterns
[HttpGet("/admin/users")]
[HttpGet("/debug/logs")]
[HttpGet("/export/data")]
[HttpGet("/config/settings")]
[HttpGet("/internal/metrics")]
// Minimal API without auth
app.MapGet("/users", GetUsers);
app.MapPost("/users", CreateUser);
 
// Fixed - with RequireAuthorization
app.MapGet("/users", GetUsers)
.RequireAuthorization();
app.MapPost("/users", CreateUser)
.RequireAuthorization();
[SURFACE] HIGH

AP008: Minimal API Gaps

Detects Minimal API endpoints missing .RequireAuthorization() method chains.

Full support for modern .NET patterns including route groups and endpoint filters.

>_ Get Started

Ready to secure your API?

Start with the free tier or upgrade to Pro for OWASP Top 10 + secrets detection.

Get Started - Free View Pricing

Manage cookie preferences

Choose which optional cookies to allow. You can change this any time.