>_ Security Rules

8 Free Rules + 10 Pro Rules.

Free tier: 8 security rules (AP001–AP008) plus multi-language and framework support. Pro: advanced OWASP Top 10 rules plus 30+ secrets detection patterns (AP201).

Zero False Positives

Reliable security alerts.

Auto Remediation

We write the PR for you.

100% Local-First

Code stays on-prem.

2-Minute Setup

Instant posture audits.


Core Security Rules

EXPOSURE • HIGH

AP001: Unintentional Public Access

FREE

Detects endpoints accessible without authentication but lacking an explicit [AllowAnonymous] attribute. Forces intentional security decisions.

// Flagged - no explicit authorization intent
[ApiController]
public class UsersController
{
    [HttpGet]
    public IActionResult GetUsers() { }
}
EXPOSURE • HIGH

AP002: Anonymous Write Operations

FREE

Catches [AllowAnonymous] on POST, PUT, DELETE, and PATCH operations. Prevents accidental exposure of modification endpoints.

// Dangerous - anonymous write access
[AllowAnonymous]
[HttpPost]
public IActionResult CreateUser() { }
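As an added illustration of how AP001 and AP002 can be evaluated (this is not the product's own implementation), the Python below collects the attributes above each member of a constructed ASP.NET Core controller, derives the effective policy using the framework's rule that [AllowAnonymous] anywhere on the chain wins over [Authorize], and flags actions with no explicit decision (AP001) or anonymous write verbs (AP002). The sample controller, regexes and function names are assumptions made for this example.

```python
import re
# Assumed approximation of the page's AP001/AP002 rules for ASP.NET Core
# controllers, not the product's implementation; attributes sit on own lines.
VERBS = {"HttpGet", "HttpPost", "HttpPut", "HttpDelete", "HttpPatch"}
WRITE_VERBS = VERBS - {"HttpGet"}
ATTR_RE = re.compile(r"\[(\w+)")
CLASS_RE = re.compile(r"^public\s+(?:\w+\s+)*class\s+\w+")
ACTION_RE = re.compile(r"^public\s+(?:async\s+)?[\w<>]+\s+(\w+)\s*\(")

def effective_policy(action_attrs, class_attrs):
    # ASP.NET Core: [AllowAnonymous] anywhere beats [Authorize]; neither => open.
    attrs = action_attrs | class_attrs
    if "AllowAnonymous" in attrs:
        return "anonymous"
    return "authorize" if "Authorize" in attrs else "none"

def scan_controller(source):
    findings, pending, class_attrs = [], set(), set()
    for raw in source.splitlines():
        line = raw.strip()
        if line.startswith("["):              # attributes for the next member
            pending |= set(ATTR_RE.findall(line))
            continue
        if CLASS_RE.match(line):
            class_attrs = pending
        else:
            m = ACTION_RE.match(line)
            if m and pending & VERBS:         # only routed actions are endpoints
                policy = effective_policy(pending, class_attrs)
                if policy == "none":          # AP001: no explicit auth decision
                    findings.append(("AP001", m.group(1)))
                if policy == "anonymous" and pending & WRITE_VERBS:
                    findings.append(("AP002", m.group(1)))   # anonymous write
        pending = set()                       # any other line ends the attribute run
    return findings

# Constructed sample controller (not from the page) mixing good and bad actions.
SAMPLE = """
[ApiController]
public class UsersController : ControllerBase
{
    [HttpGet]
    public IActionResult GetUsers() { }          // AP001: no intent declared
    [AllowAnonymous]
    [HttpPost]
    public IActionResult CreateUser() { }        // AP002: anonymous write
    [Authorize(Roles = "Admin")]
    [HttpDelete("{id}")]
    public async Task<IActionResult> Delete(int id) { }   // explicit: fine
}
"""
```

Running `scan_controller(SAMPLE)` yields one AP001 finding for GetUsers and one AP002 finding for CreateUser; the explicitly authorized Delete is not reported.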
CRITICAL VULNERABILITY
CONSISTENCY • CRITICAL

AP004: Missing Auth on Writes

The most critical rule: public write operations without any authorization attributes. Write operations should always have explicit authorization. No exceptions.

// CRITICAL - No auth on write operation
app.post('/orders', (req, res) => {
  // create order logic
});

// Fixed - with auth middleware
app.post('/orders', authMiddleware, (req, res) => {
  // protected logic
});

Advanced Detection Engine (Pro)

CRITICAL AP101

Broken Access Control

Missing auth decorators, unauthenticated database writes, IDOR without ownership checks.

HIGH AP102

Cryptographic Failures

Weak hashing (MD5/SHA1), hardcoded crypto keys, sensitive data logging.

CRITICAL AP103

Injection Vulnerabilities

SQL injection, command injection, insecure deserialization, eval/exec misuse.

HIGH AP104

Insecure Design

Missing CSRF protection, missing input validation, missing rate limiting.

MEDIUM AP105

Security Misconfiguration

XXE vulnerabilities, permissive CORS, debug mode enabled, exposed admin endpoints.

MEDIUM AP106

Vulnerable Components

Legacy API patterns, deprecated libraries, outdated endpoints.

HIGH AP107

Authentication Failures

Missing audit logging on destructive operations, plaintext password comparison.

HIGH AP108

SSRF Vulnerabilities

requests/urllib with user input, URL construction from untrusted variables.

CRITICAL AP201

Secrets in Code

Detects 30+ secret patterns: AWS, Azure, GCP keys, GitHub tokens, database credentials, JWT secrets.

100% Local Analysis — Your code never leaves your machine

Free vs Pro Comparison

Choose the edition that fits your security needs

Feature                               Free    Pro      Enterprise
8 Authorization Rules (AP001–AP008)   Yes     Yes      Yes
OWASP Top 10 Rules (AP101–AP108)      No      Yes      Yes
Secrets Detection (AP201)             No      Yes      Yes
Deep Source Code Analysis             No      Yes      Yes
File-Level Scanning                   No      Yes      Yes
Diff Mode                             No      Yes      Yes
Historical Tracking                   No      Yes      Yes
Risk Scoring                          No      Yes      Yes
100% Local Analysis                   Yes     Yes      Yes
CI/CD Integration                     Yes     Yes      Yes
Priority Support                      No      No       Yes
Custom Rule Development               No      No       Yes
Site Licenses                         No      No       Yes
Price                                 $0      $12/mo   Contact us
APIPOSTURE PRO

Advanced OWASP Top 10 + Secrets Detection

Pro tier adds deep source code inspection beyond endpoint metadata. Detects SQL injection, XSS, weak crypto, secrets, and more.

CRITICAL AP101

Broken Access Control

Missing @PreAuthorize, unauthenticated database writes, IDOR without ownership checks.

CRITICAL AP103

Injection Vulnerabilities

SQL injection, command injection via Runtime.exec, insecure deserialization.

CRITICAL AP201

Secrets in Code

Detects 30+ secret patterns: AWS keys, GitHub tokens, database credentials.

Built for Private Analysis

100% Local Analysis

Your code never leaves your machine. Analysis is performed entirely on your infrastructure, ensuring maximum privacy and compliance with data sovereignty laws.

CI/CD Integration

Inject security into your existing workflows. Native support for GitHub Actions, GitLab CI, and Azure DevOps. Fail builds when critical vulnerabilities are detected.

$ apiposture-pro scan .
 
[AP101] Critical: Missing auth on /api/entries
[AP102] High: Weak hashing (MD5) in /api/users/hash
[AP201] Critical: AWS Access Key in appsettings.json
 
Scanned 42 endpoints + 18 files in 2.3s
 
Audit-Ready Status

“Caught three critical auth misconfigurations in our first scan that had been in production for months. The zero-false-positive promise is real — every finding was actionable.”

Alex Chen

Senior Backend Engineer · Fintech

“Pro tier's secrets detection alone has been worth it. Found hardcoded AWS keys in legacy code we never would have caught in manual review. Saved us from a potential breach.”

Sarah Mitchell

DevSecOps Lead · SaaS Platform

“Our legal team wouldn't approve cloud-based scanners. ApiPosture's local-first approach means we can automate security scanning without compliance headaches. Game-changer.”

Marcus Weber

CTO · Healthcare Tech

“Two minutes after running for the first time, AP004 flagged a public DELETE endpoint with no auth in our orders service. Would have been catastrophic in production.”

Priya Patel

API Lead · E-commerce

“The Pro tier covers things we'd need 3–4 separate tools to catch. SQL injection patterns, SSRF detection, secrets — all in one scan. The OWASP coverage is exceptional.”

James Rodriguez

Principal Engineer · Consultancy

“Ran the first scan before my coffee was ready. Free tier rules are genuinely useful, not crippled. Upgraded to Pro the same day. Setup was literally 2 minutes.”

Lisa Kim

Full Stack Developer · Series B Startup

ApiPosture supports .NET (ASP.NET Core), Go (Gin, Echo, Chi, Fiber, net/http), Python (FastAPI, Django REST Framework, Flask), Node.js (Express, NestJS, Fastify, Koa), Java (Spring Boot), and PHP (Laravel, Symfony, Slim). New language editions are released regularly.

No. All analysis is performed 100% locally on your machine or CI/CD runner. No code, findings, or project data is ever uploaded to external servers. There is no telemetry or usage tracking.

The free tier includes 8 authorization rules (AP001–AP008) covering unintentional public access, anonymous write operations, authorization conflicts, missing auth on writes, role sprawl, weak role names, sensitive route exposure, and Minimal API gaps. CI/CD integration is also included for free.

Pro adds OWASP Top 10 rules (AP101–AP108) with deep source code inspection of method bodies, secrets detection (AP201) covering 30+ secret patterns, file-level scanning of Startup.cs/Program.cs/Razor views, diff mode for tracking improvements over time, historical tracking with SQLite, and automated risk scoring.

Enterprise includes all Pro features plus priority support, custom rule development tailored to your stack and conventions, and site licenses for unlimited team usage. Contact us to discuss your requirements.

ApiPosture supports GitHub Actions, GitLab CI, and Azure DevOps. Set the APIPOSTURE_LICENSE_KEY environment variable and add a scan step with --fail-on high to block builds when critical vulnerabilities are detected. Full examples are available in the documentation.

>_ Get Started

Ready to secure your API?

Start with the free tier or upgrade to Pro for OWASP Top 10 + secrets detection.
