API Security

Secure every API.
OWASP API Security Top 10 covered.

APIs are a primary attack vector. codelake discovers every endpoint in your code and profiles its security posture automatically.

Unlike runtime API scanners that need traffic to analyze, codelake finds endpoints by reading your source code, discovering routes, controllers, middleware chains, and data exposure patterns before a single request is made. The flip side of source-based discovery is worth knowing: routes registered dynamically at runtime, and protection that lives outside the code base (an API gateway or WAF in front of the service), are not visible to a source scan and still need a separate review.

$ codelake scan --api .

▸ API security analysis running...
  Discovered 47 API endpoints
  Mapping auth middleware chains...
  Analyzing data exposure per endpoint...
  Checking OWASP API Top 10...

CRITICAL  BOLA — GET /api/users/{id}
  ↳ No ownership check on user ID parameter
CRITICAL  Missing Auth — POST /api/webhooks
  ↳ No auth middleware on mutation endpoint
HIGH      Mass Assignment — PUT /api/users/{id}
  ↳ Request body mapped directly to model
HIGH      Excessive Data — GET /api/users
  ↳ Returns password_hash, internal_id, SSN

✓ 47 endpoints · 14 findings · 4 critical · 6 high
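Three of the four findings in the scan output above (BOLA on GET /api/users/{id}, mass assignment on PUT /api/users/{id}, excessive data exposure on GET /api/users) are easiest to understand as a vulnerable handler next to its hardened form. The block below is an added example written for this page, not codelake's code and not any framework's: plain Python functions stand in for the route handlers, receiving the authenticated caller and the request data, so it runs without a web server. The user records, the "owner or admin" policy and the field allowlists are assumptions constructed for the illustration.

```python
"""Vulnerable and hardened handlers for three API findings: BOLA, mass
assignment and excessive data exposure.

Added illustration, not codelake's or any framework's code. The seed data,
the owner-or-admin policy and the allowlists are constructed assumptions.
"""
import copy

# Constructed seed data standing in for a users table.
_SEED = {
    "u1": {"id": "u1", "email": "alice@example.com", "phone": "555-0100",
           "role": "user", "password_hash": "$2b$12$hash-of-alice", "ssn": "000-00-0001"},
    "u2": {"id": "u2", "email": "bob@example.com", "phone": "555-0101",
           "role": "admin", "password_hash": "$2b$12$hash-of-bob", "ssn": "000-00-0002"},
}
USERS = copy.deepcopy(_SEED)


def reset_db():
    """Restore the table; the vulnerable handlers below really do mutate it."""
    USERS.clear()
    USERS.update(copy.deepcopy(_SEED))


class Forbidden(Exception):
    """Raised where a real handler would return HTTP 403."""


PUBLIC_FIELDS = ("id", "email", "phone")   # what a response may contain (assumed)
WRITABLE_FIELDS = {"email", "phone"}       # what a client may set (assumed)


def public_view(record):
    """Serialize through an allowlist. Filtering out known-bad fields
    (password_hash, ssn) is the fragile alternative: every new column leaks."""
    return {k: record[k] for k in PUBLIC_FIELDS}


def assert_owner_or_admin(current_user, user_id):
    """The object-level check the BOLA finding says is missing."""
    if current_user["id"] != user_id and current_user["role"] != "admin":
        raise Forbidden(f"{current_user['id']} may not access user {user_id}")


# --- GET /api/users/{id}: Broken Object Level Authorization (API1) --------

def get_user_vulnerable(current_user, user_id):
    # Authenticated, but any caller can read any user by guessing the id,
    # and the full record (hash, SSN) comes back with it.
    return USERS[user_id]


def get_user_hardened(current_user, user_id):
    assert_owner_or_admin(current_user, user_id)
    return public_view(USERS[user_id])


# --- PUT /api/users/{id}: mass assignment (API3) --------------------------

def update_user_vulnerable(current_user, user_id, body):
    # Request body copied straight onto the model: {"role": "admin"} escalates.
    USERS[user_id].update(body)
    return USERS[user_id]


def update_user_hardened(current_user, user_id, body):
    assert_owner_or_admin(current_user, user_id)
    unknown = set(body) - WRITABLE_FIELDS
    if unknown:
        # Reject rather than silently drop, so clients learn the contract.
        raise ValueError(f"fields not writable: {sorted(unknown)}")
    USERS[user_id].update(body)
    return public_view(USERS[user_id])


# --- GET /api/users: excessive data exposure (API3) -----------------------

def list_users_vulnerable():
    return list(USERS.values())          # leaks password_hash and ssn


def list_users_hardened():
    return [public_view(u) for u in USERS.values()]
```

The hardened variants share two ideas: authorization is checked against the object being accessed, not only the session, and both the request (WRITABLE_FIELDS) and the response (PUBLIC_FIELDS) pass through an explicit allowlist, so a column added later stays private and read-only by default.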

Auto-Discovery

Every endpoint. Automatically found.

codelake reads your source code — route files, controller decorators, OpenAPI specs, and framework conventions — to build a complete inventory of every API endpoint in your application.

  • Framework-aware route detection
    Understands route definitions in Express, Laravel, Django, Spring Boot, Rails, FastAPI, Gin, and 15+ more frameworks.

  • Middleware chain mapping
    Traces which middleware (auth, rate limiting, CORS, validation) is applied to each endpoint — and which is missing.

  • Request/response body analysis
    Identifies what data each endpoint accepts and returns — flagging sensitive fields that shouldn't be exposed.

  • OpenAPI spec validation
    If you have an OpenAPI/Swagger spec, codelake validates it against your actual code — catching spec drift and undocumented endpoints.

API Endpoint Inventory

Method  Path              Auth     Status
GET     /api/users        Auth     Issue
GET     /api/users/{id}   Auth     Issue
POST    /api/users        Auth     Secure
PUT     /api/users/{id}   Auth     Issue
POST    /api/webhooks     No Auth  Issue
DELETE  /api/users/{id}   Auth     Secure
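To make the discovery step concrete, here is an added example (not codelake's implementation) of a minimal static route inventory over an Express-style router file, the kind of source the auto-discovery bullets above describe: it extracts method, path and per-route middleware chain, normalizes `:id` to `{id}` as in the inventory, and flags routes whose chain contains no recognised auth middleware, rating mutating methods higher as the scan output does. The sample source, the regex, the severity rule and the names in AUTH_MIDDLEWARE are constructed assumptions. A real implementation would also resolve `app.use()`/`router.use()` prefix middleware and middleware arrays; this toy deliberately ignores them, so the rate limiter mounted on `/api` in the sample does not appear in any chain.

```python
"""Minimal static route inventory for Express-style source.

Added example, not codelake's code. SAMPLE_SOURCE, ROUTE_RE, AUTH_MIDDLEWARE
and the severity rule are constructed assumptions. Prefix middleware attached
with router.use()/app.use() is intentionally not tracked.
"""
import re

# Constructed sample: a router file as it might appear in a repository.
SAMPLE_SOURCE = """
const router = require('express').Router();
router.use('/api', rateLimit({ windowMs: 60000, max: 100 }));
router.get('/api/users', requireAuth, listUsers);
router.get('/api/users/:id', requireAuth, getUser);
router.post('/api/users', requireAuth, validate(userSchema), createUser);
router.put('/api/users/:id', requireAuth, updateUser);
router.post('/api/webhooks', handleWebhook);
router.delete('/api/users/:id', requireAuth, requireRole('admin'), deleteUser);
"""

# app.get('/path', mw1, mw2(...), handler);  -> method, path, argument list
ROUTE_RE = re.compile(
    r"""\b(?:app|router)\.(get|post|put|patch|delete)\(\s*['"]([^'"]+)['"]\s*,\s*(.*)\)\s*;"""
)
AUTH_MIDDLEWARE = {"requireAuth", "passport.authenticate", "jwtCheck"}  # assumed names
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def split_args(arg_text):
    """Split 'a, b(x, y), c' on top-level commas only, keeping call arguments intact."""
    parts, depth, cur = [], 0, []
    for ch in arg_text:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def discover_routes(source):
    """Return one record per route: method, normalized path, middleware chain, handler."""
    routes = []
    for m in ROUTE_RE.finditer(source):
        method, path, rest = m.group(1), m.group(2), m.group(3)
        args = split_args(rest)
        routes.append({
            "method": method.upper(),
            "path": re.sub(r":(\w+)", r"{\1}", path),   # express ':id' -> '{id}'
            "middleware": args[:-1],                    # everything before the handler
            "handler": args[-1],
        })
    return routes


def base_name(expr):
    """'requireRole('admin')' -> 'requireRole'; 'passport.authenticate(...)' -> 'passport.authenticate'."""
    return expr.split("(", 1)[0].strip()


def audit(routes):
    """Flag routes with no auth middleware in their chain; mutations rate CRITICAL."""
    findings = []
    for r in routes:
        names = {base_name(mw) for mw in r["middleware"]}
        if not names & AUTH_MIDDLEWARE:
            severity = "CRITICAL" if r["method"] in MUTATING else "HIGH"
            findings.append((severity, "Missing Auth", f"{r['method']} {r['path']}"))
    return findings


if __name__ == "__main__":
    found = discover_routes(SAMPLE_SOURCE)
    for r in found:
        print(f"{r['method']:<7}{r['path']:<20}{', '.join(r['middleware']) or '(none)'}")
    for sev, kind, where in audit(found):
        print(f"{sev:<9}{kind} — {where}")
```

On the sample this reports the same gap as the scan output above: POST /api/webhooks is the only route with no auth middleware in its own chain, and because it is a mutation it is rated CRITICAL.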

OWASP API Top 10 (2023)

Complete coverage of the OWASP API Security Top 10.

codelake checks every API endpoint against all 10 categories of the OWASP API Security Top 10 (2023), the industry standard list of API security risks. Some categories, object-level and function-level authorization in particular, can only be approximated from source because the intended access policy is not written down anywhere the scanner can read; treat those findings as candidates to confirm against your own authorization model rather than as proof.

1. Broken Object Level Authorization (API1:2023)
   Detects endpoints that accept resource IDs without verifying the requesting user owns or has access to that resource.

2. Broken Authentication (API2:2023)
   Finds endpoints with weak or missing authentication, insecure token handling, and missing rate limiting on auth flows.

3. Broken Object Property Level Authorization (API3:2023)
   Catches mass assignment vulnerabilities and excessive data exposure where internal fields are returned in API responses.

4. Unrestricted Resource Consumption (API4:2023)
   Identifies endpoints without rate limiting, pagination, or request size limits that could be abused for DoS or data harvesting.

5. Broken Function Level Authorization (API5:2023)
   Detects admin functions accessible without proper role checks, and inconsistent authorization across related endpoints.

6. Unrestricted Access to Sensitive Business Flows (API6:2023)
   Flags business-critical flows (payment, account changes) that lack additional verification such as re-authentication or MFA.

7. Server-Side Request Forgery (API7:2023)
   Finds endpoints that accept URLs or hostnames from user input and make server-side requests without validation.

8. Security Misconfiguration (API8:2023)
   Checks for verbose error messages, overly permissive CORS, default credentials, unnecessary HTTP methods, and debug mode left enabled.

9. Improper Inventory Management (API9:2023)
   Detects undocumented endpoints, shadow APIs, deprecated but still accessible routes, and version inconsistencies.

10. Unsafe Consumption of APIs (API10:2023)
    Identifies third-party API calls without proper validation, timeout configuration, or error handling for external service responses.
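As an added example for category 7 (not codelake's code), the check below is what a handler should run on a user-supplied URL before making any server-side request: https only, no embedded credentials, no IP literals, host on an allowlist, and an expected port. ALLOWED_HOSTS, ALLOWED_PORTS and the URLs it is exercised with are constructed assumptions. The second function is for the caller to apply to the address the hostname actually resolves to, since a harmless-looking name can point at a private range or the cloud metadata address; no DNS lookup is performed in the block itself, so it runs offline.

```python
"""Allowlist validation for a user-supplied URL before a server-side request
(OWASP API7:2023, Server-Side Request Forgery).

Added example, not codelake's code. ALLOWED_HOSTS and ALLOWED_PORTS are
constructed assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"hooks.example.com", "api.partner.example"}   # assumed allowlist
ALLOWED_PORTS = {443}


def is_safe_target(url):
    """Return (ok, reason) for a URL the server is about to fetch.

    Rejects anything that is not https, URLs with embedded credentials
    (the https://trusted@evil trick), IP literals (127.0.0.1,
    169.254.169.254, [::1]), hosts off the allowlist and unexpected ports.
    No DNS lookup happens here; see resolved_address_ok for the second half.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                          # not an IP literal, carry on
    else:
        return False, f"IP literal {host!r} not allowed"
    if host.lower().rstrip(".") not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    if (port or 443) not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    return True, "ok"


def resolved_address_ok(addr):
    """Apply to the address DNS returned for the allowlisted host, then connect
    to that pinned address so a second lookup cannot rebind it elsewhere.
    Rejects loopback, private, link-local (cloud metadata lives here),
    multicast, reserved and unspecified ranges for both IPv4 and IPv6."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/cb",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://hooks.example.com@evil.example/"):
        print(candidate, is_safe_target(candidate))
```

Two points the scan output cannot tell you but the code makes explicit: the allowlist is on the host, not on a substring of the URL, so prefixes and embedded credentials do not fool it, and the check happens twice, once on the URL and once on the resolved address, because either alone leaves a gap (redirects and DNS rebinding for the first, a spoofed-looking hostname for the second). Redirect handling should also be disabled or re-validated per hop.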

Endpoint Security Profile

GET /api/users/{id}                     Critical Risk

Authentication      OK       Bearer token
Authorization       MISSING  No ownership check
Input Validation    OK       UUID validated
Rate Limiting       OK       100 req/min
Data Exposure       WARN     Returns email, phone
Response Filtering  MISSING  No field selection

Endpoint Security Profiles

A security posture for every endpoint.

Every API endpoint gets a detailed security profile that evaluates authentication, authorization, input validation, rate limiting, and data exposure — giving you a clear picture of each endpoint's risk level.

  • Per-endpoint risk scoring
    Each endpoint gets a risk score based on its security controls, data sensitivity, and attack surface exposure.

  • Sensitive data flagging
    Automatically identifies PII, financial data, and internal fields in API responses that shouldn't be exposed.

  • Remediation guidance
    Actionable recommendations for each finding — add auth middleware, implement field selection, add ownership checks.

Framework Support

Deep understanding of your API framework.

codelake doesn't just parse route strings — it understands how each framework handles routing, middleware, authentication, and serialization.

  • Express.js (Node.js)
  • FastAPI (Python)
  • Django REST (Python)
  • Laravel (PHP)
  • Spring Boot (Java)
  • NestJS (TypeScript)
  • Rails (Ruby)
  • Gin / Echo (Go)

Secure every API endpoint. Automatically.

Discover all your API endpoints and get a complete OWASP API Top 10 assessment in minutes. No traffic analysis needed — works directly from your source code.