Domain 06 / 12
API & Protocols security audit
Secure every endpoint against BOLA, over-exposure and abuse — across REST, GraphQL, gRPC and WebSocket.
- 49 checks
- REST · GraphQL · gRPC · WebSocket
What securmyapp checks
Inside the API & Protocols domain
This is the API & Protocols domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The API & Protocols domain applies the OWASP API Security Top 10 across every interface you expose. securmyapp verifies authentication on all endpoints, tests broken object-level authorization (BOLA), checks for excessive data exposure and missing rate limits, inventories shadow and zombie APIs, and hardens GraphQL (introspection, depth limits), gRPC and WebSocket surfaces.
Coverage areas
49 atomic checks span these sub-domains.
REST
Auth on every endpoint, allowed methods, content-type lockdown, pagination limits.
BOLA & data exposure
Cross-user object access and excessive field exposure.
Rate limiting
Per-user/per-key limits against abuse and DoS.
API inventory
Shadow, zombie and unversioned API detection.
GraphQL
Introspection disabled in prod, depth and complexity limits.
gRPC & WebSocket
Transport, auth and message-handling hardening.
Example checks
A sample of the real checks run in this domain — each mapped to a standard and a fix.
| Check | Severity | Detects | Reference |
|---|---|---|---|
| Auth on all REST endpoints | Critical | Sensitive endpoints reachable without authentication. | API2:2023 · ASVS V4 |
| BOLA at API resource level | Critical | Unauthorized cross-user object access on API routes. | API1:2023 · CWE-639 |
| Excessive data exposure (responses) | High | APIs returning more fields than the client needs (PII leak). | API3:2023 · CWE-213 |
| Rate limiting / anti-automation | High | Missing per-user/per-key limits enabling abuse and DoS. | API4:2023 · CWE-770 |
| GraphQL depth limit | High | Deeply nested queries with no depth cap — a DoS vector. | API4:2023 · CWE-770 |
| GraphQL introspection disabled in prod | Medium | Introspection exposing the full schema in production. | WSTG-APIT-01 · CWE-200 |
Vulnerabilities we catch
- Broken object-level authorization (BOLA) — OWASP API #1
- Unauthenticated sensitive endpoints
- Excessive data exposure and PII over-sharing in responses
- Missing rate limits enabling abuse and resource exhaustion
- Shadow, zombie and unversioned APIs
- GraphQL introspection and unbounded query depth in production
How remediation works and standards
Detect → explain → fix → verify
How remediation works here
Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.
Standards behind this domain
Mapped to recognized references
- OWASP WSTG
- OWASP ASVS 5.0
- OWASP API Top 10
- OWASP MASVS 2.1
- CIS Benchmarks
- MITRE ATT&CK
- CWE
FAQ
API & Protocols — questions & answers
Which protocols does it cover?
REST, GraphQL, gRPC and WebSocket. Checks map directly to the OWASP API Security Top 10 (2023), including BOLA (API1), broken authentication (API2), excessive data exposure (API3) and unrestricted resource consumption (API4).
Can it find shadow or zombie APIs?
Yes. An inventory check catalogs API versions and surfaces shadow and zombie endpoints — undocumented or forgotten routes that escape governance (OWASP API9).
Does it harden GraphQL specifically?
It verifies introspection is disabled in production and that query depth and complexity are capped, preventing schema disclosure and depth-based denial of service.
Related domains
Get started
Audit your app in the next five minutes
Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins
View on GitHub Browse the domains
Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.