Domain 06 / 12

API & Protocols security audit

Secure every endpoint against BOLA, over-exposure and abuse — across REST, GraphQL, gRPC and WebSocket.

  • 49 checks
  • REST · GraphQL · gRPC · WebSocket

Run the audit See example checks

What securmyapp checks

Inside the API & Protocols domain

This is the API & Protocols domain of securmyapp — the free, open-source, 100% defensive security auditor for Claude Code that runs 598 checks across 12 domains. The API & Protocols domain applies the OWASP API Security Top 10 across every interface you expose. securmyapp verifies authentication on all endpoints, tests broken object-level authorization (BOLA), checks for excessive data exposure and missing rate limits, inventories shadow and zombie APIs, and hardens GraphQL (introspection, depth limits), gRPC and WebSocket surfaces.

Coverage areas

49 atomic checks span these sub-domains.

  • REST

    Auth on every endpoint, allowed methods, content-type lockdown, pagination limits.

  • BOLA & data exposure

    Cross-user object access and excessive field exposure.

  • Rate limiting

    Per-user/per-key limits against abuse and DoS.

  • API inventory

    Shadow, zombie and unversioned API detection.

  • GraphQL

    Introspection disabled in prod, depth and complexity limits.

  • gRPC & WebSocket

    Transport, auth and message-handling hardening.

Example checks

A sample of the real checks run in this domain — each mapped to a standard and a fix.

Example API & Protocols security checks with severity, what they detect, and their standard reference.
CheckSeverityDetectsReference
Auth on all REST endpointsCriticalSensitive endpoints reachable without authentication.API2:2023 · ASVS V4
BOLA at API resource levelCriticalUnauthorized cross-user object access on API routes.API1:2023 · CWE-639
Excessive data exposure (responses)HighAPIs returning more fields than the client needs (PII leak).API3:2023 · CWE-213
Rate limiting / anti-automationHighMissing per-user/per-key limits enabling abuse and DoS.API4:2023 · CWE-770
GraphQL depth limitHighDeeply nested queries with no depth cap — a DoS vector.API4:2023 · CWE-770
GraphQL introspection disabled in prodMediumIntrospection exposing the full schema in production.WSTG-APIT-01 · CWE-200

Vulnerabilities we catch

  • Broken object-level authorization (BOLA) — OWASP API #1
  • Unauthenticated sensitive endpoints
  • Excessive data exposure and PII over-sharing in responses
  • Missing rate limits enabling abuse and resource exhaustion
  • Shadow, zombie and unversioned APIs
  • GraphQL introspection and unbounded query depth in production

How remediation works and standards

Detect → explain → fix → verify

How remediation works here

Every finding in this domain is explained in plain language with its reference, fixed with a concrete change to the exact file and line, committed as a reversible Git commit, then re-checked in a real browser against a healthy baseline — so a security fix never breaks your app.

Standards behind this domain

Mapped to recognized references

  • OWASP WSTG
  • OWASP ASVS 5.0
  • OWASP API Top 10
  • OWASP MASVS 2.1
  • CIS Benchmarks
  • MITRE ATT&CK
  • CWE

FAQ

API & Protocols — questions & answers

Which protocols does it cover?

REST, GraphQL, gRPC and WebSocket. Checks map directly to the OWASP API Security Top 10 (2023), including BOLA (API1), broken authentication (API2), excessive data exposure (API3) and unrestricted resource consumption (API4).

Can it find shadow or zombie APIs?

Yes. An inventory check catalogs API versions and surfaces shadow and zombie endpoints — undocumented or forgotten routes that escape governance (OWASP API9).

Does it harden GraphQL specifically?

It verifies introspection is disabled in production and that query depth and complexity are capped, preventing schema disclosure and depth-based denial of service.

Get started

Audit your app in the next five minutes

Install the plugin in Claude Code, then type /securmyapp in your project. The full audit starts on its own.

Claude Code — one-time setup
/plugin marketplace add mafady/securmyapp
/plugin install securmyapp@mafady-security
/reload-plugins

View on GitHub Browse the domains

Requires Node.js 18+, Claude Code, and a paid Claude subscription. Semgrep & Playwright recommended.