Your /admin endpoint has no auth. In production.

Find unprotected API routes before attackers do

API endpoint security auditor. Scans your route files for missing auth, rate limits, CORS misconfigs, and input validation gaps. Runs entirely locally, as a pre-commit hook.

$ brew install lefthook && clawhub install apishield
$ git commit -m "add user endpoints"
 
🔒 APIShield: Scanning route files...
 
  !! CRITICAL   routes/admin.js:14
     POST /admin/users — No auth middleware detected
     Risk: Unauthenticated admin access
 
  !  HIGH         routes/api.js:28
     GET /api/users — No rate limiting
     Risk: Enumeration/DoS attack vector
 
  !  MEDIUM      routes/api.js:45
     Access-Control-Allow-Origin: *
     Risk: Overly permissive CORS
 
  Security Score: 34/100 (CRITICAL)
  3 issues found (1 critical, 1 high, 1 medium)
  Commit blocked.
43% of API breaches from missing auth
$6.1M avg cost of an API breach
3 in 5 APIs with a critical vulnerability

How it works

1. Install

One command installs APIShield and configures pre-commit hooks via Lefthook. Works with any Node, Python, Go, or Ruby project.

clawhub install apishield

2. Build APIs

Write your routes and endpoints as usual. Express, Fastify, Flask, Django, Gin, Rails — APIShield supports them all.

router.post('/admin/users', handler)

3. Audit

Every commit triggers a security scan. Missing auth, open CORS, no rate limits — all caught before code leaves your machine.

git commit -m "ship it"

Comprehensive API security checks

🛡️ Auth Middleware Detection

Detects routes missing authentication middleware. Catches unprotected admin endpoints, public access to sensitive data, and missing JWT/session validation.
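A minimal version of the check described above, written here as an added example rather than APIShield's own code: it scans Express-style route declarations line by line and reports any route whose middleware chain contains no recognised authentication middleware. The sample route file, the list of auth middleware names, and the severity rule (routes under /admin are CRITICAL, others HIGH) are constructed assumptions.

```javascript
// Added example, not APIShield's implementation: flag Express-style routes whose
// middleware chain contains no recognised authentication middleware.
// Assumptions (constructed): one route declaration per line, the final argument
// is the handler, and the names below are what auth middleware looks like here.
const AUTH_MIDDLEWARE = /\b(requireAuth|authenticate|ensureAuthenticated|isAuthenticated|verifyJwt|checkJwt|passport\.authenticate)\b/;
const ROUTE_RE = /\b(?:router|app)\.(get|post|put|patch|delete|all)\(\s*(['"`])([^'"`]+)\2\s*,([\s\S]*)\)\s*;?\s*$/;

// Split an argument list on commas that are not nested inside (), [] or {},
// so `rateLimit({ max: 10 }), deleteUser` yields two arguments, not three.
function splitTopLevel(argList) {
  const parts = [];
  let depth = 0, current = '';
  for (const ch of argList) {
    if ('([{'.includes(ch)) depth += 1;
    else if (')]}'.includes(ch)) depth -= 1;
    if (ch === ',' && depth === 0) { parts.push(current.trim()); current = ''; }
    else current += ch;
  }
  if (current.trim()) parts.push(current.trim());
  return parts;
}

// Scan one route file's source text; return one finding per unprotected route.
function scanRouteSource(source, filename) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    const match = ROUTE_RE.exec(text);
    if (!match) return;
    const [, method, , path, rest] = match;
    const chain = splitTopLevel(rest).slice(0, -1); // everything before the handler
    if (chain.some((mw) => AUTH_MIDDLEWARE.test(mw))) return;
    findings.push({
      file: filename, line: index + 1, method: method.toUpperCase(), path,
      severity: path.startsWith('/admin') ? 'CRITICAL' : 'HIGH', // constructed rule
      message: 'No auth middleware detected',
    });
  });
  return findings;
}

// Constructed sample route file: two protected routes, two unprotected admin routes.
const SAMPLE_ROUTES = [
  "const router = require('express').Router();",
  "router.post('/admin/users', createUser);",
  "router.get('/api/users', requireAuth, listUsers);",
  "router.get('/api/users/:id', passport.authenticate('jwt', { session: false }), getUser);",
  "router.delete('/admin/users/:id', rateLimit({ max: 10 }), deleteUser);",
].join('\n');

for (const f of scanRouteSource(SAMPLE_ROUTES, 'routes/admin.js')) {
  console.log(`${f.severity} ${f.file}:${f.line} ${f.method} ${f.path} - ${f.message}`);
}
```

Router-level middleware such as `router.use(requireAuth)` is not modelled here, so routes protected globally would be reported as well; a production scanner has to track the whole middleware stack and multi-line declarations.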

⏱️ Rate Limit Analysis

Identifies endpoints without rate limiting. Prevents brute force attacks, enumeration, and DoS vectors on login, search, and data-fetching routes.

🌐 CORS Validation

Flags overly permissive CORS configurations like wildcard origins, missing credential restrictions, and exposed headers that leak sensitive data.

🔍 Input Validation

Checks that request bodies, query params, and URL parameters are validated and sanitized. Catches SQL injection, XSS, and prototype pollution vectors.

📋 API Inventory

Automatically catalogs every endpoint across your codebase. Full inventory of routes, methods, middleware chains, and security posture at a glance.

🎯 OWASP Top 10

Maps every finding to the OWASP API Security Top 10. Know exactly which compliance categories your API fails and how to remediate them.

How APIShield compares

The only pre-commit API security scanner that runs 100% locally.

Feature              | APIShield          | StackHawk   | Snyk API    | OWASP ZAP
---------------------|--------------------|-------------|-------------|-----------
Price                | Free / $19 / $39   | $35/dev/mo  | $25/dev/mo  | Free
Runs Locally         | Yes                | Partial     | No (SaaS)   | Yes
Pre-commit Hook      | Yes                | No          | No          | No
Static Analysis      | Yes                | No (DAST)   | Yes         | No (DAST)
Multi-framework (6+) | Yes                | Partial     | Yes         | Partial
Zero Telemetry       | Yes                | No          | No          | Yes
OWASP Mapping        | Yes                | Yes         | Partial     | Yes
Auth Detection       | Yes                | Partial     | Partial     | No
API Inventory        | Yes                | Yes         | Yes         | No

Simple, transparent pricing

Start free. Upgrade when your API surface grows.

Free ($0)
  • Scan up to 5 route files
  • Basic auth detection
  • Console output
  • All supported frameworks

Team ($39/mo)
  • Everything in Pro
  • 25 seats included
  • API inventory & cataloging
  • Cross-service auth analysis
  • OWASP Top 10 mapping
  • Priority support

Your API has unprotected routes. APIShield finds them before attackers do.

Scan your endpoints in seconds. Free, local, and instant.

$ brew install lefthook && clawhub install apishield