A comprehensive API security testing and vulnerability detection platform built for developers who care about security.
SentinelAPI helps you identify and fix API vulnerabilities before they become security incidents. Test individual endpoints and monitor traffic in real-time with automated threat detection.
SentinelAPI is a security-first API testing platform that provides comprehensive security scanning capabilities similar to OWASP ZAP and Burp Suite - but simpler, more focused, and developer-friendly.
Modern web applications rely heavily on APIs, but securing them is complex:
- 🔴 Authentication vulnerabilities are common but hard to detect manually
- 🔴 Manual security testing is tedious, error-prone, and doesn't scale
- 🔴 Lack of actionable guidance - tools find issues but don't explain how to fix them
- 🔴 Inconsistent security practices lead to vulnerabilities slipping into production
- ✅ Automated Security Testing - Scan endpoints with comprehensive vulnerability checks
- ✅ Deep Authentication Analysis - Specialized testing for OAuth 2.0, JWT, API keys, and sessions
- ✅ Actionable Remediation - Every vulnerability comes with clear fix instructions and code examples
- ✅ Real-Time Monitoring - Live traffic analysis with automatic threat blocking
- ✅ Detailed Reports - Export comprehensive security reports in JSON and HTML formats
- ✅ Developer-Friendly - Beautiful UI, clear reports, and seamless workflow integration
- Quick vulnerability scan for individual API endpoints
- Custom headers and authentication configuration
- Real-time scan progress with detailed feedback
- Support for all HTTP methods (GET, POST, PUT, DELETE, PATCH, etc.)
- Instant vulnerability reports with severity ratings
- Authorization Code flow validation
- Client Credentials flow testing
- Implicit flow vulnerability detection
- Token expiration and refresh handling
- PKCE implementation verification
- Algorithm verification (detect 'none' algorithm attacks)
- Signature validation with secret verification
- Claims inspection and sensitive data detection
- Expiration checking and timing attacks
- Token manipulation testing
- Key exposure in URLs (insecure transmission)
- Key rotation detection
- HTTPS enforcement validation
- Key location security (header vs query parameter)
- Cookie security flags (HttpOnly, Secure, SameSite)
- Session fixation vulnerability detection
- Session timeout configuration testing
- Injection Attacks - SQL injection, NoSQL injection, command injection
- CORS Misconfigurations - Overly permissive CORS policies
- SSL/TLS Issues - Certificate validation, weak ciphers, protocol versions
- Security Headers Analysis - Missing or misconfigured headers (CSP, HSTS, X-Frame-Options)
- Rate Limiting Detection - DoS vulnerability testing
- Sensitive Data Exposure - Detect exposed secrets, API keys, PII in responses
- Broken Access Control - Authorization bypass attempts
- XSS Protection - Cross-site scripting vulnerability detection
Route your API traffic through SentinelAPI for live monitoring:
- Automatic threat detection and blocking
- Live traffic dashboard with WebSocket updates
- Request/response logging to database
- Configurable rate limiting per IP
- Target URL whitelist for security
Real-time visibility into API security with WebSocket-powered updates:
- Live Metrics - Requests per minute, blocked threats, response times, active connections
- Request Stream - Real-time feed of all API requests with full details
- Security Alerts - Instant notifications for blocked threats and suspicious activity
- Threat Distribution - Visual breakdown of threat levels (Low, Medium, High, Critical)
- Historical Data - Time-series analytics and top IP tracking
- Auto-Reconnect - Resilient WebSocket connection with automatic recovery
- Response time tracking and analytics
- Comprehensive vulnerability lists with severity indicators
- Detailed descriptions with impact analysis
- Step-by-step remediation instructions
- Code examples and security references (CWE, OWASP)
- Export reports as JSON or HTML
- Professional HTML reports with visual charts and styling
- Risk score calculation based on vulnerability severity
- Automated security recommendations
- Live statistics and metrics
- Active scan monitoring
- Threat level distribution charts
- Request timeline visualization
- Top requesting IPs
- Recent threats feed
- WebSocket-based real-time updates
- Dynamic security rule configuration
- Rate limit customization
- IP whitelist/blacklist management
- Security feature toggles
- Proxy target configuration
- All settings accessible via UI and API
Backend
- Runtime: Node.js (v18+)
- Framework: Express.js 5
- Database: MongoDB (with Mongoose ODM)
- Real-time: Socket.io (WebSocket)
- Authentication: JWT-based auth
- Proxy: http-proxy-middleware
- Rate Limiting: express-rate-limit
- Logging: Winston
Frontend
- Framework: React 18
- Build Tool: Vite
- Styling: Tailwind CSS
- State Management: React Hooks
- Real-time: Socket.io-client
- HTTP Client: Axios
DevOps
- Version Control: Git
- Package Manager: npm
- Environment: dotenv
- Testing: Jest (backend), Vitest (frontend)
```text
┌─────────────────────────────────────────────────────────┐
│                   Client Application                    │
│              (Browser / API Client / CLI)               │
└──────────────────────────┬──────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────┐
│                   SentinelAPI Server                    │
│  ┌───────────────────────────────────────────────────┐  │
│  │              Express.js Application               │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │ Security Middleware (SQL, XSS, NoSQL, etc.) │  │  │
│  │  └─────────────────────────────────────────────┘  │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │          Rate Limiting Middleware           │  │  │
│  │  └─────────────────────────────────────────────┘  │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │              Proxy Middleware               │  │  │
│  │  └─────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────┘  │
│                                                         │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐   │
│  │   Scanner    │  │    Logger    │  │  WebSocket   │   │
│  │   Service    │  │   Service    │  │   Service    │   │
│  └──────────────┘  └──────────────┘  └──────────────┘   │
│  ┌──────────────┐                                       │
│  │    Report    │                                       │
│  │  Generator   │                                       │
│  └──────────────┘                                       │
└──────────────────────────┬──────────────────────────────┘
                           │
                           ▼
┌─────────────────────────────────────────────────────────┐
│                    MongoDB Database                     │
│  • Request Logs   • Security Config   • Scan Results    │
│  • Admin Users    • API Keys          • Analytics       │
└─────────────────────────────────────────────────────────┘
```
- Test APIs during development
- Find security issues before code review
- Learn secure coding practices
- Get actionable fix instructions
- No security expertise needed
- Quick API security audits
- Comprehensive vulnerability reports
- Export reports for compliance
- Monitor production APIs (proxy mode)
- Automated penetration testing
- Integrate into CI/CD pipelines (coming soon)
- Automated security testing
- Track security improvements over time
- Monitor API health and performance
- Add security testing to test suites
- Regression testing for security fixes
- Validate authentication flows
- Test rate limiting and DDoS protection
- Real-time SQL injection detection
- XSS attack prevention
- NoSQL injection blocking
- Command injection detection
- Path traversal prevention
- CORS misconfiguration detection
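To show what the security middleware in the list above does at the request level, here is an added example written for this page, not SentinelAPI's real middleware or rule set: an Express-compatible `(req, res, next)` function that scans the path, query and body for injection and traversal patterns and blocks with 403. The rule patterns are illustrative; `detectThreats`, `securityMiddleware`, `RULES` and the threat levels are assumed names.

```javascript
// Added example, not SentinelAPI's own middleware. The patterns below are
// illustrative detection rules, not the project's real signature set.
// detectThreats and securityMiddleware are assumed names.

const RULES = [
  // tautologies such as ' OR 1=1, UNION SELECT, DROP TABLE, trailing comment markers
  { type: 'sql_injection', level: 'high', pattern: /('|%27)\s*(or|and)\s+[\w'"]+\s*=\s*[\w'"]+|union\s+select|;\s*drop\s+table|--\s*$/i },
  // script tags, inline event handlers, javascript: URLs
  { type: 'xss', level: 'high', pattern: /<\s*script\b|\bon\w+\s*=\s*["']|javascript:/i },
  // shell metacharacter followed by a common binary
  { type: 'command_injection', level: 'critical', pattern: /[;&|`]\s*(cat|ls|id|whoami|wget|curl|nc|bash|sh)\b/i },
  // ../ or ..\ sequences, raw or percent-encoded
  { type: 'path_traversal', level: 'high', pattern: /(\.\.[\/\\])+|%2e%2e(%2f|%5c)/i },
];

const LEVEL_ORDER = ['low', 'medium', 'high', 'critical'];

// req is an Express-style object: { path, query, body }. Returns { blocked, level, threats }.
function detectThreats(req) {
  const threats = [];

  const inspect = (text, location) => {
    let decoded = text;
    try { decoded = decodeURIComponent(text); } catch { /* malformed encoding: scan raw text */ }
    for (const rule of RULES) {
      if (rule.pattern.test(decoded)) threats.push({ type: rule.type, level: rule.level, location });
    }
  };

  // Walk nested query/body values; object keys starting with "$" are MongoDB
  // operators ($ne, $gt, $where, ...) and signal NoSQL operator injection.
  const walk = (value, location) => {
    if (typeof value === 'string') inspect(value, location);
    else if (Array.isArray(value)) value.forEach((v, i) => walk(v, `${location}[${i}]`));
    else if (value && typeof value === 'object') {
      for (const [key, v] of Object.entries(value)) {
        if (key.startsWith('$')) threats.push({ type: 'nosql_injection', level: 'high', location: `${location}.${key}` });
        walk(v, `${location}.${key}`);
      }
    }
  };

  inspect(req.path || '', 'path');
  walk(req.query || {}, 'query');
  walk(req.body || {}, 'body');

  const level = threats.reduce(
    (worst, t) => (LEVEL_ORDER.indexOf(t.level) > LEVEL_ORDER.indexOf(worst) ? t.level : worst),
    'low'
  );
  return { blocked: threats.length > 0, level: threats.length ? level : 'none', threats };
}

// Express-style middleware: attach the verdict for downstream logging, block on any hit.
function securityMiddleware(req, res, next) {
  const result = detectThreats(req);
  req.securityResult = result;
  if (result.blocked) {
    return res.status(403).json({ error: 'request blocked', level: result.level });
  }
  next();
}
```

Two design points worth copying: values are percent-decoded before matching so that encoded payloads do not slip past the rules, and NoSQL injection is detected structurally (operator keys in parsed JSON) rather than by regex, because `{"username": {"$ne": null}}` contains nothing a string pattern would catch.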
- IP-based rate limiting
- Configurable limits per endpoint type
- Whitelist bypass support
- Standard rate limit headers
- DDoS protection
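SentinelAPI's rate limiting is built on express-rate-limit; the following is an added example written for this page, not the project's configuration, showing the same ideas in a self-contained in-memory limiter: a fixed window per IP, whitelist bypass, the `RateLimit-*` response headers from the IETF rate-limit header draft, and a sweep so idle IPs do not accumulate. `createRateLimiter` and its options are assumed names; the clock is injectable so behaviour can be tested without waiting.

```javascript
// Added example, not SentinelAPI's own code (the project uses express-rate-limit).
// createRateLimiter is an assumed name. Fixed-window counter per client IP,
// kept in memory; `now` is injectable for deterministic tests.
function createRateLimiter({ windowMs = 60_000, max = 100, whitelist = [], now = () => Date.now() } = {}) {
  const buckets = new Map(); // ip -> { count, windowStart }
  const allowed = new Set(whitelist);

  // Count one request for `ip` and report whether it is within the limit.
  function check(ip) {
    if (allowed.has(ip)) return { allowed: true, remaining: Infinity, resetSeconds: 0, bypassed: true };
    const t = now();
    let b = buckets.get(ip);
    if (!b || t - b.windowStart >= windowMs) {
      b = { count: 0, windowStart: t };
      buckets.set(ip, b);
    }
    b.count += 1;
    const resetSeconds = Math.ceil((b.windowStart + windowMs - t) / 1000);
    return { allowed: b.count <= max, remaining: Math.max(0, max - b.count), resetSeconds, bypassed: false };
  }

  // Express-style middleware: emit standard headers, answer 429 when over the limit.
  function middleware(req, res, next) {
    const ip = req.ip || 'unknown';
    const r = check(ip);
    if (!r.bypassed) {
      res.setHeader('RateLimit-Limit', String(max));
      res.setHeader('RateLimit-Remaining', String(r.remaining));
      res.setHeader('RateLimit-Reset', String(r.resetSeconds));
    }
    if (!r.allowed) {
      res.setHeader('Retry-After', String(r.resetSeconds));
      return res.status(429).json({ error: 'rate limit exceeded' });
    }
    next();
  }

  // Drop buckets whose window has elapsed so the store does not grow with every IP ever seen.
  function sweep() {
    const t = now();
    for (const [ip, b] of buckets) if (t - b.windowStart >= windowMs) buckets.delete(ip);
  }

  return { check, middleware, sweep, size: () => buckets.size };
}
```

An in-memory store is what keeps the overhead low, as the performance notes on this page say, but it is per process: behind a load balancer each instance counts separately, so a shared store is needed for an exact global limit.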
- All requests logged to database
- Detailed threat information
- Response time tracking
- IP address tracking
- User agent logging
- Request/response body capture
- Target URL whitelist
- HTTPS enforcement
- Request validation
- Response scanning
- Error handling
- Timeout protection
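The target URL whitelist and HTTPS enforcement in the proxy list above are the controls that stop the proxy from being turned into an open relay. The check below is an added example written for this page, not SentinelAPI's own proxy code; `isAllowedTarget` and its options are assumed names. It matches hostnames exactly (a suffix match would let `api.example.com.attacker.example` through), rejects embedded credentials, and refuses plain HTTP by default.

```javascript
// Added example, not SentinelAPI's own code. isAllowedTarget is an assumed name.
// Validates a proxy target against a whitelist of hostnames before any request is forwarded.
function isAllowedTarget(rawUrl, allowedHosts, { requireHttps = true } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (requireHttps && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed; HTTPS required` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials embedded in URL' };
  }
  // The URL parser lowercases the host; compare whole hostnames, never suffixes.
  const host = url.hostname;
  const whitelist = allowedHosts.map((h) => h.toLowerCase());
  if (!whitelist.includes(host)) {
    return { ok: false, reason: `host ${host} is not on the whitelist` };
  }
  // Forward only the origin; path and query come from the client request.
  return { ok: true, target: url.origin };
}
```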
- Response Time: < 100ms for most endpoints
- Proxy Overhead: < 50ms additional latency
- Concurrent Requests: Supports 1000+ concurrent connections
- Database: Optimized indexes for fast queries
- Rate Limiting: In-memory store for minimal overhead
- WebSocket: Real-time updates with minimal bandwidth
Last Updated: February 19, 2026
Version: 1.0.0
Status: Working ✅