Last year, a friend's startup got hacked through a dependency with a known vulnerability.
The fix was available for 6 months. Nobody checked.
These 5 free APIs could have prevented it — and they take minutes to set up.
1. Have I Been Pwned — Check If Emails Were Breached
Troy Hunt's legendary service. Check any email against 13B+ breached accounts. The snippet below uses the Pwned Passwords range endpoint (no key needed), which checks a password rather than an email address.

```python
import requests
import hashlib

def check_password_pwned(password):
    """Check if a password appeared in data breaches (k-anonymity, safe)"""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    resp = requests.get(f'https://api.pwnedpasswords.com/range/{prefix}', timeout=10)
    resp.raise_for_status()
    # The reply lists every known suffix for this prefix; the comparison happens locally
    for line in resp.text.splitlines():
        hash_suffix, count = line.split(':')
        if hash_suffix == suffix:
            return int(count)
    return 0

# Check (uses k-anonymity — your password is NEVER sent)
count = check_password_pwned('password123')
print(f'Found in {count:,} breaches')  # Found in 123,456 breaches
```
How it works: only the first 5 hex characters of the SHA-1 hash are sent. The server answers with every suffix it knows for that prefix, and the match against your full hash is made on your machine, so the password itself never leaves it. Brilliant cryptographic design.
2. OSV.dev — Find Vulnerabilities in Any Package
Google's open source vulnerability database. Covers npm, PyPI, Go, Rust, and more.
```python
import requests

def check_package(ecosystem, package, version):
    """Check if a specific package version has known vulnerabilities"""
    resp = requests.post('https://api.osv.dev/v1/query', json={
        'package': {
            'name': package,
            'ecosystem': ecosystem
        },
        'version': version
    }, timeout=10)
    resp.raise_for_status()
    vulns = resp.json().get('vulns', [])
    for v in vulns:
        # Severity lives in database_specific for advisories that carry one
        severity = v.get('database_specific', {}).get('severity', 'UNKNOWN')
        print(f"  [{severity}] {v['id']}: {v.get('summary', 'No description')[:80]}")
    return vulns

# Check a package
print("Checking requests 2.25.0:")
check_package('PyPI', 'requests', '2.25.0')
```
Free, no key, no rate limits. Covers 40+ ecosystems.
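As an added example (not code from the original post), here is how the OSV lookup above scales to a whole pinned requirements file: it parses `name==version` pins, sends them in one `/v1/querybatch` request, and maps the reply back onto the pins. The sample requirements text and the stand-in reply are constructed, the vulnerability ids in them are placeholders, and only the standard library is used so it runs unchanged in CI.

```python
import json
import re
import urllib.request
OSV_BATCH = 'https://api.osv.dev/v1/querybatch'
# Constructed sample requirements file (not a real project) to exercise the parser.
SAMPLE_REQUIREMENTS = """\
requests==2.25.0
lodash             # bare name, nothing to match: skipped
flask>=2.0         # version range, not a pin: skipped
pyyaml == 5.3.1 ; python_version < "3.12"
"""
# Constructed stand-in for a querybatch reply; real entries carry GHSA-/PYSEC- ids.
SAMPLE_RESPONSE = {'results': [
    {'vulns': [{'id': 'PLACEHOLDER-VULN-2', 'modified': '2024-01-01T00:00:00Z'},
               {'id': 'PLACEHOLDER-VULN-1', 'modified': '2024-01-01T00:00:00Z'}]},
    {}]}  # second query (pyyaml==5.3.1) returned nothing

def parse_requirements(text):
    """Return (name, version) for exact '==' pins; OSV needs a concrete version."""
    pins = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop trailing comments
        m = re.match(r'^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)', line)
        if m:
            pins.append((m.group(1), m.group(2)))
    return pins

def build_batch_query(pins, ecosystem='PyPI'):
    """One OSV query per pin, all sent in a single /v1/querybatch request."""
    return {'queries': [{'package': {'name': n, 'ecosystem': ecosystem}, 'version': v}
                        for n, v in pins]}

def summarize_batch(pins, response):
    """Map 'name==version' -> sorted vuln ids (results arrive in query order, ids only)."""
    findings = {}
    for (name, version), result in zip(pins, response.get('results', [])):
        ids = sorted(v['id'] for v in result.get('vulns', []))
        if ids:
            findings[f'{name}=={version}'] = ids
    return findings

def audit_requirements(text):
    """Live check: {} means nothing pinned or nothing known-vulnerable."""
    pins = parse_requirements(text)
    if not pins:
        return {}
    req = urllib.request.Request(OSV_BATCH, data=json.dumps(build_batch_query(pins)).encode(),
                                 headers={'Content-Type': 'application/json'})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return summarize_batch(pins, json.load(resp))
```

Because querybatch returns ids only, fetch `/v1/vulns/<id>` for the summary and severity of anything it flags; a non-empty result is the signal to fail the build.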
3. VirusTotal — Scan Files and URLs
The industry standard for malware scanning. Free tier: 4 lookups/min.
```python
import time
import requests

VT_API_KEY = 'your_free_key'  # Get at virustotal.com

def scan_url(url):
    # Submit URL for scanning
    resp = requests.post(
        'https://www.virustotal.com/api/v3/urls',
        headers={'x-apikey': VT_API_KEY},
        data={'url': url},
        timeout=10
    )
    resp.raise_for_status()
    analysis_id = resp.json()['data']['id']
    # Get results: the analysis starts out queued, so poll until it completes
    # (15 s between polls keeps a free key under its 4 lookups/min)
    for _ in range(10):
        result = requests.get(
            f'https://www.virustotal.com/api/v3/analyses/{analysis_id}',
            headers={'x-apikey': VT_API_KEY},
            timeout=10
        )
        result.raise_for_status()
        attributes = result.json()['data']['attributes']
        if attributes['status'] == 'completed':
            break
        time.sleep(15)
    stats = attributes['stats']
    print(f"Malicious: {stats['malicious']} | Clean: {stats['undetected']}")

scan_url('https://example.com')
```
Free key — register at virustotal.com.
4. Shodan InternetDB — Quick IP Lookup
Shodan's free endpoint — no API key needed for basic lookups.
```python
import requests

def check_ip(ip):
    """Get open ports, vulns, and services for any IP"""
    resp = requests.get(f'https://internetdb.shodan.io/{ip}', timeout=10)
    # InternetDB answers 404 for addresses it holds nothing on
    if resp.status_code == 404:
        print(f"IP: {ip} (no information available)")
        return None
    resp.raise_for_status()
    data = resp.json()
    print(f"IP: {data.get('ip')}")
    print(f"Ports: {data.get('ports', [])}")
    print(f"Vulns: {data.get('vulns', [])}")
    print(f"Hostnames: {data.get('hostnames', [])}")
    return data

check_ip('8.8.8.8')  # Google's DNS
```
No key needed for InternetDB endpoint.
5. URLhaus — Check If a URL Is Malicious
Run by abuse.ch. Tracks malware distribution URLs.
```python
import requests

def check_url_malware(url):
    """Look a URL up in URLhaus and report the threat and tags if it is listed"""
    resp = requests.post(
        'https://urlhaus-api.abuse.ch/v1/url/',
        data={'url': url},
        timeout=10
    )
    resp.raise_for_status()
    data = resp.json()
    status = data.get('query_status')
    if status == 'no_results':
        print(f'✅ {url} — not found in malware database')
    else:
        print(f'⚠️ {url} — {data.get("threat", "unknown threat")}')
        print(f'   Tags: {data.get("tags", [])}')
    return data

check_url_malware('https://example.com')
```
Completely free, no key, no limits.
Combine Them: Security Check Script
```python
# Quick security audit in 30 seconds
# (assumes check_package, check_ip and check_url_malware from above are defined in this script)
print("=== Checking dependencies ===")
check_package('PyPI', 'requests', '2.25.0')
check_package('npm', 'lodash', '4.17.19')

print("\n=== Checking IPs ===")
check_ip('203.0.113.1')

print("\n=== Checking URLs ===")
check_url_malware('https://suspicious-site.com')
```
I built Python toolkits for each: github.com/spinov001-art
Which security API do you use in your projects? Would love to hear about tools I'm missing.
Need custom security scanning or data extraction? Check my tools | GitHub