I got tired of manually testing API rate limits, so I built a tool

milad — Sat, 30 May 2026 14:02:35 +0000

So here's the thing.

I was working on an API the other day — just a small internal tool — and I realized I had no idea if it had rate limiting or not. Like, at all.

I sent 200 requests in a loop with a bash script (don't judge me) and... nothing. No 429, no blocking, just happy 200s. My little API was basically begging to get brute-forced.

That's when I thought: there has to be a better way than writing a janky script every single time.

So I built API Security Auditor Pro.

What does it actually do?

It's just a CLI tool. Nothing fancy. You give it a URL, it does three things:

Tests for rate limiting — sends a bunch of requests and checks if you ever get a 429. If not? That's a red flag.
Checks security headers — you know, HSTS, CSP, all those things we forget to add.
Looks for weird stuff — like APIs returning way too much data or missing auth checks.

Nothing revolutionary. Just the boring stuff that actually matters.

Here's why I like it

It's fast. Like, really fast. No heavy setup, no cloud nonsense.
Docker support. Because who wants to install Python dependencies at 2 AM? docker run ... and you're done.
Output formats you can actually use. JSON for scripts, HTML for sending to managers who want "reports".
CI/CD ready. I threw it in a GitHub Action and now it runs every night. Found a staging API with no rate limiting on day 2.

Show me the code already

Fine. Here you go:

# Install it
pip install api-security-auditor-pro

# Test a public API (no rate limiting — oops)
api-auditor test-rate-limit https://jsonplaceholder.typicode.com/users

# Try it on GitHub's API (they actually do it right)
api-auditor test-rate-limit https://api.github.com/users/octocat --requests 100

# Save a report for your boss
api-auditor scan https://your-api.com --output report.json --format json
api-auditor report report.json --output look_how_secure_we_are.html

Real talk — does it work?

I tested it on:

GitHub API → ✅ Has rate limiting (returns 429 like a champ)
JSONPlaceholder → ❌ No rate limiting at all (classic)
A random e-commerce API I found → ❌ No rate limiting AND missing security headers. Yikes.

So yeah. It finds problems.

What's next?

I just released v1.0. It's stable, it works, and I actually use it on my own projects.

Future stuff I'm thinking about:

Authentication support (Bearer tokens, API keys)
GraphQL support
More vulnerability checks (OWASP Top 10 for APIs)

Links (because you're going to ask anyway)

GitHub: miladrezanezhad/api-security-auditor-pro
PyPI: pip install api-security-auditor-pro
Docker: docker pull miladrezanezhad/api-security-auditor-pro

One last thing

If you try it and it breaks — open an issue. If you like it — drop a star. If you have ideas — I'm all ears.

I built this because I needed it. But maybe you do too.

Go audit your APIs. You might be surprised.

— Milad

P.S. The tool won't attack your API. It just sends normal requests and looks at responses. Safe enough for production (but maybe test on staging first, yeah?).

Web Security Analyzer Pro v3.0 — I built 49 security modules, but I need your help

milad — Fri, 15 May 2026 07:54:03 +0000

👇 The honest truth

Three months ago, I started building a web security scanner.

Today, it has:

49 security modules (WordPress, cPanel, SQLi, XSS, SSL, API security, etc.)
Advanced SQL injection detection (error-based, boolean blind, time-based, UNION)
WAF evasion engine (detects 9 WAFs + Cloudflare, Sucuri, ModSecurity)
Built-in CVE database (2024–2026 vulnerabilities with CVSS scores)
HTML, PDF, Markdown, JSON reports
230+ automated tests (99.5% pass rate)

And it's completely free and open source under MIT license.

But here's the part I don't put in the README:

🐛 It's not perfect. And I need help.

This is a one-person project. I've tested it on dozens of targets, but:

Some modules fail on edge cases I haven't seen
The SQLi detector works great on MySQL, less tested on PostgreSQL
DOM XSS detection needs more real-world validation
The evasion engine works against 9 WAFs — but new WAFs appear every week
I'm sure there are bugs I don't even know about

I'm not looking for praise. I'm looking for people who will break this tool and tell me how.

🎯 Who this tool is for

Web developers who want to audit their own sites before deployment
Security researchers who need a free, scriptable scanner
Penetration testers who want a second opinion alongside Burp/ZAP
DevOps engineers who need CI/CD integration (REST API + JSON output)
Students learning web security (the code is open, modules are simple)

What this tool is NOT:

A replacement for Burp Suite Pro or Acunetix
A zero-day finder
An automated hacker machine

It's a free, honest scanner that catches low-hanging fruit and helps you understand your security posture.

🛠️ How you can help

Run it on your sites (with permission — read the LEGAL WARNING first)
Open an issue when it crashes, misses something, or gives a false positive
Send a pull request for a bug fix or new module
Share your test results — even failures help me improve

The code is modular. Adding a new module takes ~50 lines. The Wiki has templates.

📦 Quick start

git clone https://github.com/miladrezanezhad/web-security-scanner-pro.git
cd web-security-scanner-pro
pip install -r requirements.txt
python main.py scan https://your-test-site.com --mode stealth

Or just run python main.py for interactive mode.

⚠️ One more honest thing

I'm a frontend developer who fell into security.

Some modules are better than others. Some code is messy.

But I ship it anyway — because someone else might need it, even if it's not perfect.

Open source isn't about flawless code. It's about building together.

🔗 GitHub: miladrezanezhad/web-security-scanner-pro

#websecurity #opensource #bugbounty #python #infosec #helpneeded

DEV Community: milad