So here's the thing.
I was working on an API the other day — just a small internal tool — and I realized I had no idea if it had rate limiting or not. Like, at all.
I sent 200 requests in a loop with a bash script (don't judge me) and... nothing. No 429, no blocking, just happy 200s. My little API was basically begging to get brute-forced.
That's when I thought: there has to be a better way than writing a janky script every single time.
So I built API Security Auditor Pro.
What does it actually do?
It's just a CLI tool. Nothing fancy. You give it a URL, it does three things:
- Tests for rate limiting — sends a bunch of requests and checks if you ever get a 429. If not? That's a red flag.
- Checks security headers — you know, HSTS, CSP, all those things we forget to add.
- Looks for weird stuff — like APIs returning way too much data or missing auth checks.
Nothing revolutionary. Just the boring stuff that actually matters.
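Here's what the first two checks boil down to, as an added example written for this post rather than code from api-security-auditor-pro itself. The `fake_server` endpoint, the `REQUIRED_HEADERS` list and the 20-request quota are constructed assumptions so it runs offline; `http_sender` only shows how a live request would be plugged in.

```python
# Added example for this post: the rate-limit probe and the header check,
# written from scratch. It is NOT the source of api-security-auditor-pro.
# `fake_server` is a constructed stand-in so the example runs offline;
# `http_sender` shows how a live sender would be wired up with urllib.
from typing import Callable, Dict, List, Tuple
import urllib.error
import urllib.request

Response = Tuple[int, Dict[str, str]]
Sender = Callable[[], Response]
REQUIRED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy",
                    "X-Content-Type-Options", "X-Frame-Options")

def http_sender(url: str) -> Sender:
    """Live GET via urllib; 4xx/5xx responses are returned with their headers."""
    def send() -> Response:
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status, dict(resp.headers.items())
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers.items())
    return send

def fake_server(free_requests: int) -> Sender:
    """Constructed endpoint: 200 until the quota is spent, then 429 + Retry-After."""
    seen = [0]
    def send() -> Response:
        seen[0] += 1
        if seen[0] > free_requests:
            return 429, {"Retry-After": "30"}
        return 200, {"Content-Type": "application/json",
                     "Strict-Transport-Security": "max-age=63072000"}
    return send

def probe_rate_limit(send: Sender, requests: int = 100) -> dict:
    """Send up to `requests` requests; stop at the first 429 and report it."""
    for i in range(1, requests + 1):
        status, headers = send()
        if status == 429:
            return {"rate_limited": True, "first_429_at": i,
                    "retry_after": headers.get("Retry-After")}
    return {"rate_limited": False, "first_429_at": None, "retry_after": None}

def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """List required headers absent from a response (case-insensitive match)."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]
```

Swap `fake_server(20)` for `http_sender("https://your-api.example")` to run the same probe against a real endpoint; a result with `rate_limited` false after 100 requests is the red flag the post is talking about.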
Here's why I like it
- It's fast. Like, really fast. No heavy setup, no cloud nonsense.
- Docker support. Because who wants to install Python dependencies at 2 AM? docker run ...and you're done.
- Output formats you can actually use. JSON for scripts, HTML for sending to managers who want "reports".
- CI/CD ready. I threw it in a GitHub Action and now it runs every night. Found a staging API with no rate limiting on day 2.
Show me the code already
Fine. Here you go:
# Install it
pip install api-security-auditor-pro
# Test a public API (no rate limiting — oops)
api-auditor test-rate-limit https://jsonplaceholder.typicode.com/users
# Try it on GitHub's API (they actually do it right)
api-auditor test-rate-limit https://api.github.com/users/octocat --requests 100
# Save a report for your boss
api-auditor scan https://your-api.com --output report.json --format json
api-auditor report report.json --output look_how_secure_we_are.html
Real talk — does it work?
I tested it on:
- GitHub API → ✅ Has rate limiting (returns 429 like a champ)
- JSONPlaceholder → ❌ No rate limiting at all (classic)
- A random e-commerce API I found → ❌ No rate limiting AND missing security headers. Yikes.
So yeah. It finds problems.
What's next?
I just released v1.0. It's stable, it works, and I actually use it on my own projects.
Future stuff I'm thinking about:
- Authentication support (Bearer tokens, API keys)
- GraphQL support
- More vulnerability checks (OWASP Top 10 for APIs)
Links (because you're going to ask anyway)
- GitHub: miladrezanezhad/api-security-auditor-pro
- PyPI: pip install api-security-auditor-pro
- Docker: docker pull miladrezanezhad/api-security-auditor-pro
One last thing
If you try it and it breaks — open an issue. If you like it — drop a star. If you have ideas — I'm all ears.
I built this because I needed it. But maybe you do too.
Go audit your APIs. You might be surprised.
— Milad
P.S. The tool won't attack your API. It just sends normal requests and looks at responses. Safe enough for production (but maybe test on staging first, yeah?).