
Hello everyone, I'm @xiaoqiangapi, a Chinese teacher who has been teaching Chinese for over a decade.
Yes, that's the one who, because of one sentence from a student, forced himself to build an API gateway from scratch.
In the previous article, I tested the overseas latency speeds of DeepSeek, Zhipu, and MiniMax.
But you will surely have questions:
"Is your API secure?"
"Will the Key leak?"
"Will the data be intercepted by a man-in-the-middle?"
I wasn't in a hurry to answer.
Because I'm not a security expert. I'm just a beginner who has just learned to use Postman, a former Chinese teacher who only started learning API transit at nearly 0 years old.
But I decided to use the stupidest method: test one item at a time and write down the results honestly.
I used only two tools:
- Postman
- Windows' built-in curl
No fancy scanner, no professional security platform. I believe plain tests are more persuasive than pretty ads.
What am I going to test?
A total of 10 tests, divided into four groups:

For every test, I will:
- Take screenshots to keep evidence
- Give a clear conclusion
- Not be careless
Why would a Chinese teacher bother with security tests?
To be honest, I myself am the user who is most concerned about security.
If I were a developer, I would care about three things:
1. If I lose my API Key, can someone else use it?
2. Will my conversation be peeked at during transmission?
3. Will the API crash if someone deliberately inputs malicious code?
These concerns are perfectly reasonable. So I decided to verify them myself, without exaggeration.
My goal is: Even if you are an independent developer who puts your entire business on the API, you can use my service with peace of mind.
Preview of Transcript
When all ten tests are completed, I will publish the full transcript. Preliminary statistics for now:
✅ Fully passed: 9 items
⚠️ Partial pass: 1 item (rate limiting: the platform already has Cloudflare protection, but the API layer itself does not explicitly return a 429 status code)
❌ Failed: 0 items
Overall self-assessment: 9.5/10.
Of course, this is just my self-assessment. I will make all the testing process and screenshots public and welcome every developer to supervise and criticize.
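To show what closing the one partial-pass item would look like, here is an added example of an explicit per-key rate limiter at the API layer that answers 429 with a Retry-After header instead of relying only on Cloudflare. This is illustrative code written for this post, not the gateway's own code, and the limit of 60 requests per minute is an assumption.

```python
import math
import time


class RateLimiter:
    """Token bucket per API key, enforced by the API layer itself.

    Each key gets `capacity` tokens; one request spends one token and
    tokens refill continuously at `refill_per_sec`. When a bucket is empty
    the caller gets 429 plus a Retry-After hint instead of a silent drop.
    """

    def __init__(self, capacity=60, refill_per_sec=60 / 60.0, clock=time.monotonic):
        # capacity / refill_per_sec are assumed values (60 requests per minute)
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock  # injectable so the behaviour can be tested deterministically
        self.buckets = {}   # api_key -> [tokens, last_update_timestamp]

    def check(self, api_key):
        """Return (status_code, headers) the gateway should respond with."""
        now = self.clock()
        bucket = self.buckets.setdefault(api_key, [float(self.capacity), now])
        tokens, updated = bucket
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - updated) * self.refill)
        if tokens >= 1:
            tokens -= 1
            bucket[:] = [tokens, now]
            return 200, {"X-RateLimit-Remaining": str(int(tokens))}
        bucket[:] = [tokens, now]
        # Seconds until one full token is available again, rounded up.
        wait = math.ceil((1 - tokens) / self.refill)
        return 429, {"Retry-After": str(max(1, wait)), "X-RateLimit-Remaining": "0"}


if __name__ == "__main__":
    limiter = RateLimiter(capacity=3, refill_per_sec=1.0)
    for i in range(5):
        print(i + 1, limiter.check("demo-key"))
```

A client that receives 429 can back off for the number of seconds in Retry-After, which is exactly the signal a plain curl test can check for.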
Next preview
Next, I'll post the first set of tests: keyless calls, wrong keys, and empty-message requests, to see whether the API can defend against the most basic "freehand" attacks.
If you have suggestions for my testing methods or would like me to test anything else, please let me know in the comment section.
About Me and my API
I'm a nearly 50-year-old former Chinese teacher who taught himself programming from scratch and is publicly building a Chinese large model API transit service. All the tests in this series are done by my own hands, recorded honestly, without exaggeration or underestimation.
Try my API
After reading this warm-up post, do you think my "non-professional security test" is reliable? Which API security issue do you usually worry about the most? Feel free to let me know in the comment section and I'll adjust the subsequent test items based on the feedback.
Top comments (1)
Not a security expert — just Postman and curl. What's the biggest security risk you'd want tested before trusting a new API? Curious what others worry about.