API Security Demo

Demonstrate unauthenticated, rate-limit-free endpoints vs protected, rate-limited endpoints.

Try this: Click "Fetch Without Auth" — watch it return full user data including SSN
Insecure Endpoint
GET /api/logs

✗ No authentication required

✗ No rate limiting

✗ Full data exposure (SSN, salary)

Secure Endpoint
GET /api/logs

✓ Bearer token required

✓ Rate limit: 3 req / 10s

✓ SSN and salary stripped

Rate Limit Simulator

Fires 6 rapid requests to trigger rate limiting (secure mode)

What's happening

API endpoints expose server resources. Without authentication and rate limiting, any user — or automated bot — can freely access, scrape, or abuse them.

Why it's vulnerable

Unauthenticated APIs can expose sensitive data (PII, financial info) to anyone. Without rate limiting, attackers can brute-force credentials or overwhelm your server with requests (DoS).

How it's fixed

Require a valid auth token (Bearer JWT) for all protected endpoints. Implement rate limiting per IP or user (e.g., express-rate-limit, Redis sliding window). Strip sensitive fields (SSN, salary) from API responses.

Real-world context

In 2021, 700M LinkedIn user records were scraped through an exposed API, and Facebook leaked 533M records. APIs are consistently the #1 attack surface in modern web apps.
