Pricing

Pay per usage

Strapi Security Scanner — Find public collection-type leaks

Probes a public Strapi instance for misconfigured Public role permissions. Detects content-types readable without auth via /api/{collection}. Returns counts + curl reproducer. Counts only.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Renzo Madueno

Actor stats

Bookmarked

Total users

Monthly active users

19 hours ago

Last modified

Why this exists

Strapi exposes every content-type as a REST endpoint at /api/<collection> (v4+) or /<collection> (v3). The thing keeping records private is the Public role's permissions: if find or findOne is checked for a content-type, every visitor can list and read those records — no auth, no API token.

The Strapi admin UI makes it very easy to leave Public permissions on:

Tutorials usually grant Public find to demo content rendering, but the warning to disable later is rarely seen
Adding a new content-type doesn't reset Public — fields from the old configuration carry over
users-permissions/users is the worst offender: the plugin ships with Public find so the login flow can verify a user exists, but most operators never tighten this

This scanner probes ~30 common content-type names (plus any you pass as hints), pluralized both ways. Each one is checked at both v4 and v3 endpoints.

How to run

Either:

Leave inputs empty + click Run for a DEMO sample report (so you can see what a real scan returns)
Provide your strapiUrl to scan your actual instance

{
  "strapiUrl": "https://api.your-domain.com",
  "collectionHints": ["my-secret-content-type", "subscribers-v2"],
  "outputFormat": "both"
}

What you get

HTML report (report.html in the run's key-value store): a self-contained page with letter findings, severity table, copy-pasteable curl reproducers, and the exact Strapi admin steps to fix each one
Dataset rows: one structured row per finding (name, total, severity, sensitiveColumns, reproducer, version)

Sample finding

[CRITICAL] users — readable by Public role
Total records: 4,231
Sample columns: id, username, email, provider, confirmed, blocked, role
Sensitive columns detected: email

Reproducer:
curl 'https://api.your-domain.com/api/users?pagination[limit]=1' -I

How to fix (free, ~5 min)

In your Strapi admin panel:

Go to Settings → Users & Permissions Plugin → Roles → Public
For each leaky content-type, uncheck the find and findOne permissions
Click Save
Re-run this scanner to confirm zero anon-readable content-types

If a content-type should be public (blog posts, product catalog), audit the fields exposed — use the content-type's Privacy settings to hide sensitive columns from Public responses.

Ethical use

Only scan instances you own or have explicit permission to scan
Probe queries use ?pagination[limit]=1 to confirm exposure without exfiltrating contents
Counts are derived from Strapi's pagination metadata, not row reads

Stripe audit ($99 one-time): buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01
Weekly auto-scans ($29/mo): rls-monitor.vercel.app
Sister scanners: Supabase, Firebase, Strapi, Directus, Payload CMS, Convex, Hasura, PocketBase, Appwrite, Nhost.

Built by Renzo.

Cybersecurity Intelligence MCP Server

ryanclinton/cybersecurity-intelligence-mcp

MCP intelligence server for cybersecurity intelligence detection and analysis.

Ryan Clinton

Actor Compliance Scanner — PII, GDPR & TOS Risk Audit

ryanclinton/actor-compliance-scanner

Actor Compliance Scanner. Available on the Apify Store with pay-per-event pricing.

Ryan Clinton

Nuclear Plant Risk Report

ryanclinton/nuclear-plant-risk-report

Generate a comprehensive nuclear facility risk assessment by querying 8 data sources in parallel.

Ryan Clinton

Actor Schema Validator — Verify Output Matches Declared Schema

ryanclinton/actor-schema-validator

Actor Schema Validator. Available on the Apify Store with pay-per-event pricing.

Ryan Clinton

PocketBase Security Scanner — Find public collection leaks

renzomacar/pocketbase-security-scanner

Probes a public PocketBase instance for misconfigured collection rules. Detects collections readable without auth via /api/collections/*/records. Returns counts + curl reproducer. Counts only, no data exfiltrated.

Renzo Madueno

Nhost Security Scanner — Find public Hasura GraphQL leaks

renzomacar/nhost-security-scanner

Probes a public Nhost project's Hasura GraphQL endpoint for tables readable by anon role. Detects the #1 cause of Nhost data leaks: forgotten Hasura permission policies. Returns table-level counts + curl reproducer. Counts only.

Renzo Madueno

Docker Hub Container Images Scraper

parseforge/docker-hub-images-scraper

Search Docker Hub for container images. Returns repository name, owner, full and short description, official/automated/verified flags, star count, total pull count, last updated, available tags. Search by keyword or look up specific images by name with full tag listings.

ParseForge

GitHub Security Advisories Scraper

parseforge/github-security-advisories-scraper

Scrape the GitHub Global Security Advisories database. Filter by type (reviewed/unreviewed/malware), severity, affected package, CVE/GHSA ID, or publish date. Returns CVSS, CWE, affected version ranges, patched versions, references, and credits.

ParseForge

Naukri + Naukrigulf Jobs · India + UAE/Gulf · $0.99💰/1k

memo23/naukri-scraper

💰$0.99/1K Scrape jobs from Naukri.com (India) AND Naukrigulf (UAE/Gulf) in one actor — the only Apify scraper covering both. Search by URL, keyword, location, experience, salary. Rich rows: jobId, company, work mode, education, salary brackets, skills. $1/1k for paying users (BRONZE+). JSON + CSV