# Strapi Security Scanner — Find public collection-type leaks (`renzomacar/strapi-security-scanner`) Actor

Probes a public Strapi instance for misconfigured Public role permissions. Detects content-types readable without auth via /api/{collection}. Returns counts + curl reproducer. Counts only.

- **URL**: https://apify.com/renzomacar/strapi-security-scanner.md
- **Developed by:** [Renzo Madueno](https://apify.com/renzomacar) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly user, 100.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher your subscription plan.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action that can take anywhere from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in a key-value store.
In Standby mode, an Actor provides a web server that can be used as a website, an API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use the official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use the official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# macOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Strapi Security Scanner — Find public collection-type leaks

> **Strapi's Public role permissions are a footgun.** Every Strapi quickstart I've seen leaves `find` and `findOne` enabled on `Users` so the example login flow works — and that exact setting often ships to production unchanged. Anyone with your Strapi URL can list every user's email, role, and metadata. **This actor finds those leaks in 30 seconds.**

Probes a public Strapi instance for **content-types readable by the Public role**. Sends `/api/{collection}?pagination[limit]=1` (v4+) and `/{collection}?_limit=1` (v3) per content-type. Returns table-level counts + a verbatim `curl` reproducer per finding. Counts only — never row data.

> 💸 **Found a leak?** I do turnkey Strapi audits + Public-role hardening for **$99** ([Stripe](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01) — 48h, money-back if nothing actionable). Or **$29/mo** weekly auto-scans at [rls-monitor.vercel.app](https://rls-monitor.vercel.app/).

> ⭐️ **Solo dev competing with bigger Apify publishers.** A [30-second review](https://apify.com/renzomacar/strapi-security-scanner#reviews) is the single thing that lifts ranking. Thank you.

### Why this exists

Strapi exposes every content-type as a REST endpoint at `/api/<collection>` (v4+) or `/<collection>` (v3). The thing keeping records private is the **Public role's permissions**: if `find` or `findOne` is checked for a content-type, every visitor can list and read those records — no auth, no API token.

The Strapi admin UI makes it very easy to leave Public permissions on:
1. **Tutorials usually grant Public `find`** to demo content rendering, but the reminder to disable it later is easy to miss
2. **Adding a new content-type doesn't reset Public** — fields from the old configuration carry over
3. **`users-permissions/users`** is the worst offender: the plugin ships with Public `find` so the login flow can verify a user exists, but most operators never tighten this

This scanner probes ~30 common content-type names (plus any you pass as hints), pluralized both ways. Each one is checked at both v4 and v3 endpoints.

### How to run

Either:
1. **Leave inputs empty** + click **Run** for a DEMO sample report (so you can see what a real scan returns)
2. **Provide your `strapiUrl`** to scan your actual instance

```json
{
  "strapiUrl": "https://api.your-domain.com",
  "collectionHints": ["my-secret-content-type", "subscribers-v2"],
  "outputFormat": "both"
}
```

### What you get

- **HTML report** (`report.html` in the run's key-value store): a self-contained page with letter findings, severity table, copy-pasteable `curl` reproducers, and the exact Strapi admin steps to fix each one
- **Dataset rows**: one structured row per finding (`name`, `total`, `severity`, `sensitiveColumns`, `reproducer`, `version`)

### Sample finding

```
[CRITICAL] users — readable by Public role
Total records: 4,231
Sample columns: id, username, email, provider, confirmed, blocked, role
Sensitive columns detected: email

Reproducer:
curl 'https://api.your-domain.com/api/users?pagination[limit]=1' -I
```

### How to fix (free, ~5 min)

In your Strapi admin panel:

1. Go to **Settings → Users & Permissions Plugin → Roles → Public**
2. For each leaky content-type, **uncheck** the `find` and `findOne` permissions
3. Click **Save**
4. Re-run this scanner to confirm zero anon-readable content-types

If a content-type **should** be public (blog posts, product catalog), audit the **fields** exposed — use the content-type's **Privacy** settings to hide sensitive columns from Public responses.

### Ethical use

- **Only scan instances you own** or have explicit permission to scan
- Probe queries use `?pagination[limit]=1` to confirm exposure without exfiltrating contents
- Counts are derived from Strapi's pagination metadata, not row reads
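As an added example (not the actor's own code), here is how a single probe response can be turned into the finding and count described above, using the response shapes Strapi v4 (`{ data, meta }`) and v3 (a bare array) return. The sensitive-column list and the severity rule are assumptions, and every sample response is constructed rather than captured from a live instance.

```javascript
// Added example, not the actor's own code: classify one probe response from a
// Strapi collection endpoint the way the README describes. The count comes from
// pagination metadata, never from reading rows. All responses are constructed.
// Column names treated as sensitive when they appear in a sample record. The
// README only shows "email" being flagged; the rest of this list is an assumption.
const SENSITIVE_COLUMNS = ['email', 'password', 'resetPasswordToken', 'phone'];

// Strapi v4 wraps a record as { id, attributes: {...} }; v3 returns flat
// objects. Return the column names of one record in either shape.
function columnsOf(record) {
  if (record && typeof record === 'object' && record.attributes) {
    return ['id', ...Object.keys(record.attributes)];
  }
  return Object.keys(record || {});
}

// v4 reports the table size in meta.pagination.total even with limit=1; a bare
// v3 array carries no total, so only a lower bound is known.
function totalFrom(body) {
  const total = Array.isArray(body) ? undefined : body?.meta?.pagination?.total;
  if (typeof total === 'number') return { total, exact: true };
  return { total: Array.isArray(body) ? body.length : 0, exact: false };
}

// Turn (status, parsed JSON body) for one content-type into a finding.
// 401/403 is the desired state: the Public role lacks find/findOne.
// 404 means no content-type exists under that name.
function classifyProbe(name, status, body, version = 'v4') {
  if (status === 401 || status === 403) return { name, exposed: false, reason: 'forbidden' };
  if (status === 404) return { name, exposed: false, reason: 'not-found' };
  if (status !== 200) return { name, exposed: false, reason: `http-${status}` };

  const rows = Array.isArray(body) ? body : Array.isArray(body?.data) ? body.data : [];
  const columns = rows.length ? columnsOf(rows[0]) : [];
  const sensitiveColumns = columns.filter((c) => SENSITIVE_COLUMNS.includes(c));
  const { total, exact } = totalFrom(body);
  // Severity rule assumed from the README's sample: readable is HIGH, readable
  // with sensitive columns is CRITICAL, readable but empty is LOW.
  const severity = sensitiveColumns.length ? 'CRITICAL' : total > 0 ? 'HIGH' : 'LOW';
  const path = version === 'v3' ? `/${name}?_limit=1` : `/api/${name}?pagination[limit]=1`;
  return { name, exposed: true, total, exact, columns, sensitiveColumns, severity, version,
    reproducer: `curl '<STRAPI_URL>${path}' -I` };
}

// Render a finding in the same layout as the README's sample finding.
function renderFinding(f) {
  const count = f.exact ? f.total.toLocaleString('en-US') : `at least ${f.total}`;
  return [
    `[${f.severity}] ${f.name} - readable by Public role`,
    `Total records: ${count}`,
    `Sample columns: ${f.columns.join(', ')}`,
    `Sensitive columns detected: ${f.sensitiveColumns.join(', ') || 'none'}`,
    '',
    'Reproducer:',
    f.reproducer,
  ].join('\n');
}

// Constructed sample responses (no real instance was queried).
const SAMPLES = {
  // v4 collection with Public find enabled; the total comes from meta.pagination
  articles: { status: 200, version: 'v4', body: {
    data: [{ id: 1, attributes: { title: 'Hello', slug: 'hello', publishedAt: '2024-01-01T00:00:00.000Z' } }],
    meta: { pagination: { page: 1, pageSize: 1, pageCount: 4231, total: 4231 } } } },
  // v3-shaped flat array from a users route that is still Public-readable
  users: { status: 200, version: 'v3', body: [
    { id: 1, username: 'alice', email: 'alice@example.com', provider: 'local', confirmed: true, blocked: false },
  ] },
  // Public role correctly denied: this is what a hardened instance returns
  orders: { status: 403, version: 'v4', body: {
    data: null, error: { status: 403, name: 'ForbiddenError', message: 'Forbidden', details: {} } } },
  // No content-type under this name
  invoices: { status: 404, version: 'v4', body: {
    data: null, error: { status: 404, name: 'NotFoundError', message: 'Not Found', details: {} } } },
};

function scanSamples(samples = SAMPLES) {
  return Object.entries(samples).map(([name, s]) => classifyProbe(name, s.status, s.body, s.version));
}

for (const f of scanSamples()) {
  console.log(f.exposed ? renderFinding(f) + '\n' : `[OK] ${f.name}: ${f.reason}`);
}
```

A 403 for every probed name is the target state after the fix steps below; a 200 with `total: 0` still means the permission is granted and will leak as soon as records are added.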

### Related

- **Stripe audit ($99 one-time)**: [buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01](https://buy.stripe.com/00w9AT9TWdaW7yx9KkcAo01)
- **Weekly auto-scans ($29/mo)**: [rls-monitor.vercel.app](https://rls-monitor.vercel.app/)
- **Sister scanners**: [Supabase](https://apify.com/renzomacar/supabase-rls-scanner), [Firebase](https://apify.com/renzomacar/firebase-security-auditor), [Strapi](https://apify.com/renzomacar/strapi-security-scanner), [Directus](https://apify.com/renzomacar/directus-security-scanner), [Payload CMS](https://apify.com/renzomacar/payload-security-scanner), [Convex](https://apify.com/renzomacar/convex-security-scanner), [Hasura](https://apify.com/renzomacar/hasura-security-scanner), [PocketBase](https://apify.com/renzomacar/pocketbase-security-scanner), [Appwrite](https://apify.com/renzomacar/appwrite-security-auditor), [Nhost](https://apify.com/renzomacar/nhost-security-scanner).

Built by [Renzo](https://github.com/Perufitlife).

# Actor input Schema

## `strapiUrl` (type: `string`):

Your Strapi instance URL, e.g. https://api.your-domain.com. Must be publicly reachable. Leave empty + click Run for a sample report.

## `collectionHints` (type: `array`):

Beyond ~30 common collection-type names, list any schema-specific names. Strapi pluralizes them — pass either singular or plural; the scanner tries both.

## `outputFormat` (type: `string`):

JSON for programmatic use; HTML report saved to KV store under report.html.

## Actor input object example

```json
{
  "collectionHints": [],
  "outputFormat": "both"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("renzomacar/strapi-security-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("renzomacar/strapi-security-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call renzomacar/strapi-security-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=renzomacar/strapi-security-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Strapi Security Scanner — Find public collection-type leaks",
        "description": "Probes a public Strapi instance for misconfigured Public role permissions. Detects content-types readable without auth via /api/{collection}. Returns counts + curl reproducer. Counts only.",
        "version": "0.1",
        "x-build-id": "hptjagVqoB8bv3rAY"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/renzomacar~strapi-security-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-renzomacar-strapi-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/renzomacar~strapi-security-scanner/runs": {
            "post": {
                "operationId": "runs-sync-renzomacar-strapi-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/renzomacar~strapi-security-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-renzomacar-strapi-security-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "strapiUrl": {
                        "title": "Strapi Instance URL (leave empty for DEMO)",
                        "type": "string",
                        "description": "Your Strapi instance URL, e.g. https://api.your-domain.com. Must be publicly reachable. Leave empty + click Run for a sample report."
                    },
                    "collectionHints": {
                        "title": "Extra collection-type names to probe (optional)",
                        "type": "array",
                        "description": "Beyond ~30 common collection-type names, list any schema-specific names. Strapi pluralizes them — pass either singular or plural; the scanner tries both.",
                        "default": [],
                        "items": {
                            "type": "string"
                        }
                    },
                    "outputFormat": {
                        "title": "Output format",
                        "enum": [
                            "json",
                            "html-report",
                            "both"
                        ],
                        "type": "string",
                        "description": "JSON for programmatic use; HTML report saved to KV store under report.html.",
                        "default": "both"
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
