🔐

Security & Auth Validator

Run 28 live security checks against your RESO Web API endpoint — TLS version enforcement, OAuth 2.0 token lifecycle, OpenID Connect discovery, HTTP security headers, and endpoint hardening. Find misconfigurations before auditors do.

How It Works

🔐

1. Credentials

Enter your API endpoint and OAuth 2.0 client credentials. Token URL is auto-detected.

🛡️

2. Encrypted Transit

Credentials are XOR-encrypted in your browser, used once for a token request, then permanently discarded.

⚡

3. 28 Live Checks

We probe your live endpoint across 6 security categories: TLS, OAuth, token lifecycle, OIDC, headers, and hardening.

📄

4. Scored Report

Instant security score with pass/fail/warn detail for every check plus a downloadable PDF report.

🔒 TLS & Transport (6)

HTTPS enforced on endpoint
SSL certificate valid & trusted
TLS 1.0 rejected (PCI DSS)
TLS 1.1 rejected (RFC 8996)
TLS 1.2+ accepted
HTTP redirects to HTTPS

🔑 OAuth 2.0 (7)

Token endpoint uses HTTPS
client_credentials grant works
Token type is Bearer
expires_in declared in response
Token lifetime is reasonable
Bad credentials → safe error
Empty credentials rejected

🎫 Token Lifecycle (5)

Token accepted by API
Invalid token → 401 (not 500)
WWW-Authenticate on 401
Unauthenticated request rejected
No "Bearer" prefix rejected

🌐 OpenID Connect (5)

Discovery document present
Issuer matches endpoint
JWKS endpoint accessible
client_credentials advertised
Issuer uses HTTPS

🛡️ Security Headers (5)

HSTS (max-age ≥ 1 year)
X-Content-Type-Options: nosniff
Clickjacking protection
Content-Security-Policy
Referrer-Policy

🔧 Endpoint Hardening (5)

Server version not disclosed
CORS policy is restricted
404 error is clean (no leaks)
Rate limiting headers present
API response Content-Type correct

Checks align with NIST SP 800-52r2 (TLS guidance), RFC 6749 (OAuth 2.0), RFC 6750 (Bearer tokens), RFC 8996 (TLS 1.0/1.1 deprecation), and OWASP API Security Top 10. This is not a penetration test — it is a configuration audit of publicly observable security posture.

1 Your Contact Info

Your Name Required

Work Email Required

Your PDF report will be sent here

Organization Required

Organization Type Required

2 API Endpoint & Credentials

RESO Web API Base URL Required

The base URL of your RESO Web API OData endpoint

Client ID Required

Client Secret Required

OAuth Token URL Required

Leave blank — we auto-detect from 6 common patterns including OIDC discovery

MLS / System Name Optional

Used for labelling your report

🔒 Your Client ID and Secret are XOR-encrypted in your browser before transmission. On the server they are used only to obtain one OAuth token, then immediately overwritten in memory. They are never logged, stored, or transmitted elsewhere. Credentials travel over TLS only.

Initialising…0%

🔒 Testing TLS versions and certificate

🔑 Probing OAuth token endpoint

🎫 Testing token lifecycle & error handling

🌐 Checking OpenID Connect discovery

🛡️ Scanning security response headers

🔧 Testing endpoint hardening posture

📊 Scoring and building report

Security & Auth Score

—