How GovernAPI scores APIs
Every score GovernAPI assigns can be traced to a documented penalty value and a published standard. This page documents the algorithm in full, so you can verify the math yourself. Numbers below are pulled directly from the source code; if you find a discrepancy between this page and the scanner's behaviour, email admin@governapi.com.
The score model
Every scan starts at a perfect score of 100. Each finding subtracts its documented penalty value from the score. Multiple findings stack additively; the score is then floored at 0 (it can't go below).
The final numeric score is mapped to a letter grade using the Mozilla HTTP Observatory 13-grade scale (table below). The algorithm lives in getLetterGrade() and calcImpactPoints() in src/utils/score-utils.ts.
The 13-grade scale
| Grade | Score range |
|---|---|
| A+ | 100+ |
| A | 90 – 99 |
| A- | 85 – 89 |
| B+ | 80 – 84 |
| B | 70 – 79 |
| B- | 65 – 69 |
| C+ | 60 – 64 |
| C | 50 – 59 |
| C- | 45 – 49 |
| D+ | 40 – 44 |
| D | 30 – 39 |
| D- | 25 – 29 |
| F | 0 – 24 |
Source: Mozilla HTTP Observatory — scoring.md. The Observatory's "100+" band exists because it awards bonus points; GovernAPI only ever subtracts, so a score of 100 (and an A+) means a scan with no scoring findings at all.
42 finding categories
Each row is one finding the scanner can emit, with the penalty GovernAPI subtracts when it fires. Three additional groups (PII patterns, BOLA shapes, LLM cost) emit titles computed at runtime — they're listed in the next subsection.
Findings without an explicit penalty in IMPACT_MAP fall back to severity-based scoring per SEVERITY_POINTS. These rows are marked severity fallback.
Transport & CORS
| Finding | Severity | Penalty |
|---|---|---|
| HTTP Instead of HTTPS | CRITICAL | −30 |
| CORS allows credentials from any origin | CRITICAL | −50 |
| CORS reflects any origin and allows credentials | CRITICAL | −50 |
| CORS allows all origins (standard for public APIs) | INFO | 0 (info) |
| CORS reflects any origin (no credentials) | INFO | 0 (info) |
Security headers
| Finding | Severity | Penalty |
|---|---|---|
| HTTP Strict Transport Security Not Enabled | HIGH | −20 |
| HSTS max-age below recommended 6 months | MEDIUM | −10 |
| MIME Sniffing Not Prevented | LOW | −5 |
| No Content Security Policy (web pages only) | HIGH | −25 |
| Content Security Policy in report-only mode (not enforced) | LOW | −5 |
| Clickjacking Protection Missing (web pages only) | HIGH | −20 |
| Missing Referrer Policy (web pages only) | INFO | 0 (info) |
| Missing Permissions Policy (web pages only) | INFO | 0 (info) |
Rate limiting
| Finding | Severity | Penalty |
|---|---|---|
| No Rate Limiting Detected | MEDIUM | −5 |
| No Rate Limiting on Public Endpoint | INFO | 0 (info) |
| Could not verify rate limiting | INFO | 0 (info) |
Information disclosure
| Finding | Severity | Penalty |
|---|---|---|
| Server Version Disclosure | LOW | −5 |
| Technology Stack Disclosure | LOW | −5 |
| Verbose Error Response Leaks Internal Details | LOW | −8 |
| Authentication Error Response Reveals Internal Details | LOW | −3 |
| Missing Request Tracking Headers | INFO | severity fallback (0) |
API surface coverage
| Finding | Severity | Penalty |
|---|---|---|
| robots.txt discloses sensitive paths | LOW | −5 |
| JavaScript source map publicly exposed | MEDIUM | −8 |
| API Specification Publicly Exposed | LOW | −8 |
| GraphQL Introspection Enabled | MEDIUM | −10 |
| Admin Panel Accessible Without Authentication | HIGH | severity fallback (15) |
Cookies
| Finding | Severity | Penalty |
|---|---|---|
| Cookie Missing Secure Flag | MEDIUM | −5 |
| Cookie Missing HttpOnly Flag | MEDIUM | −5 |
| Cookie Missing SameSite Attribute | LOW | severity fallback (2) |
Serious vulnerabilities
| Finding | Severity | Penalty |
|---|---|---|
| Potential SQL Injection Vulnerability | CRITICAL | −40 |
| OS Command Injection Vulnerability | CRITICAL | −40 |
| Directory Traversal Vulnerability | CRITICAL | −40 |
| Reflected XSS Vulnerability Detected | HIGH | −20 |
| JWT `none` Algorithm Accepted | CRITICAL | −40 |
Authentication
| Finding | Severity | Penalty |
|---|---|---|
| Endpoint Accessible Without Authentication | INFO | 0 (info) |
AI / LLM governance
| Finding | Severity | Penalty |
|---|---|---|
| AI Endpoint Accepts Prompt Injection | HIGH | −15 |
| AI Endpoint Leaks System Prompt | MEDIUM | −8 |
| AI Endpoint Leaks Personal Information | HIGH | −15 |
| AI Endpoint Accepts Role Escalation | HIGH | −15 |
| AI Endpoint Leaks Database Information | CRITICAL | −40 |
| LLM Endpoint Accepts Unbounded Input | MEDIUM | −8 |
| LLM Endpoint Reflects Unescaped Active Content | HIGH | −15 |
Additional dynamic-title finding groups
These categories emit findings with runtime-computed titles (e.g. “Credit Card Number Exposed (3 unique)”) so they don't appear as static title strings in the table above. They're counted separately in the scanner — total coverage is broader than the 42 static categories.
PII / credential detection
Penalty: −3 to −30. 15 pattern-matched categories scanned in 2xx response bodies, with documentation-proximity filtering and Luhn validation for cards.
- Credit Card Number Exposed (Luhn-validated, 30 pts)
- AWS / Stripe / GitHub / Slack secret keys (30 pts each)
- JWT tokens, Twilio creds, ICD-10 codes (8–15 pts)
- SSN, Medical Record Number (30 pts)
- Internal IPs, hostnames, email addresses (3 pts)
- Phone numbers (5 pts), API keys in body (15 pts)
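The card-number path described above (pattern match in a 2xx body, Luhn validation, documentation-proximity filtering, de-duplication into a runtime-computed title), as an added TypeScript example. This is illustration code written for this page, not GovernAPI's scanner: the response body is constructed, the 13–19 digit pattern, the documentation word list and the 40-character proximity window are assumptions about how the filter is implemented, and the masking of matched numbers is a design choice of this example.

```typescript
// Added example, not GovernAPI's code. Finds Luhn-valid card numbers in a
// 2xx response body, drops matches that sit next to documentation wording,
// and de-duplicates them into one "Credit Card Number Exposed (N unique)"
// finding carrying the 30-point penalty from the PII table.

// 13 to 19 digits, optionally separated by single spaces or dashes, not
// embedded in a longer digit run. Group 1 is the non-digit lead-in (or start).
const CARD_CANDIDATE = /(^|\D)(\d(?:[ -]?\d){12,18})(?!\d)/g;

// Assumed documentation-proximity rule: a match within DOC_WINDOW characters
// of one of these words is treated as sample data rather than a live record.
const DOC_WORDS = /\b(?:example|sample|test|dummy|placeholder)\b/i;
const DOC_WINDOW = 40;

// Luhn mod-10 check over a string of ASCII digits.
function luhnValid(digits: string): boolean {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Keep first six and last four so the finding does not re-leak the PAN.
function maskPan(digits: string): string {
  const stars = new Array(digits.length - 10 + 1).join("*");
  return digits.slice(0, 6) + stars + digits.slice(-4);
}

interface CardExposure {
  title: string;    // runtime-computed title, as in the scanner's PII group
  penalty: number;  // 30, per the PII table above
  cards: string[];  // masked unique PANs, in order of first appearance
}

function findExposedCards(body: string, status: number): CardExposure | null {
  if (status < 200 || status >= 300) return null; // only 2xx bodies are scanned
  const seen: Record<string, boolean> = {};
  const cards: string[] = [];
  const re = new RegExp(CARD_CANDIDATE.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) {
    const raw = m[2];
    const digits = raw.replace(/[ -]/g, "");
    if (!luhnValid(digits)) continue;
    const start = m.index + m[1].length;
    const context = body.slice(Math.max(0, start - DOC_WINDOW), start + raw.length + DOC_WINDOW);
    if (DOC_WORDS.test(context)) continue; // documentation, not a leak
    if (seen[digits]) continue;            // same PAN, different formatting
    seen[digits] = true;
    cards.push(maskPan(digits));
  }
  if (cards.length === 0) return null;
  return {
    title: "Credit Card Number Exposed (" + cards.length + " unique)",
    penalty: 30,
    cards: cards,
  };
}

// Constructed response body: two real (Luhn-valid) PANs, one repeated with
// different separators, one that fails Luhn, and one documented placeholder.
const sampleBody = JSON.stringify({
  customer: "c-8812",
  cards: [
    { pan: "4111 1111 1111 1111", exp: "09/27" },
    { pan: "4111-1111-1111-1111", exp: "09/27" },
    { pan: "5500 0000 0000 0004", exp: "01/28" },
    { pan: "1234 5678 9012 3456", exp: "01/28" },
  ],
  note: "example card 4242 4242 4242 4242 is a placeholder in the docs",
});

console.log(findExposedCards(sampleBody, 200)); // 2 unique: 411111******1111, 550000******0004
```

Luhn validation is what keeps order numbers and timestamps out of the finding; the proximity filter is the lossy part, since a real PAN that happens to sit near the word "example" is dropped, which is the trade-off the page's "documentation-proximity filtering" implies.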
BOLA exposure detection
Penalty: 0 or −25. URL-shape heuristic plus an optional sibling-ID enumeration probe (GET-only, max 2 probes, 5 s timeout).
- BOLA URL Pattern (INFO, 0 pts)
- BOLA Sequential ID Enumeration (HIGH or CRITICAL, 25 pts)
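The two-stage check above (URL-shape heuristic, then a bounded sibling-ID probe), as an added TypeScript example. It is not the scanner's code: it runs against a constructed in-memory API so it works offline, it probes id−1 and id+1 and treats a distinct 200 body as evidence of enumeration (both assumptions), and it does not model the 5 s timeout or the page's HIGH/CRITICAL split, which the page does not define.

```typescript
// Added example, not GovernAPI's code. Stage 1: does the URL end in a numeric
// ID segment ("BOLA URL Pattern", INFO)? Stage 2: fetch at most two sibling
// IDs with GET and see whether a different resource comes back.

interface ProbeResponse {
  status: number;
  body: string;
}
type HttpGet = (url: string) => ProbeResponse;

// Last digits-only path segment, optionally followed by more path or a query.
const NUMERIC_ID_SEGMENT = /^(.*\/)(\d+)([\/?].*)?$/;

interface BolaResult {
  urlPattern: boolean;  // shape heuristic fired
  probed: string[];     // sibling URLs actually requested (GET only)
  enumerated: string[]; // siblings that returned a distinct, non-empty 200 body
}

function probeBola(url: string, baseline: ProbeResponse, httpGet: HttpGet, maxProbes: number = 2): BolaResult {
  const m = NUMERIC_ID_SEGMENT.exec(url);
  if (m === null) return { urlPattern: false, probed: [], enumerated: [] };
  const id = parseInt(m[2], 10);
  // Assumed sibling choice: the adjacent IDs on either side, never negative.
  const siblings = [id - 1, id + 1].filter(function (n) { return n >= 0; });
  const probed: string[] = [];
  const enumerated: string[] = [];
  for (let i = 0; i < siblings.length && probed.length < maxProbes; i++) {
    const target = m[1] + siblings[i] + (m[3] || "");
    const res = httpGet(target); // GET only: the probe must not mutate state
    probed.push(target);
    if (res.status === 200 && res.body.length > 0 && res.body !== baseline.body) {
      enumerated.push(target);
    }
  }
  return { urlPattern: true, probed: probed, enumerated: enumerated };
}

// Constructed backend data: three customer records.
const records: Record<string, string> = {
  "1041": '{"id":1041,"email":"ana@example.test"}',
  "1042": '{"id":1042,"email":"bo@example.test"}',
  "1043": '{"id":1043,"email":"cy@example.test"}',
};

function idFromUrl(url: string): string {
  const m = NUMERIC_ID_SEGMENT.exec(url);
  return m ? m[2] : "";
}

// Vulnerable API: any caller can read any record.
function vulnerableGet(url: string): ProbeResponse {
  const id = idFromUrl(url);
  return records[id] ? { status: 200, body: records[id] } : { status: 404, body: "" };
}

// Hardened API: the scanning identity owns only record 1042.
const OWNED_ID = "1042";
function hardenedGet(url: string): ProbeResponse {
  const id = idFromUrl(url);
  if (id !== OWNED_ID) return { status: 403, body: '{"error":"forbidden"}' };
  return { status: 200, body: records[id] };
}

const targetUrl = "https://api.example.test/v1/customers/1042";
const vulnerableResult = probeBola(targetUrl, vulnerableGet(targetUrl), vulnerableGet);
const hardenedResult = probeBola(targetUrl, hardenedGet(targetUrl), hardenedGet);
console.log(vulnerableResult.enumerated.length, hardenedResult.enumerated.length); // 2 0
```

The small, GET-only budget is what makes this safe to run against production: two reads of neighbouring IDs cannot change state, but they also cannot prove an authorization bug (the siblings might be legitimately public), which is why the result is a finding to triage rather than a confirmed BOLA.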
LLM cost amplification
Penalty: −15. Sends progressively larger prompts (max 3 probes, 8 s timeout) and detects super-linear output scaling. Requires Chunk 7's LLM endpoint detection.
- LLM Cost Amplification (MEDIUM/HIGH/CRITICAL, 15 pts)
6 compliance frameworks
Findings are mapped to controls in each framework. Mapping logic lives in src/lib/compliance-mapper.ts. Names and descriptions below are taken verbatim from the code; the OWASP LLM Top 10 description includes a canonical reference URL.
OWASP API Security Top 10
Category: API Security. Industry standard for API security risks.
OWASP Top 10 for Large Language Model Applications
Category: AI / LLM Security. Industry standard for LLM and generative-AI application risks. Reference: owasp.org/www-project-top-10-for-large-language-model-applications
PCI DSS v4.0
Category: Payment Security. Required for any API handling payment card data.
SOC 2 Type II
Category: Trust Services. Security controls for SaaS and cloud service providers.
GDPR Article 32
Category: Data Privacy. EU data protection requirements for APIs handling personal data.
HIPAA Security Rule
Category: Healthcare. Required for APIs handling protected health information (PHI).
Severity dispatch (fallback)
When a finding doesn't match a key in IMPACT_MAP (exact or substring), the score falls back to a severity-based estimate. The fallback values are CVSS-informed and live in SEVERITY_POINTS in src/utils/score-utils.ts.
| Severity | Fallback penalty |
|---|---|
| CRITICAL | −30 |
| HIGH | −15 |
| MEDIUM | −5 |
| LOW | −2 |
| INFO | 0 (info) |
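The complete scoring path, as an added TypeScript example: start at 100, resolve each finding's penalty through IMPACT_MAP (exact key, then substring) with a fall-through to SEVERITY_POINTS, subtract additively, floor at 0, and map the result onto the 13-grade scale from the table near the top of this page. This is a reconstruction written for this page, not the code in src/utils/score-utils.ts: the function names differ from getLetterGrade() and calcImpactPoints(), IMPACT_MAP below is a subset of the published tables, and the rule that a static key must appear inside the finding title (rather than the reverse) is an assumption about how the substring match works.

```typescript
// Added example, not GovernAPI's code: the score model and grade mapping
// described on this page, with a subset of the published penalties.

type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO";

interface Finding {
  title: string;
  severity: Severity;
}

// Static penalties copied from the finding tables above (subset).
const IMPACT_MAP: Record<string, number> = {
  "HTTP Instead of HTTPS": 30,
  "CORS allows credentials from any origin": 50,
  "HTTP Strict Transport Security Not Enabled": 20,
  "MIME Sniffing Not Prevented": 5,
  "Potential SQL Injection Vulnerability": 40,
  "JWT `none` Algorithm Accepted": 40,
  "Credit Card Number Exposed": 30,
  "BOLA Sequential ID Enumeration": 25,
};

// Severity fallback, from the table above.
const SEVERITY_POINTS: Record<Severity, number> = {
  CRITICAL: 30,
  HIGH: 15,
  MEDIUM: 5,
  LOW: 2,
  INFO: 0,
};

// Inclusive lower bound of each grade band, highest first (Observatory scale).
const GRADE_FLOORS: Array<[number, string]> = [
  [100, "A+"], [90, "A"], [85, "A-"], [80, "B+"], [70, "B"], [65, "B-"],
  [60, "C+"], [50, "C"], [45, "C-"], [40, "D+"], [30, "D"], [25, "D-"], [0, "F"],
];

function hasKey(obj: object, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

// Penalty for one finding: exact key, then substring key, then severity fallback.
function penaltyFor(finding: Finding): number {
  if (hasKey(IMPACT_MAP, finding.title)) {
    return IMPACT_MAP[finding.title];
  }
  // Substring pass (assumed direction: key inside title) lets runtime titles
  // such as "Credit Card Number Exposed (3 unique)" resolve to their static key.
  const keys = Object.keys(IMPACT_MAP);
  for (let i = 0; i < keys.length; i++) {
    if (finding.title.indexOf(keys[i]) !== -1) {
      return IMPACT_MAP[keys[i]];
    }
  }
  return SEVERITY_POINTS[finding.severity];
}

// Start at 100, subtract every penalty additively, never go below 0.
function scoreScan(findings: Finding[]): number {
  let total = 0;
  for (let i = 0; i < findings.length; i++) {
    total += penaltyFor(findings[i]);
  }
  return Math.max(0, 100 - total);
}

// Map a numeric score onto the 13-grade scale.
function gradeForScore(score: number): string {
  for (let i = 0; i < GRADE_FLOORS.length; i++) {
    if (score >= GRADE_FLOORS[i][0]) {
      return GRADE_FLOORS[i][1];
    }
  }
  return "F";
}

// Constructed scan output exercising each lookup path.
const sampleScan: Finding[] = [
  { title: "HTTP Strict Transport Security Not Enabled", severity: "HIGH" },    // exact: 20
  { title: "MIME Sniffing Not Prevented", severity: "LOW" },                   // exact: 5
  { title: "Credit Card Number Exposed (3 unique)", severity: "CRITICAL" },     // substring: 30
  { title: "Admin Panel Accessible Without Authentication", severity: "HIGH" }, // fallback: 15
  { title: "Missing Request Tracking Headers", severity: "INFO" },             // fallback: 0
];

const sampleScore = scoreScan(sampleScan);
console.log(sampleScore, gradeForScore(sampleScore)); // 30 D
```

Two things the worked numbers make visible. Because nothing ever adds points, the only way to reach 100 (and A+) is a scan with no scoring findings. And the exact-match pass has to run before the substring pass: if one key were a substring of another, a substring-first lookup could silently assign the wrong penalty, so the lookup order is part of the contract, not an optimisation.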
What GovernAPI does NOT test (honest scope)
Where the product is honest about its limits, customers can plan their security posture realistically. GovernAPI is an external, point-in-time scanner. It does not replace these tools or practices:
- Does not inspect live API traffic: no SDK, no runtime agent, no in-process instrumentation.
- Does not perform source code analysis (SAST). Use tools like Semgrep, CodeQL, or SonarQube for that.
- Does not scan dependencies for known CVEs (SCA). Use Snyk, Dependabot, or OSV-Scanner.
- Does not test authentication logic beyond endpoint-level reachability checks. Penetration testing remains necessary for auth-flow validation.
- Does not perform full fuzzing or exhaustive injection testing. Findings are heuristic and indicate which endpoints warrant deeper review.
- Findings are point-in-time at scan execution. The score reflects what was true at the moment of the scan, not necessarily what is true now.