
A 50-Year-Old Teacher's API Security Test: 10 Tests with Postman, 9.5 Passed
Chinese teacher → indie maker. Providing AI API access (DeepSeek, Zhipu, MiniMax), learning in public. #buildinpublic

Hello everyone, I'm @xiaoqiangapi, a Chinese teacher who has been teaching Chinese for over a decade.

Yes, the one who, because of a single remark from a student, forced himself to build an API gateway from scratch.

In the previous article, I tested the overseas latency of DeepSeek, Zhipu, and MiniMax. You can read it here: Three Chinese LLMs Overseas Latency Tests. But you will surely have questions:

"Is your API secure?" "Will the Key leak?" "Will the data be intercepted by a man-in-the-middle?"

I wasn't in a hurry to answer.

Because I'm not a security expert. I'm just a beginner who has only just learned to use Postman, a former Chinese teacher who started learning about APIs at age 50.

But I decided to use the stupidest method: test one item at a time and write down the results honestly.


I used only two tools:

No fancy scanner, no professional security platform. I believe plain tests are more persuasive than pretty ads.


What am I going to test?

A total of 10 tests, divided into four groups:

| Group | Test items | What it verifies |
|---|---|---|
| Group 1 | No Key, wrong Key, empty request | Can it guard against "free access"? |
| Group 2 | SQL injection, XSS, prompt hijacking | Can it defend against malicious attacks? |
| Group 3 | Rate limiting, extra-long input, special characters | Will the service be knocked down? |
| Group 4 | HTTPS/TLS encryption | Can data in transit be peeked at? |

For every test, I will:

  • Take screenshots as evidence
  • Give a clear conclusion
  • Not cut any corners

Why would a Chinese teacher bother with security tests?

To be honest, I myself am the user who is most concerned about security.

If I were a developer, I would care about three things:

  1. If I lose my API Key, can someone else use it?
  2. Will my conversation be peeked at during transmission?
  3. Will the API crash if someone deliberately inputs malicious code?

These concerns are perfectly reasonable. So I decided to verify them myself, without exaggeration.

My goal is: Even if you are an independent developer who puts your entire business on the API, you can use my service with peace of mind.


Preview of the Transcript

When all ten tests are completed, I will publish the full transcript. Preliminary statistics for now:

  • ✅ Completely passed: 9 items
  • ⚠️ Half pass: 1 (Rate limiting — the platform already has Cloudflare protection, but the API layer does not explicitly return a 429 status code)
  • ❌ Failed: 0.5

Overall self-assessment: 9.5/10.

Of course, this is just my self-assessment. I will make all the testing process and screenshots public and welcome every developer to supervise and criticize.
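To make the test plan concrete, here is an added Python example (mine, not the author's code or gateway): a minimal in-process stand-in for the API layer that behaves the way the table above expects, including the explicit 429 with a Retry-After header that the rate-limiting half-pass notes was missing, plus a function that replays the Group 1 cases and a request burst against it. The key, limit and window are constructed values, and `Gateway`/`run_test_plan` are hypothetical names.

```python
import math
import time
from dataclasses import dataclass, field
from typing import Callable

VALID_KEYS = {"sk-constructed-key-001"}  # constructed sample key, not a real credential
RATE_LIMIT = 3      # requests per key per window (constructed, deliberately low)
WINDOW_S = 60.0     # sliding window length in seconds (constructed)


@dataclass
class Gateway:
    """In-process stand-in for the API layer; handle() mimics one chat request."""
    now: Callable[[], float] = time.monotonic
    hits: dict = field(default_factory=dict)  # api key -> timestamps of counted requests

    def handle(self, headers: dict, body) -> tuple:
        """Return (status, response headers, payload)."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or auth[7:] not in VALID_KEYS:
            return 401, {}, {"error": "missing or invalid api key"}  # Group 1: no key / wrong key
        key = auth[7:]
        # Group 3: every authenticated request counts; refusal is an explicit 429, not a silent drop
        t = self.now()
        recent = [s for s in self.hits.get(key, []) if t - s < WINDOW_S]
        if len(recent) >= RATE_LIMIT:
            self.hits[key] = recent
            retry_after = max(1, math.ceil(WINDOW_S - (t - recent[0])))
            return 429, {"Retry-After": str(retry_after)}, {"error": "rate limit exceeded"}
        self.hits[key] = recent + [t]
        # Group 1: an empty request is rejected with 400 instead of being forwarded upstream
        msgs = body.get("messages") if isinstance(body, dict) else None
        if not msgs or not all(isinstance(m, dict) and m.get("content") for m in msgs):
            return 400, {}, {"error": "messages must be a non-empty list"}
        return 200, {}, {"choices": [{"message": {"role": "assistant", "content": "ok"}}]}


def run_test_plan(gw: Gateway, key: str = "sk-constructed-key-001") -> dict:
    """Replay the Group 1 cases plus a burst for the rate limit; return observed results."""
    good = {"messages": [{"role": "user", "content": "hello"}]}
    bearer = {"Authorization": f"Bearer {key}"}
    results = {
        "no_key": gw.handle({}, good)[0],
        "wrong_key": gw.handle({"Authorization": "Bearer sk-wrong"}, good)[0],
        "empty_request": gw.handle(bearer, {"messages": []})[0],
    }
    burst = [gw.handle(bearer, good) for _ in range(RATE_LIMIT + 1)]
    results["burst"] = [status for status, _, _ in burst]
    results["retry_after"] = burst[-1][1].get("Retry-After")
    return results
```

Pointing the same checks at a real endpoint only means swapping `gw.handle` for an HTTP call and reading the status code and Retry-After header from the response.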


Next preview

Next, I'll post the first set of tests: keyless calls, wrong keys, and empty-message requests — to see whether the API can defend against the most basic "freehand" attacks.

If you have suggestions for my testing methods or would like me to test anything else, please let me know in the comment section.


About Me and My API

I'm a nearly 50-year-old former Chinese teacher who taught himself programming from scratch and is publicly building a Chinese LLM API relay service. All the tests in this series are done by my own hands and recorded honestly, with neither exaggeration nor understatement.

Learn more or try my API


After reading this preview, do you think my "non-professional security test" is reliable? Which API security issue do you usually worry about the most? Let me know in the comment section and I'll adjust the subsequent test items based on your feedback.
