AI Tools for Backend Developers

AI tools that help backend developers scan for CVEs, design APIs, optimize database queries, audit security, and research architecture patterns.

Get started for free

Works in Chat, Cowork and Code


Dependency CVE scanning

Check every package in your lockfile against the full CVE catalog before deployments. Surface high-severity vulnerabilities in transitive dependencies, not just direct ones, so you can patch or pin before going live.

Check these packages for CVEs: express@4.18.2, jsonwebtoken@8.5.1, multer@1.4.4, axios@0.21.1. Flag anything CVSS 7+.

Found 2 critical: jsonwebtoken@8.5.1 — CVE-2022-23529 (CVSS 9.8) allows auth bypass via malformed token. axios@0.21.1 — CVE-2023-45857 (CVSS 8.8) SSRF via redirects. Express and multer: clean. Upgrade jsonwebtoken to 9.x and axios to 1.6.x immediately.

ToolRouter search_cves result:
- jsonwebtoken@8.5.1: CVE-2022-23529 · CVSS 9.8 — auth bypass via malformed token
- axios@0.21.1: CVE-2023-45857 · CVSS 8.8 — SSRF via redirects
- express@4.18.2: no known CVEs
- multer@1.4.4: no known CVEs

API endpoint security scanning

Black-box scan your API for OWASP Top 10 vulnerabilities — missing authentication, exposed stack traces, injection vectors, and insecure CORS headers. Find gaps before attackers do.

Security-scan https://api.myapp.com. Check for auth bypass on /admin routes, SQL injection on /users?search=, and whether stack traces leak in 500 errors.

3 findings: HIGH — /admin/users returns 200 without Authorization header (missing auth middleware). HIGH — /users?search= reflects input unsanitized in error response. MEDIUM — X-Content-Type-Options and X-Frame-Options headers absent on all routes. No SQLi found in parameterized queries.

ToolRouter scan_url result:
- /admin/users: returns 200 without Authorization header
- /users?search=: input reflected unsanitized in error response
- Security headers: X-Content-Type-Options, X-Frame-Options absent
- SQL injection: no injection found

ToolRouter pentest_web result:
- Auth bypass /admin: confirmed — no middleware on admin router
- XSS in error message: reflected XSS confirmed via search param
- CSRF protection: SameSite cookie flag present on session cookies

Framework and ORM documentation lookup

Fetch version-specific docs for your backend stack without wading through outdated Stack Overflow answers. Get exact API signatures, migration guides, and code examples for the version you are actually running.

Show me the Fastify v4 route handler TypeScript types and how to correctly type request.body with a Zod schema plugin.

In Fastify v4, use RouteHandler<{ Body: z.infer<typeof mySchema> }> as the generic. With @fastify/type-provider-zod, pass zodTypeProvider() to withTypeProvider(). Route body is then fully typed — no casting needed. Full example with error handling included.

ToolRouter fetch_docs result:
- RouteHandler generic: RouteHandler<{ Body: z.infer<typeof schema> }>
- Type provider setup: withTypeProvider().register(zodTypeProvider())
- Body inference: request.body fully typed — no casting required
- Error handler: setErrorHandler receives FastifyError with typed context

Architecture and database research

Compare databases, message queues, and architectural patterns with data-backed research before making decisions that will outlast the sprint. Save hours of Googling for a synthesis across blog posts, benchmarks, and docs.

We have 500M rows in Postgres and are hitting write throughput limits at 50K writes/sec. Compare Postgres partitioning, CockroachDB, and YugabyteDB for our workload.

Postgres partitioning: works to ~100K writes/sec with proper indexing, zero migration cost but no auto-sharding. CockroachDB: 250K+ writes/sec in multi-region, 2x query latency for point reads. YugabyteDB: Postgres-compatible API, better for existing ORM code. Recommend CockroachDB if you need multi-region strong consistency; Postgres partitioning first if single-region.

Service architecture diagrams

Generate sequence diagrams, ERDs, and system architecture flowcharts from a description. Share precise technical diagrams in RFCs and ADRs without spending half a day in a diagramming tool.

Create a sequence diagram for our payment processing flow: client → API → payment-service → Stripe API → webhook → order-service → database write.

Generated PlantUML sequence diagram with 7 actors. Async webhook path shown with dashed arrow. Retry logic on Stripe failure annotated with loop block. Database write and order-service notification shown as parallel alt frames.

Supply chain and open-source package risk audit

Check npm packages for supply chain risks: abandoned maintainers, suspicious recent releases, malicious dependency injections, and license compliance issues before adding them to production.

Audit these packages for supply chain risk before we add them: got@14, node-fetch@3.3.2, undici@6.6.2.

got@14: clean, actively maintained by Sindre Sorhus. node-fetch@3.3.2: clean, 2 open moderate CVEs in older versions — you're on latest. undici@6.6.2: clean, maintained by Node.js core team. No supply chain anomalies detected.

ToolRouter audit_packages result:
- got@14: clean · actively maintained by Sindre Sorhus · 0 advisories
- node-fetch@3.3.2: clean · 2 moderate CVEs in v2.x only — not affected on v3
- undici@6.6.2: clean · maintained by Node.js core team · no supply chain anomalies

Ready-to-use prompts

Scan dependencies for CVEs

Check these npm packages for known CVEs and flag anything with CVSS score 7 or higher: express@4.18.2, jsonwebtoken@9.0.0, multer@1.4.5-lts.1, pg@8.11.3, redis@4.6.7.

Security-scan API endpoint

Scan https://api.myapp.com/v1 for OWASP Top 10 vulnerabilities. Check for missing auth on admin routes, SQL injection on query params, and whether 500 errors expose stack traces.

Fetch Fastify docs

Fetch Fastify v4 documentation for route handler TypeScript types, request body validation with Zod, and how to correctly set up the type provider plugin.

Compare databases for scale

Compare PostgreSQL (partitioned), CockroachDB, and PlanetScale for a SaaS app with 200M rows, 30K writes/sec, and a requirement for zero-downtime schema migrations.

JWT refresh token sequence

Generate a PlantUML sequence diagram for a JWT refresh token flow: client sends expired access token → API checks refresh token in Redis → issues new access token → updates refresh token expiry.

Supply chain audit

Audit these packages for supply chain risk before adding to production: got@14, node-fetch@3, undici@6, superagent@9. Check maintainer activity, recent publish anomalies, and known advisories.

Postgres indexing strategy

Our user_events table has 500M rows with columns: user_id UUID, event_type VARCHAR, created_at TIMESTAMP, metadata JSONB. What composite indexes should we create for queries that filter by user_id + event_type and sort by created_at DESC?

Redis caching patterns

Fetch Redis documentation for the cache-aside pattern in Node.js. Show how to implement it with ioredis, handle cache stampede with setnx, and set TTL policies for session vs computed data.

Tools to power your best work


165+ tools. One conversation.

Everything backend developers need from AI, connected to the assistant you already use. No extra apps, no switching tabs.

Security review before release

Scan dependencies, audit the API surface, and check for open CVEs in the tech stack before every production deployment.

1. Vulnerability Database: check all production dependencies for known CVEs
2. Security Scanner: black-box scan the staging API for auth and injection issues
3. Supply Chain Risk: audit any new packages added this sprint for supply chain risk

Architecture decision research

Before making a significant architectural choice — new database, message queue, caching layer — gather data-backed comparisons and generate a diagram for the RFC.

1. Deep Research: compare candidate technologies with benchmark data
2. Library Docs: fetch migration and integration docs for the leading option
3. Diagram Generator: generate the system architecture diagram for the RFC

New service scaffolding

Research patterns, diagram the service boundary, and verify the dependency stack before writing the first line of code.

1. Deep Research: research patterns for the service domain (auth, payments, etc.)
2. Diagram Generator: generate sequence and ERD diagrams for service boundaries
3. Vulnerability Database: verify chosen dependencies have no open critical CVEs

Frequently Asked Questions

Can the vulnerability database check transitive (indirect) dependencies?

The Vulnerability Database searches by package name and version against the full CVE catalog. Paste your lockfile packages — including transitive dependencies — to get a complete picture. For automated scanning in CI, run it on each deployment.

How is the Security Scanner different from a pentest tool?

Security Scanner does passive checks — OWASP Top 10, headers, and exposed information — without sending attack payloads. The Pentest tool does active black-box testing with payloads. Use Security Scanner for every build, Pentest for quarterly deep audits or before major releases.

Can Library Docs handle private or internal documentation?

Library Docs fetches documentation from public sources — npm packages, official framework docs, GitHub READMEs, and versioned changelogs. It works best for popular open-source packages. Internal proprietary docs would need a different approach.

Does Deep Research cite sources for architecture comparisons?

Yes. Deep Research synthesizes multiple sources and cites each claim with links to benchmarks, documentation, and engineering blog posts. This makes it safe to include findings in an RFC or ADR without having to track down sources yourself.

What diagram formats does Diagram Generator support for embedding in GitHub PRs?

Diagram Generator outputs Mermaid source code, which renders natively in GitHub Markdown, GitLab, and Confluence. Paste the raw Mermaid block in any PR description or wiki page and it renders automatically without any plugins.
