© 2026 NODDEV. All rights reserved.


Rate Limiting & Performance

Performance considerations and bottleneck analysis for ApiShield.

ApiShield is designed for efficient API scanning, but there are important performance considerations to keep in mind.

Performance Bottlenecks

Sequential Live Probing

lib/parsers/live.js uses a hardcoded 800ms sleep between requests. This throttling makes scanning large APIs unnecessarily slow but prevents overwhelming target servers.

Recommendation: Use a concurrency-limited worker pattern to speed up probing without triggering the target's rate limiting.

Deep Recursion

Schema traversal for sensitive field detection lacks a depth limit, which could cause stack exhaustion on highly nested structures.

Recommendation: Introduce a configurable maximum depth for recursive schema analysis.
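One way to implement the recommended depth limit, as an added example that is not ApiShield's own code: an iterative walk over a JSON-Schema-style object that uses an explicit stack and a `maxDepth` option. The names `findSensitiveFields`, `maxDepth` and `nestedSchema`, the schema keywords handled, and the small regex are assumptions made for illustration.

```javascript
// Added example; function and option names are hypothetical, not ApiShield's API.
const SENSITIVE_NAME = /pass(word)?|secret|token|api[_-]?key|ssn/i; // constructed mini pattern set

function findSensitiveFields(schema, { maxDepth = 32 } = {}) {
  const findings = [];
  let truncated = false;
  const seen = new WeakSet(); // cyclic schemas (e.g. after $ref dereferencing) are visited once
  const stack = [{ node: schema, path: '#', depth: 0 }]; // explicit stack: no call-stack growth

  while (stack.length > 0) {
    const { node, path, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > maxDepth) { truncated = true; continue; } // report the cut-off, do not hide it
    if (seen.has(node)) continue;
    seen.add(node);

    const props = node.properties;
    if (props !== null && typeof props === 'object') {
      for (const [name, child] of Object.entries(props)) {
        const childPath = `${path}/properties/${name}`;
        if (SENSITIVE_NAME.test(name)) findings.push(childPath);
        stack.push({ node: child, path: childPath, depth: depth + 1 });
      }
    }
    if (node.items) stack.push({ node: node.items, path: `${path}/items`, depth: depth + 1 });
    for (const key of ['allOf', 'anyOf', 'oneOf']) {
      if (!Array.isArray(node[key])) continue;
      node[key].forEach((sub, i) =>
        stack.push({ node: sub, path: `${path}/${key}/${i}`, depth: depth + 1 }));
    }
  }
  return { findings, truncated };
}

// Constructed input: a password field buried under `levels` nested objects.
function nestedSchema(levels) {
  let schema = { type: 'object', properties: { password: { type: 'string' } } };
  for (let i = 0; i < levels; i++) schema = { type: 'object', properties: { child: schema } };
  return schema;
}

const result = findSensitiveFields(nestedSchema(20000));
console.log(result); // findings is empty and truncated is true: the scan was incomplete
```

Surfacing `truncated` in the scan report matters: a silently shortened traversal would present a deeply nested spec as clean.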

Complexity Analysis

The scanSpec Function

Located in lib/normalizer.js, this function acts as a "God Function" containing all validation logic. This increases cognitive load for maintainers and makes unit testing individual rules difficult.

Recommendation: Decompose into smaller, rule-specific modules in a lib/scanners/ directory.

Short-Term Improvements

  1. Consolidate Sensitive Data Detection: Move logic from lib/parsers/live.js into lib/normalizer.js to use the more comprehensive regex set (~150 patterns).
  2. Parallelize Live Scanning: Implement concurrent scanning with proper rate limiting controls.

Long-Term Architectural Changes

  1. Refactor Scanners: Create modular, rule-specific scanner functions.
  2. Improve Input Matching: Replace manual regex with a robust library like minimatch.
  3. Schema Depth Limits: Add configurable maximum recursion depth.