Clickjacking is one of those everything works security problems that teams ignore because nothing crashes, nothing burns, and monitoring stays green. And that s exactly why it survives.
Your API can be flawless, your backend locked down but if your UI can be framed, a user can be tricked into clicking real actions through someone else s page. Approvals, settings, payments, permissions. All valid. All invisible.
There s a special kind of security failure that doesn t come from complex exploits or zero-days. It comes from your API politely introducing itself to the entire internet: Hi, I m nginx 1.18.0. This isn t advanced hacking. It s basic fingerprinting and it s how attackers decide whether you re worth attacking at all. Exposing server versions turns vulnerability scanning into shopping with a checklist: tech, version, CVE, automate. Teams forget this because it s boring, not because it s hard. No alerts. No crashes. Just a quiet little header waiting for the wrong person to notice. I added this check to Rentgen because people don t forget hard things they forget obvious ones. And those are the ones that usually bite first.
I recently had an interesting conversation with an investor. I was explaining a very concrete technical problem and the solution behind it. At some point he asked: Won t AI solve this in a few years? If so, doesn t that make your solution irrelevant? That question stuck with me because my instinctive reaction was: why would that make it irrelevant?
If a problem can be solved without AI, that solution is always:
Rentgen finds API bugs when you have no tests yet.
We built Rentgen for one reason: to test APIs before you write any tests.
Paste one cURL → Rentgen generates 50–200 edge-case checks (boundaries, invalid data, trimming, headers, CORS, enums, latency).
No accounts. No cloud. Fully local.
Run it before handing the API to QA.
Because “the API works” usually means it worked for one happy request.
After years of testing APIs across fintech, gov, and internal platforms, I keep seeing the same pattern: Most API bugs are not complex. They re boring HTTP basics that teams quietly forget.
A few examples I see again and again:
Missing auth returns 403 instead of 401 so clients debug permissions instead of authentication
Unsupported HTTP methods return 200 so people debug payloads instead of the method
Non-existent endpoints return 200 so monitoring shows everything is fine while users rage
Invalid payloads get echoed back in error messages opening doors nobody intended
Private APIs allow broad CORS origins because it worked in the browser
We just wrapped the Orbit Awards for AI Dictation and now we re moving to the next category: AI Automation.
This one is for the tools that actually do work for you clearing chores, running workflows in the background, or quietly taking over a chunk of your week without turning into another dashboard you have to babysit.
I m Liudas a QA engineer with 18 years of experience in backend/API testing, leading QA teams in security-critical environments in the UAE.
I built Rentgen because most API bugs are simple edge cases no one has time to test manually. One cURL hundreds of generated test cases. All local, no cloud, no telemetry.
