In 2026, every app is a file host. Whether you are building a chat app, an HR portal, or a social network, if you accept user uploads, you are accepting potential malware.
Building a proprietary antivirus engine is impossible for most teams. The solution is API-driven security. This guide moves beyond the marketing fluff and provides raw curl and Node.js examples for the top 16 security APIs available today. We focus on implementation details: rate limits, latency, and response payloads.
1. VirusTotal (The Aggregator)
The Gold Standard. It doesn't scan files itself; it runs them against 70+ engines (Kaspersky, Sophos, CrowdStrike).
- Rate Limit (Free): 500 requests/day
- Best For: Definitive verdicts on files.
Endpoint: Scan by Hash (Zero-Knowledge)
Don't upload the file if you don't have to. Check the hash first.
```bash
curl --request GET \
  --url https://www.virustotal.com/api/v3/files/{SHA256_HASH} \
  --header 'x-apikey: <YOUR_API_KEY>'
```
Node.js Implementation
```javascript
const crypto = require('crypto');

async function checkFileHash(buffer) {
  // Hash locally so only the digest, not the file, leaves your server
  const hash = crypto.createHash('sha256').update(buffer).digest('hex');
  const response = await fetch(`https://www.virustotal.com/api/v3/files/${hash}`, {
    headers: { 'x-apikey': process.env.VT_KEY }
  });
  if (response.status === 404) return "UNKNOWN_FILE"; // Needs upload
  // Auth failures and rate limiting must not be mistaken for a verdict
  if (!response.ok) throw new Error(`VirusTotal lookup failed: HTTP ${response.status}`);
  const data = await response.json();
  // Return the number of engines that flagged it as malicious
  return data.data.attributes.last_analysis_stats.malicious;
}
```
2. AbuseIPDB (The Firewall)
Best For: Blocking botnets and brute-force hackers.
Before you let a user log in, check if their IP is a known bad actor.
- Rate Limit (Free): 1,000 requests/day
- Latency: < 500ms
Endpoint: Check IP
```bash
curl -G https://api.abuseipdb.com/api/v2/check \
  --data-urlencode "ipAddress=118.25.6.39" \
  -d maxAgeInDays=90 \
  -H "Key: <YOUR_API_KEY>" \
  -H "Accept: application/json"
```
Verdict Logic:
If `abuseConfidenceScore > 50`, trigger 2FA or block the request.
3. Google Safe Browsing (The Phishing Net)
Best For: Scanning user-submitted URLs.
If your users can post links (comments, bios), you must scan them for phishing.
- Cost: Free (High quotas)
Payload Structure
Google requires a specific JSON body.
```json
{
  "client": {
    "clientId": "yourcompany",
    "clientVersion": "1.5.2"
  },
  "threatInfo": {
    "threatTypes": ["MALWARE", "SOCIAL_ENGINEERING"],
    "platformTypes": ["ANY_PLATFORM"],
    "threatEntryTypes": ["URL"],
    "threatEntries": [
      {"url": "http://testsafebrowsing.appspot.com/s/phishing.html"}
    ]
  }
}
```
4. URLScan.io (The Investigator)
Best For: Deep forensics.
It doesn't just check a list; it spins up a headless browser, renders the page, and takes a screenshot.
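```javascript
// Trigger a scan (run inside an async function or an ES module)
const resp = await fetch('https://urlscan.io/api/v1/scan/', {
  method: 'POST',
  headers: { 'API-Key': 'YOUR_KEY', 'Content-Type': 'application/json' },
  // 'public' results are visible to everyone on urlscan.io; use 'unlisted'
  // or 'private' when the URL may contain tokens or user data
  body: JSON.stringify({ url: 'http://suspicious-site.com', visibility: 'public' })
});
```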
5. AlienVault OTX (Open Threat Exchange)
Best For: Enterprise Threat Intelligence.
Access massive datasets of "Pulses" (related IOCs).
```bash
curl https://otx.alienvault.com/api/v1/indicators/IPv4/8.8.8.8/general
```
Quick Reference: 11 More APIs to Know
- Scanii: Dedicated file scanning API with Webhooks. Great for S3 processing.
- Metacert: Specialized in distinct classification (Porn, Phishing, Malware).
- Web of Trust (WOT): Reputation data based on crowd-sourced user ratings.
- Opswat MetaDefender: Competitor to VirusTotal with strict privacy implementations.
- Hybrid Analysis: Free sandbox analysis details.
- Urlhaus: Community-driven project from Abuse.ch tracking malware distribution sites.
- PhishTank: Open database of phishing URLs (owned by Cisco Talos).
- Shodan: Search engine for connected devices (scan your own infra).
- GreyNoise: Filter out "Internet Background Noise" to focus on real threats.
- IPQualityScore: Fraud detection + IP reputation.
- ClamAV: Not an API, but the open-source engine you can run locally (often wrapped in a Docker container).
System Design: Building a Secure Upload Pipeline
If you are building an app with file uploads, do not save files directly to the public bucket.
The "Quarantine" Architecture
1. Ingest: User uploads file -> Save to `s3://quarantine-bucket` (not public).
2. Trigger: S3 Event triggers Lambda/Worker function.
3. Hash: Calculate SHA-256.
4. Lookup: Check VirusTotal API (Free & Fast).
   - If Bad: Delete file, ban user.
   - If Good/Unknown: Proceed to Step 5.
5. Scan: Stream file to Scanii or ClamAV cluster (Deep scan).
   - If Bad: Delete file.
   - If Good: Move to `s3://public-bucket`.
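The Lookup and Scan decisions above, sketched as one worker function. This is an added example, not code from the original article: the `deps` adapter object, `MALICIOUS_THRESHOLD`, and the extra `held` outcome (used when the scanner is unreachable) are assumptions. It goes slightly beyond the list by failing closed when either service errors out.

```javascript
const crypto = require('crypto');

// Assumed policy knob (not from the article): engines that must flag a hash
// before the lookup stage rejects the file.
const MALICIOUS_THRESHOLD = 1;

function sha256Hex(buffer) {
  return crypto.createHash('sha256').update(buffer).digest('hex');
}

// deps is a hypothetical adapter object supplied by the caller:
//   lookupHash(sha256) -> engine count, or "UNKNOWN_FILE" (as checkFileHash returns)
//   deepScan(buffer)   -> true when the scanner (Scanii/ClamAV) reports malware
//   remove(key), promote(key) -> delete from quarantine / move to public bucket
async function processQuarantined(key, buffer, deps) {
  const sha256 = sha256Hex(buffer);

  // Lookup: an error (quota exhausted, timeout) is treated as "unknown",
  // never as "clean", so the file still goes through the deep scan.
  let hits;
  try {
    hits = await deps.lookupHash(sha256);
  } catch (err) {
    hits = 'UNKNOWN_FILE';
  }
  if (typeof hits === 'number' && hits >= MALICIOUS_THRESHOLD) {
    await deps.remove(key);
    return { action: 'deleted', stage: 'lookup', banUser: true, sha256 };
  }

  // Scan: if the scanner is unavailable, fail closed. The file stays in
  // quarantine and is not promoted.
  let infected;
  try {
    infected = await deps.deepScan(buffer);
  } catch (err) {
    return { action: 'held', stage: 'scan', banUser: false, sha256 };
  }
  if (infected) {
    await deps.remove(key);
    return { action: 'deleted', stage: 'scan', banUser: false, sha256 };
  }
  await deps.promote(key);
  return { action: 'promoted', stage: 'scan', banUser: false, sha256 };
}
```

Files that come back as `held` should be retried by the worker later rather than released.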
Conclusion
Security is a process, not a product. By stitching these APIs together, you can create a defense mesh that rivals enterprise security products, all with a few lines of code.
Next Steps:
- Integrate AbuseIPDB into your login middleware today.
- Run a `curl` check on your own domain using VirusTotal.