API Key Migration to Header + Search Performance Boost
Released October 2, 2025
This release introduces several important improvements to the Vulners public API focused on security hardening, performance, and reliability of high-volume search workflows.
1. API Key Now Accepted Only via x-api-key Header
Passing the API key via query parameter (?apiKey=…) is officially deprecated and disabled.
Rationale
- Prevents accidental key exposure in server logs, browser history, and referrer headers
- Aligns with OWASP API Security Top 10 recommendations
- Simplifies compliance with enterprise proxy and WAF policies
Migration example (before → after)
# Old (deprecated)
curl "https://vulners.com/api/v3/search/lucene/?query=type:cve&apiKey=YOUR_KEY"
# New (required)
curl -H "x-api-key: YOUR_KEY" \
"https://vulners.com/api/v3/search/lucene/?query=type:cve"
2. Search API Performance Increased by Up to 40%
It was re-engineered the internal indexing pipeline and introduced multi-layer caching:
- Hot-path queries now served from in-memory cache when possible
- Lucene query planner optimizations for common vulnerability filters
Real-world benchmarks show average latency drop from ~420 ms to ~250 ms on complex queries containing type:, bulletinFamily:, and cvss.score: filters.
3. Pagination Fixes in /api/v3/search/lucene/
Resolved long-standing issues affecting bulk exports:
- Fixed cursor drift when using
size> 500 with sorting - Corrected total hits count in deep pagination (> 10 000 results)
- Stabilized
searchAfterbehavior across cluster restarts
Large-scale exports and continuous sync tools are now reliable and consistent.
4. Documentation & SDK Updates
- All code examples updated to use header-based authentication
- Python SDK with built-in header support
Documentation: https://beta.vulners.com/docs/api/ Python SDK: https://github.com/vulnersCom/api-python