DEV Community: Gabriel Maheu The latest articles on DEV Community by Gabriel Maheu (@cyphernet). https://dev.to/cyphernet https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3906455%2Ff7bdb857-ad73-45cb-a02a-11dff347517b.png DEV Community: Gabriel Maheu https://dev.to/cyphernet en Files pass validation… then break in production Gabriel Maheu Thu, 30 Apr 2026 16:48:35 +0000 https://dev.to/cyphernet/files-pass-validation-then-break-in-production-54m1 https://dev.to/cyphernet/files-pass-validation-then-break-in-production-54m1 <p>Most upload pipelines check file type and size — and assume the file is safe.</p> <p>But that’s exactly where things go wrong.</p> <p>Real issues often show up later — when files are actually used.</p> <ul> <li>malware hidden in uploads</li> <li>exposed API keys in config files</li> <li>payloads that look valid but break at runtime</li> </ul> <p>The problem isn’t validation.</p> <p>It’s <strong>when</strong> validation happens.</p> <h2> The gap </h2> <p>Files are trusted too early.</p> <p>By the time something breaks, it’s already in production.</p> <h2> What I built </h2> <p>I built a Strapi plugin that scans files <strong>right after upload</strong>, before they’re ever used.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Upload → Scan → Verdict </code></pre> </div> <p>Right after upload — before anything touches production.</p> <p>Instead of trusting files based on format, it checks what’s actually inside.</p> <h2> What it catches </h2> <p>It catches malware, exposed secrets, and unsafe payloads — including issues that pass validation but fail later at runtime.</p> <h2> Links </h2> <p>GitHub: <a href="https://github.com/cyphernetsecurity/cypherscan-strapi" rel="noopener noreferrer">https://github.com/cyphernetsecurity/cypherscan-strapi</a><br><br> npm: <a href="https://www.npmjs.com/package/strapi-plugin-cypherscan" rel="noopener noreferrer">https://www.npmjs.com/package/strapi-plugin-cypherscan</a><br><br> Demo: <a href="https://youtu.be/zRk-9Es7mwA" rel="noopener noreferrer">https://youtu.be/zRk-9Es7mwA</a> </p> <p>How are you handling file validation today?</p> <p>At upload — or only when things break?</p> security webdev node programming