The latest articles on DEV Community by Ladipo Samuel (@ladipo_samuel_7cfaa827bf5). https://dev.to/ladipo_samuel_7cfaa827bf5 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1667792%2F9b60d3c4-48b5-4943-a8e1-0c1e2da4b290.jpeg https://dev.to/ladipo_samuel_7cfaa827bf5 en Ladipo Samuel Fri, 03 Apr 2026 19:25:10 +0000 https://dev.to/ladipo_samuel_7cfaa827bf5/testing-api-security-with-cencori-a-case-study-using-insecurepay-2lae https://dev.to/ladipo_samuel_7cfaa827bf5/testing-api-security-with-cencori-a-case-study-using-insecurepay-2lae <p>Before running any security scans, I needed something meaningful to test. So I built <strong>InsecurePay</strong>, a simple payment API designed to mirror real-world payment systems, but intentionally implemented with relaxed security.</p> <p>At its core, InsecurePay handles three main functions:</p> <p>Authentication — a basic login endpoint that returns a token<br> Payments — an endpoint that processes card payments<br> Transactions — an endpoint to view processed payments</p> <p>The project is built with Node.js and Express, and it follows a structure that reflects many real backend systems:</p> <ul> <li>Routes handle incoming requests</li> <li>Controllers manage the business logic</li> <li>A mock database simulates data storage</li> </ul> <p><strong>How InsecurePay Works</strong></p> <p>When a user sends a payment request, the API:</p> <ul> <li>Accepts card details and payment information</li> <li>Simulates processing (no real payment gateway is used)</li> <li>Stores the transaction</li> <li>Returns a response containing the transaction details</li> </ul> <p>At first glance, everything works as expected. You can log in, make a payment, and receive a successful response.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h3ry87e6w4gxx6p6ftg.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2h3ry87e6w4gxx6p6ftg.png" alt=" " width="800" height="342"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4r95ewyqlsq4h4qrns33.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4r95ewyqlsq4h4qrns33.png" alt=" " width="800" height="259"></a></p> <p>However, despite being functional, the API had some serious security concerns:</p> <ul> <li>Sensitive data like card numbers and CVV were exposed in responses</li> <li>Secrets were hardcoded directly into the codebase</li> <li>Critical routes, such as payments, lacked proper protection</li> <li>Logging exposed more information than necessary</li> </ul> <p>None of these issues broke the application, but they violated basic security expectations. That was intentional.</p> <p>InsecurePay wasn’t designed to be perfect. It was built to reflect real-world flaws so they could be identified and addressed.</p> <p>At this point, I had a working API, but I already knew it wasn’t secure. So I decided to test it using <strong>Cencori Scan</strong>, an AI-powered tool that detects security issues in codebases and suggests fixes. It can identify hardcoded secrets such as API keys and passwords, flag PII leaks like emails and card details, and detect vulnerable routes and unsafe coding practices.</p> <p>The goal was simple: could this tool detect real vulnerabilities in my project, and more importantly, help fix them?</p> <p>I ran the scan using:</p> <p>npx @cencori/scan</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fisvxb93ha4ybdvqlyfwy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fisvxb93ha4ybdvqlyfwy.png" alt=" " width="427" height="449"></a></p> <p>Results from the Scan</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57bfmi29eikm6fu2x2ai.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57bfmi29eikm6fu2x2ai.png" alt=" " width="800" height="434"></a></p> <p>Cencori flagged several critical issues:</p> <p>Secrets in code — API keys and passwords were hardcoded<br> PII exposure — card numbers, CVV, and emails were returned in responses<br> Unprotected routes — sensitive endpoints lacked proper authorization checks<br> Unsafe logging — request payloads exposed sensitive information</p> <p>While nothing broke, the security posture of the application was clearly weak.</p> <p><strong>Fixing the Issues with Cencori</strong></p> <p>I enabled Cencori’s auto-fix feature to address the problems more efficiently. To use Cencori Scan, you follow these steps:</p> <p>Step 1: Get an API key</p> <p>I generated a free API key from the dashboard and added it to my environment:</p> <p>$env:CENCORI_API_KEY="your_api_key_here"</p> <p>Step 2: Run auto-fix</p> <p>npx @cencori/scan --fix</p> <p>Cencori then analyzed each issue, suggested fixes, and updated parts of the code automatically.</p> <p><strong>What Changed?</strong></p> <p>After reviewing the results, I made several important improvements:</p> <p>Moved secrets out of the codebase<br> Added token-based protection to secure sensitive routes<br> Removed sensitive fields such as card numbers and CVV from API responses<br> Cleaned up unsafe logging practices</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl320a0p23xx5wy3x1gak.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fl320a0p23xx5wy3x1gak.png" alt=" " width="800" height="239"></a></p> <p>Some fixes were applied automatically, while others required careful review and manual adjustments, which is expected when working with security-critical systems.</p> <p>If you’re a developer who relies on AI to generate or automate parts of your code, tools like this become even more important. Cencori helps ensure that what gets produced isn’t just functional, but also secure. It acts as a safety layer, catching issues like exposed secrets, data leaks, and weak access controls before they make it into production.</p> <p>In a world where speed is becoming easier with AI, security should not be an afterthought. Cencori helps you maintain that balance between building fast and building safely.</p> <p>You can test it in your own project here:<br> <a href="https://cencori.com/" rel="noopener noreferrer">https://cencori.com/</a></p> <p>You can also explore the InsecurePay project here:<br> <a href="https://github.com/ladicodes/InsecurePay-API" rel="noopener noreferrer">https://github.com/ladicodes/InsecurePay-API</a></p> ai backenddevelopment