DEV Community

Ladipo Samuel
Testing API Security with Cencori: A Case Study Using InsecurePay

Before running any security scans, I needed something meaningful to test. So I built InsecurePay, a simple payment API designed to mirror real-world payment systems, but intentionally implemented with relaxed security.

At its core, InsecurePay handles three main functions:

  • Authentication — a basic login endpoint that returns a token
  • Payments — an endpoint that processes card payments
  • Transactions — an endpoint to view processed payments

The project is built with Node.js and Express, and it follows a structure that reflects many real backend systems:

  • Routes handle incoming requests
  • Controllers manage the business logic
  • A mock database simulates data storage

How InsecurePay Works

When a user sends a payment request, the API:

  • Accepts card details and payment information
  • Simulates processing (no real payment gateway is used)
  • Stores the transaction
  • Returns a response containing the transaction details

At first glance, everything works as expected. You can log in, make a payment, and receive a successful response.

However, despite being functional, the API had some serious security concerns:

  • Sensitive data like card numbers and CVV were exposed in responses
  • Secrets were hardcoded directly into the codebase
  • Critical routes, such as payments, lacked proper protection
  • Logging exposed more information than necessary

None of these issues broke the application, but they violated basic security expectations. That was intentional.

InsecurePay wasn’t designed to be perfect. It was built to reflect real-world flaws so they could be identified and addressed.

At this point, I had a working API, but I already knew it wasn’t secure. So I decided to test it using Cencori Scan, an AI-powered tool that detects security issues in codebases and suggests fixes. It can identify hardcoded secrets such as API keys and passwords, flag PII leaks like emails and card details, and detect vulnerable routes and unsafe coding practices.

The goal was simple: could this tool detect real vulnerabilities in my project, and more importantly, help fix them?

I ran the scan using:

npx @cencori/scan

Results from the Scan

Cencori flagged several critical issues:

  • Secrets in code — API keys and passwords were hardcoded
  • PII exposure — card numbers, CVV, and emails were returned in responses
  • Unprotected routes — sensitive endpoints lacked proper authorization checks
  • Unsafe logging — request payloads exposed sensitive information

While nothing broke, the security posture of the application was clearly weak.

Fixing the Issues with Cencori

I enabled Cencori’s auto-fix feature to address the problems more efficiently. To use Cencori Scan, you follow these steps:

Step 1: Get an API key

I generated a free API key from the dashboard and added it to my environment:

$env:CENCORI_API_KEY="your_api_key_here"

Step 2: Run auto-fix

npx @cencori/scan --fix

Cencori then analyzed each issue, suggested fixes, and updated parts of the code automatically.

What Changed?

After reviewing the results, I made several important improvements:

  • Moved secrets out of the codebase
  • Added token-based protection to secure sensitive routes
  • Removed sensitive fields such as card numbers and CVV from API responses
  • Cleaned up unsafe logging practices

Some fixes were applied automatically, while others required careful review and manual adjustments, which is expected when working with security-critical systems.

If you’re a developer who relies on AI to generate or automate parts of your code, tools like this become even more important. Cencori helps ensure that what gets produced isn’t just functional, but also secure. It acts as a safety layer, catching issues like exposed secrets, data leaks, and weak access controls before they make it into production.

In a world where speed is becoming easier with AI, security should not be an afterthought. Cencori helps you maintain that balance between building fast and building safely.

You can test it in your own project here:
https://cencori.com/

You can also explore the InsecurePay project here:
https://github.com/ladicodes/InsecurePay-API

Top comments (2)

Iremide Adeyanju

Lovely stuff. As someone who uses Claude Code a lot, Cencori Scan looks like something I'd need. I try to make Claude look through the codebase to perform security audits and reviews, but it's always best to have fresh eyes look for issues that may be lurking around.

Ladipo Samuel

Exactly! Glad that you love it!