DEV Community

LERUfic

Stop Blind-CURLing in Production: How I Built an Audit Layer for API Operations

If you’ve ever worked in Fintech, you know the feeling. It’s 2:00 PM on a Tuesday, and a production sync has failed. A developer needs to manually trigger a Stripe webhook or hit an internal reconciliation endpoint.

In most places, this involves someone opening a terminal, pasting a curl command with a production secret, and hitting enter.

As a DevOps engineer, this keeps me up at night.

Who executed that? What exactly was in the JSON body? Did anyone double-check the URL query params? In a world of SOC 2 compliance and strict financial audits, “trust me, I ran the right command” isn’t an answer.

That’s why I built Heimdall.


The Problem: The “Wild West” of Production CURLs

Developers need to make HTTP requests against production. It’s a fact of life. But terminal history is easily lost, and there is zero “human-in-the-loop” validation.

In Fintech, every state-changing request needs four eyes. One to request, and one to approve.

I needed a tool that:

  1. Separated Duties: Developers can draft requests, but only designated Approvers can click “Execute.”
  2. Logged Everything: A permanent, uneditable audit trail of every header, param, and response payload.
  3. Used Enterprise Identity: No “admin/admin” logins. It had to speak LDAP/Active Directory or SSO out of the box.

Introducing Heimdall: The Gatekeeper

Heimdall isn't just an API client; it's a Governance Layer.

Built with Next.js 16 and Prisma, it acts as a centralized dashboard where your team can manage production API operations without ever touching a terminal.

🛠 The Workflow

  1. The Request: A developer (Requester) builds the request—Method, URL, Headers, and Body. They can even save it as a "Template" for common tasks like "User Password Reset" or "Force Cache Purge."
  2. The Review: An Approver reviews it on the dashboard. They see the pending request, verify the parameters, and check for any security red flags.
  3. The Execution: Once approved, the platform executes the request from within the secure network environment.
  4. The Audit: The system logs the latency, the status code, and the full raw response for future debugging or compliance reviews.
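The four steps above as working code. This is an added example written for this article, not code taken from Heimdall; the names (Gatekeeper, ApprovalError, OpsRequest and friends) are assumptions made here. It enforces the two checks a four-eyes gate lives or dies by, that the person who drafted a request can never be the one who approves it, even if they also hold the approver role, and that nothing is sent until the request is in the approved state. It also keeps the audit trail as a hash chain so that a later edit to any entry is detectable; the post does not say how Heimdall stores its log, so that part is this example's own design choice.

```typescript
// Added example (not Heimdall's code): an in-memory model of the four steps
// above. Type and class names here are assumptions, not the project's.
import { createHash } from "node:crypto";

type Role = "requester" | "approver";
type Status = "pending" | "approved" | "executed";
type Action = "draft" | "approve" | "execute";
interface User { id: string; roles: Role[] }
interface OpsRequest {
  id: string; requesterId: string; approverId?: string; status: Status;
  method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE"; url: string;
  headers: Record<string, string>; body?: string;
}
interface AuditEvent {
  actor: string; action: Action; requestId: string;
  detail: Record<string, unknown>; prevHash: string; hash: string;
}
interface HttpResult { status: number; body: string }
const GENESIS = "0".repeat(64);

class ApprovalError extends Error {
  constructor(msg: string) { super(msg); this.name = "ApprovalError"; }
}

// Hash of an event with its own hash field blanked, so the value is stable.
function eventHash(ev: AuditEvent): string {
  return createHash("sha256").update(JSON.stringify({ ...ev, hash: "" })).digest("hex");
}

class Gatekeeper {
  private requests = new Map<string, OpsRequest>();
  readonly audit: AuditEvent[] = [];

  // Append-only trail: each event commits to the previous hash, so a later
  // edit or deletion is caught by verifyAudit().
  private record(actor: string, action: Action, requestId: string, detail: Record<string, unknown>): void {
    const prevHash = this.audit.length ? this.audit[this.audit.length - 1].hash : GENESIS;
    const ev: AuditEvent = { actor, action, requestId, detail, prevHash, hash: "" };
    ev.hash = eventHash(ev);
    this.audit.push(ev);
  }
  // Step 1: the Requester drafts the full request; nothing is sent yet.
  draft(requester: User, spec: Pick<OpsRequest, "method" | "url" | "headers" | "body">): OpsRequest {
    if (!requester.roles.includes("requester")) throw new ApprovalError("not a requester");
    const req: OpsRequest = { ...spec, id: `req-${this.requests.size + 1}`, requesterId: requester.id, status: "pending" };
    this.requests.set(req.id, req);
    this.record(requester.id, "draft", req.id, { method: spec.method, url: spec.url, headers: spec.headers, body: spec.body });
    return req;
  }
  // Step 2: separation of duties. Holding the approver role is not enough;
  // whoever drafted the request can never be the one who approves it.
  approve(approver: User, requestId: string): OpsRequest {
    const req = this.requests.get(requestId);
    if (!req) throw new ApprovalError(`unknown request ${requestId}`);
    if (!approver.roles.includes("approver")) throw new ApprovalError("not an approver");
    if (approver.id === req.requesterId) throw new ApprovalError("requester cannot approve own request");
    if (req.status !== "pending") throw new ApprovalError(`request is already ${req.status}`);
    req.status = "approved"; req.approverId = approver.id;
    this.record(approver.id, "approve", req.id, {});
    return req;
  }
  // Steps 3 and 4: only an approved request is sent, by the platform, and its
  // latency, status and raw body are logged. `send` is injected so this runs
  // offline; a real deployment would perform the HTTP call here.
  execute(requestId: string, send: (r: OpsRequest) => HttpResult): HttpResult {
    const req = this.requests.get(requestId);
    if (!req) throw new ApprovalError(`unknown request ${requestId}`);
    if (req.status !== "approved") throw new ApprovalError(`request is ${req.status}, not approved`);
    const started = Date.now();
    const res = send(req);
    req.status = "executed";
    this.record("heimdall", "execute", req.id, { status: res.status, latencyMs: Date.now() - started, body: res.body });
    return res;
  }
  verifyAudit(): boolean {
    return this.audit.every((ev, i) =>
      ev.prevHash === (i ? this.audit[i - 1].hash : GENESIS) && ev.hash === eventHash(ev));
  }
}

// Walks the whole flow, including the two refusals a four-eyes gate must make.
function demo() {
  const gk = new Gatekeeper();
  const dev: User = { id: "dev1", roles: ["requester", "approver"] };
  const lead: User = { id: "lead1", roles: ["approver"] };
  const req = gk.draft(dev, { method: "POST", url: "https://reconcile.internal/run",
    headers: { "Content-Type": "application/json" }, body: '{"batch":"2024-06-11"}' }); // constructed sample
  const blocked = (fn: () => unknown) => { try { fn(); return false; } catch (e) { return (e as Error).name === "ApprovalError"; } };
  const selfApprovalBlocked = blocked(() => gk.approve(dev, req.id));
  const unapprovedExecBlocked = blocked(() => gk.execute(req.id, () => ({ status: 200, body: "" })));
  gk.approve(lead, req.id);
  const res = gk.execute(req.id, () => ({ status: 202, body: '{"queued":true}' }));
  const intactBefore = gk.verifyAudit();
  gk.audit[1].actor = "dev1"; // someone "tidies up" the log afterwards
  const intactAfter = gk.verifyAudit();
  return { selfApprovalBlocked, unapprovedExecBlocked, status: res.status,
    actions: gk.audit.map(e => e.action), intactBefore, intactAfter };
}
```

The point of putting the refusals in the state machine rather than in the UI is that this is the layer an auditor will ask about; a hidden "Execute" button proves nothing if the API behind it accepts the call. The hash chain is what turns "uneditable" from a claim into something you can check on demand.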

The Tech Behind the Tool

I wanted this to be easy to deploy but powerful enough for me.

  1. Unified Identity: I integrated a dual-mode Auth engine. Whether your company uses legacy Active Directory/LDAP or modern OIDC (Google/Okta), Heimdall just works.
  2. Database Portability: It starts with zero-config SQLite, but supports MySQL and PostgreSQL for production scale.
  3. Audit-First Logging: Logs are flattened into structured JSON strings, making them natively compatible with Datadog, ELK, or CloudWatch.
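Logging every header and param verbatim has a side effect worth handling: the production secret a developer would otherwise have pasted into curl ends up in the audit trail, and from there in Datadog or ELK. The example below, added for this article and not Heimdall's own logging code, flattens one audit record into the single-line JSON string those pipelines ingest and redacts the header and query-parameter names that usually carry credentials. The lists in SECRET_HEADERS and SECRET_PARAM, the AuditRecord shape, and the sample record are assumptions made here; the post does not say how Heimdall treats secrets in its log.

```typescript
// Added example, not Heimdall's logging code. Flattens a nested audit record
// into one JSON line and redacts common secret-bearing headers and params.
// The header/param lists and the record shape are assumptions made here.
const SECRET_HEADERS = new Set(["authorization", "cookie", "x-api-key", "stripe-signature"]);
const SECRET_PARAM = /^(token|api[_-]?key|secret|signature|password)$/i;

interface AuditRecord {
  requestId: string;
  requester: string;
  approver: string;
  request: { method: string; url: string; headers: Record<string, string>; body?: unknown };
  response: { status: number; latencyMs: number; body?: unknown };
}

// Header names are matched case-insensitively; the value is dropped outright
// rather than fingerprinted, so a weak Basic-auth password cannot be recovered.
function redactHeaders(headers: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SECRET_HEADERS.has(name.toLowerCase()) ? "<redacted>" : value;
  }
  return out;
}

// Query params are the other place a curl-pasted key tends to hide.
function redactUrl(raw: string): string {
  let u: URL;
  try { u = new URL(raw); } catch (_e) { return "<unparseable-url>"; }
  for (const name of Array.from(u.searchParams.keys())) {
    if (SECRET_PARAM.test(name)) u.searchParams.set(name, "<redacted>");
  }
  return u.toString();
}

// Recursively turns nested objects into dotted keys ("request.headers.Host");
// arrays and scalars stay as leaf values.
function flatten(value: unknown, prefix = "", out: Record<string, unknown> = {}): Record<string, unknown> {
  if (value !== null && typeof value === "object" && !Array.isArray(value)) {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      flatten(v, prefix ? `${prefix}.${k}` : k, out);
    }
  } else if (prefix) {
    out[prefix] = value;
  }
  return out;
}

// One audit record in, one log line out. Redaction happens before
// serialisation so the raw secret never reaches the pipeline.
function toLogLine(rec: AuditRecord, ts: string): string {
  const safe = {
    ts, ...rec,
    request: { ...rec.request, url: redactUrl(rec.request.url), headers: redactHeaders(rec.request.headers) },
  };
  return JSON.stringify(flatten(safe));
}

// Constructed sample: the shape Step 4 of the workflow describes, with a
// production key present both as a bearer token and as a query param.
function sampleRecord(): AuditRecord {
  return {
    requestId: "req-1",
    requester: "dev1",
    approver: "lead1",
    request: {
      method: "POST",
      url: "https://reconcile.internal/run?api_key=sk_live_EXAMPLE&batch=2024-06-11",
      headers: { Authorization: "Bearer sk_live_EXAMPLE", "Content-Type": "application/json" },
      body: { batch: "2024-06-11" },
    },
    response: { status: 202, latencyMs: 143, body: { queued: true } },
  };
}
```

Flat dotted keys give every field a stable name that can be indexed, filtered or alerted on directly, and keeping each event on one line avoids the multi-line parsing problems log shippers are prone to. Redacting by name is deliberately conservative: a header the list does not know about is kept verbatim, so the list should be reviewed whenever a new upstream API is added.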

Closing Thoughts

I built this tool because I needed to audit every curl my developers were doing. It has turned “stressful production hacks” into a “transparent, reviewed workflow.”

If you’re struggling with compliance or just want a safer way for your team to handle production API operations, I hope Heimdall can help you too.

Check it out on GitHub: https://github.com/LERUfic/Heimdall

Docker Hub: https://hub.docker.com/r/lerufic/heimdall

You can checkout the demo here: https://heimdall-demo.lerufic.com

  • Requester:
    username: requester1
    password: password
  • Admin:
    username: admin1
    password: password

I’d love to hear your feedback!
