Security#002

BCC Clears First Full-Stack Security Audit: Zero Criticals Raised

BCC has completed its first end-to-end security audit. Fuzz testing, database review, API hardening, and infrastructure — all assessed. Here's what we can share.

Leebo

Security Engineer, zoopbyte

15 May 2026

3 min read


BuyCarCheck — our UK vehicle checking and data aggregation platform — has completed its first formal security audit. Here's a high-level look at what was covered.

Background

BuyCarCheck (BCC) handles real user data: vehicle lookup history, payment sessions, and analytics. Before the platform scales further, we wanted a documented security baseline — a first sweep across the entire stack to understand where things stand.

This was that sweep.

What Was Audited

Rate limiting

All externally callable BuyCarCheck endpoints (vehicle checks, checkout, and the admin surface) are rate-limited independently at the edge and at the application layer, so a client that slips past one layer still meets the other. Burst and sustained request patterns were tested.
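One way to implement the burst-versus-sustained distinction is a token bucket: the bucket's capacity is the burst a client may send at once, and its refill rate is the sustained rate it may hold. The following is an added example written for this post, not BuyCarCheck's own code; the client keys, capacity and refill rate are illustrative, and the clock is injected so a run is deterministic.

```python
"""Token-bucket rate limiter keyed per client; added example, not BuyCarCheck's code.

capacity bounds the burst a client can send at once and refill_per_sec bounds
the sustained rate. Running one instance at the edge (keyed on client IP) and a
separate one in the application (keyed on account) gives two independent layers.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class _Bucket:
    tokens: float
    last: float


@dataclass
class TokenBucketLimiter:
    capacity: int                   # burst allowance for a fresh client
    refill_per_sec: float           # sustained rate
    clock: Callable[[], float]
    buckets: Dict[str, _Bucket] = field(default_factory=dict)

    def allow(self, key: str) -> bool:
        now = self.clock()
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = _Bucket(tokens=float(self.capacity), last=now)
        # Refill in proportion to elapsed time, never beyond capacity.
        b.tokens = min(float(self.capacity), b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Injected clock so the example runs without sleeping."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def two_layer_allow(edge: TokenBucketLimiter, app: TokenBucketLimiter, ip: str, account: str) -> bool:
    """Edge limiter runs on the client IP, app limiter on the account; rotating IPs
    to dodge the edge still exhausts the account's own bucket."""
    return edge.allow(ip) and app.allow(account)


def simulate(burst: int, sustained_calls: int, interval: float,
             capacity: int = 5, refill: float = 1.0) -> Tuple[int, int]:
    """One client sends `burst` requests at once, then `sustained_calls` spaced
    `interval` seconds apart. Returns (burst allowed, sustained allowed)."""
    clock = FakeClock()
    lim = TokenBucketLimiter(capacity=capacity, refill_per_sec=refill, clock=clock)
    burst_allowed = sum(lim.allow("203.0.113.7") for _ in range(burst))
    sustained_allowed = 0
    for _ in range(sustained_calls):
        clock.advance(interval)
        sustained_allowed += lim.allow("203.0.113.7")
    return burst_allowed, sustained_allowed
```

With capacity 5 and one token per second, a burst of 20 gets 5 through; a client then sending every half second gets every other request through, while one sending every two seconds is never throttled.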

Input validation

Every user-supplied input to BuyCarCheck (registration plates, email addresses, image data) is validated server-side against a strict schema before any downstream API call or database write occurs. Malformed and adversarial input was tested at each boundary.

Authentication & sessions

The BuyCarCheck admin surface stores credentials only as hashes, issues session cookies with strict browser flags (HttpOnly, Secure, SameSite), and applies progressive lockout to repeated failed login attempts.
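An illustration of progressive lockout alongside the cookie flags listed above. This is an added example, not BuyCarCheck's code: the post says only "hashed credentials", so the hash function (scrypt from the standard library), the lockout schedule, the cookie name and the __Host- prefix are this example's own choices.

```python
"""Progressive lockout and a hardened session cookie for an admin login.
Added example, not BuyCarCheck's code. Schedule (an assumption): three free
failures, then a lock starting at 30 s that doubles on every further failure,
capped at an hour. The right password during a lock is still refused, and a
successful login clears the failure count.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

MAX_FREE_FAILURES = 3
BASE_LOCK_SECONDS = 30
MAX_LOCK_SECONDS = 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, scrypt digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


@dataclass
class _Attempts:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class AdminAuth:
    users: Dict[str, Tuple[bytes, bytes]]      # username -> (salt, digest)
    clock: Callable[[], float]
    state: Dict[str, _Attempts] = field(default_factory=dict)

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        rec = self.state.setdefault(username, _Attempts())
        now = self.clock()
        if now < rec.locked_until:
            return False, "locked"
        stored = self.users.get(username)
        # Hash even for unknown users so timing does not reveal which usernames exist.
        salt, expected = stored if stored else (b"\x00" * 16, b"\x00" * 32)
        _, got = hash_password(password, salt)
        if stored and hmac.compare_digest(got, expected):
            self.state[username] = _Attempts()  # success clears the failure history
            return True, "ok"
        rec.failures += 1
        if rec.failures > MAX_FREE_FAILURES:
            lock = min(MAX_LOCK_SECONDS, BASE_LOCK_SECONDS * 2 ** (rec.failures - MAX_FREE_FAILURES - 1))
            rec.locked_until = now + lock
            return False, f"locked for {lock}s"
        return False, "bad credentials"


def session_cookie(session_id: str, max_age: int = 3600) -> str:
    """Set-Cookie value with the flags the post lists. The __Host- prefix (this
    example's addition) makes browsers require Secure and Path=/ with no Domain."""
    return (f"__Host-admin_session={session_id}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Strict")


class FakeClock:
    """Injected clock so lock expiry can be tested without waiting."""
    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds
```

The lock is keyed on the username rather than the client IP, which is the point of progressive lockout: an attacker spreading guesses across many addresses still hits the same doubling window.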

Payment integrity

BuyCarCheck's Stripe integration cryptographically verifies the signature on every incoming webhook before acting on the payment event. Credit writes are atomic, so concurrent or duplicated requests cannot credit an account twice.

Unit & Integration Testing

Unit tests were written and run across BuyCarCheck's core logic — validation rules, rate limit behaviour, and session handling. Integration tests were run against the live API routes end-to-end, including the full Stripe payment flow: checkout session creation, webhook delivery, signature verification, and credit write confirmation. Edge cases — duplicate webhooks, concurrent requests, and malformed payloads — were exercised as part of the integration suite.

Database & Infrastructure

BuyCarCheck's elevated-privilege database credentials are kept strictly server-side, never bundled into client code or exposed through public endpoints. Sensitive queries are isolated behind a private schema. Concurrent operations on user credit balances are protected against race conditions by optimistic locking, where a write succeeds only if the row is still at the version that was read.
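The webhook verification under Payment integrity, the duplicate and concurrent deliveries exercised in the integration suite, and the optimistic locking described here fit together as follows. This is an added example, not BuyCarCheck's code: the signature scheme is Stripe's published one (a `Stripe-Signature` header of the form `t=<unix>,v1=<hex>`, where `v1` is HMAC-SHA256 over `<t>.<raw body>` with the endpoint secret), but the table layout, the metadata key carrying the credit amount, the secret and the sample event are constructed for the example.

```python
"""Stripe webhook verification plus an idempotent, race-safe credit write.
Added example, not BuyCarCheck's code. Tables, the 'credits' metadata key,
the secret and the sample event are this example's own constructions.
"""
import hashlib
import hmac
import json
import sqlite3
import time
from typing import Callable, Tuple

TOLERANCE_SECONDS = 300   # Stripe's documented default timestamp tolerance


class OptimisticLockError(Exception):
    pass


def verify_stripe_signature(raw_body: bytes, header: str, secret: str,
                            now: Callable[[], float] = time.time) -> bool:
    # Stripe can send several v1 values during secret rotation; this checks the last one only.
    parts = dict(kv.split("=", 1) for kv in header.split(",") if "=" in kv)
    ts, v1 = parts.get("t", ""), parts.get("v1", "")
    if not ts.isdigit() or not v1:
        return False
    if abs(now() - int(ts)) > TOLERANCE_SECONDS:
        return False                                   # stale delivery: possible replay
    signed = ts.encode() + b"." + raw_body             # sign the raw bytes, never re-serialised JSON
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, v1)


def sign_event(raw_body: bytes, secret: str, ts: int) -> str:
    """Produce the header Stripe would send; used here only to construct test traffic."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def init_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE credits (user_id TEXT PRIMARY KEY, balance INTEGER NOT NULL, version INTEGER NOT NULL);
        CREATE TABLE processed_events (event_id TEXT PRIMARY KEY);""")
    return db


def read_balance(db: sqlite3.Connection, user_id: str) -> Tuple[int, int]:
    row = db.execute("SELECT balance, version FROM credits WHERE user_id=?", (user_id,)).fetchone()
    return (row[0], row[1]) if row else (0, 0)


def write_balance(db: sqlite3.Connection, user_id: str, new_balance: int, expected_version: int) -> bool:
    """Optimistic lock: the write lands only if nobody bumped the row's version since it was read."""
    if expected_version == 0:
        cur = db.execute("INSERT OR IGNORE INTO credits VALUES (?, ?, 1)", (user_id, new_balance))
    else:
        cur = db.execute("UPDATE credits SET balance=?, version=version+1 WHERE user_id=? AND version=?",
                         (new_balance, user_id, expected_version))
    return cur.rowcount == 1


def apply_credit(db: sqlite3.Connection, event_id: str, user_id: str, amount: int, retries: int = 3) -> str:
    """Returns 'credited', 'duplicate' (event already applied) or 'conflict' (retries exhausted)."""
    for _ in range(retries):
        try:
            with db:  # event claim and balance change commit together, or not at all
                db.execute("INSERT INTO processed_events(event_id) VALUES (?)", (event_id,))
                balance, version = read_balance(db, user_id)
                if not write_balance(db, user_id, balance + amount, version):
                    raise OptimisticLockError()        # rolls the claim back too, so the retry can redo it
            return "credited"
        except sqlite3.IntegrityError:
            return "duplicate"                         # redelivered webhook: no second credit
        except OptimisticLockError:
            continue
    return "conflict"


def handle_webhook(db: sqlite3.Connection, raw_body: bytes, sig_header: str, secret: str,
                   now: Callable[[], float] = time.time) -> str:
    if not verify_stripe_signature(raw_body, sig_header, secret, now):
        return "rejected"                              # never parse a body that failed verification
    try:
        event = json.loads(raw_body)
        event_id = event["id"]
        if event.get("type") != "checkout.session.completed":
            return "ignored"
        session = event["data"]["object"]
        user_id = session["client_reference_id"]
        credits = int(session["metadata"]["credits"])  # 'credits' key is this example's convention
        if credits <= 0:
            return "rejected"
    except (ValueError, KeyError, TypeError, AttributeError):
        return "rejected"                              # malformed payload
    return apply_credit(db, event_id, user_id, credits)


def sample_event(event_id: str = "evt_example_1", user_id: str = "user_42", credits: int = 5) -> bytes:
    """Constructed checkout.session.completed event, not real Stripe traffic."""
    return json.dumps({"id": event_id, "type": "checkout.session.completed",
                       "data": {"object": {"client_reference_id": user_id,
                                           "metadata": {"credits": str(credits)}}}}).encode()
```

Two details carry the guarantees: the event id is claimed in the same transaction as the balance change, so a redelivered webhook hits the primary-key constraint instead of crediting again, and the versioned UPDATE means two handlers that read the same balance cannot both write it.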

CORS is enforced via an origin whitelist across all BuyCarCheck payment and check endpoints. Origins are matched exactly, so a lookalike origin that merely ends in or contains the real domain (domain-suffix spoofing) is rejected.
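An exact-match origin check of the kind described here, as an added example rather than BuyCarCheck's own code. The domain names are placeholders, and the weak suffix check is included only for contrast.

```python
"""CORS origin whitelist with exact matching; added example, not BuyCarCheck's code.

A suffix test such as origin.endswith("buycarcheck.example") accepts
https://evil-buycarcheck.example, and a substring test accepts
https://buycarcheck.example.attacker.test. Comparing the parsed scheme, host
and port against a fixed list rejects both. Domains are placeholders.
"""
from typing import Dict, Optional, Sequence
from urllib.parse import urlsplit

ALLOWED_ORIGINS = ("https://www.buycarcheck.example", "https://buycarcheck.example")


def normalise(origin: str) -> Optional[str]:
    """Canonical 'scheme://host[:port]' for a bare origin, or None if it is not one."""
    try:
        u = urlsplit(origin)
        port = u.port                         # raises ValueError on a garbage port
    except ValueError:
        return None
    if (u.scheme not in ("https", "http") or not u.hostname or u.username is not None
            or u.path or u.query or u.fragment):
        return None
    default = 443 if u.scheme == "https" else 80
    suffix = f":{port}" if port not in (None, default) else ""
    return f"{u.scheme}://{u.hostname}{suffix}"     # urlsplit already lower-cases the hostname


def cors_headers(request_origin: Optional[str], allowed: Sequence[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Response headers for a whitelisted origin; an empty dict means send no CORS headers at all."""
    allowed_set = {normalise(o) for o in allowed} - {None}
    origin = normalise(request_origin) if request_origin else None
    if origin is None or origin not in allowed_set:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,          # echo the exact match, never '*' with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                               # caches must not reuse the response across origins
    }


def naive_suffix_check(request_origin: str, allowed: Sequence[str] = ALLOWED_ORIGINS) -> bool:
    """The weak check that exact matching replaces: a plain string-suffix test."""
    return any(request_origin.endswith(urlsplit(a).hostname or "") for a in allowed)
```

Note that a mismatched origin gets no `Access-Control-Allow-Origin` header at all rather than an error body; the browser enforces the rest.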

Bot & Request Filtering

Suspicious requests hitting BuyCarCheck are logged and filtered at the proxy layer before any application logic runs. Known scanner patterns — path traversal probes, credential stuffing signatures, vulnerability scanners — are caught before they reach route handlers.
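The same kind of proxy-layer filtering, run over a handful of constructed access-log lines. This is an added example, not BuyCarCheck's filter: the log lines, addresses, login route, pattern lists and thresholds are all made up for the demonstration, and the pattern lists are a starting point rather than a complete ruleset.

```python
"""Proxy-layer request filter over constructed access-log lines; added example,
not BuyCarCheck's code. Three rule families run before any route handler sees
the request: path-traversal probes (matched after two rounds of percent-decoding
so double encoding does not slip through), well-known scanner user agents, and a
credential-stuffing heuristic (too many POSTs to the login route from one IP
inside a sliding window). Log lines, IPs, route and thresholds are made up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Sequence, Tuple
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCANNER_UA = re.compile(r"sqlmap|nikto|nuclei|masscan|zgrab|nmap|acunetix|dirbuster", re.I)
TRAVERSAL = re.compile(r"\.\./|\.\.\\|/etc/passwd|boot\.ini", re.I)
LOGIN_PATH = "/admin/login"
STUFFING_THRESHOLD = 5          # POSTs to LOGIN_PATH from one IP inside the window
WINDOW_SECONDS = 60


@dataclass
class Request:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Optional[Request]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                   m["method"], m["path"], int(m["status"]), m["ua"])


def classify(req: Request) -> Optional[str]:
    """Stateless rules: name of the first rule that fires, or None."""
    decoded = unquote(unquote(req.path))   # second pass catches %252e%252e%252f
    if TRAVERSAL.search(decoded):
        return "path-traversal"
    if SCANNER_UA.search(req.ua):
        return "scanner-ua"
    return None


def filter_log(lines: Sequence[str]) -> Tuple[List[Tuple[str, str]], List[Request]]:
    """Returns ([(ip, rule) for each blocked request], [requests allowed through])."""
    blocked: List[Tuple[str, str]] = []
    passed: List[Request] = []
    login_hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            blocked.append(("-", "malformed"))
            continue
        rule = classify(req)
        if rule is None and req.method == "POST" and req.path == LOGIN_PATH:
            # Sliding window: drop hits older than WINDOW_SECONDS, then count this one.
            hits = [t for t in login_hits[req.ip] if (req.ts - t).total_seconds() <= WINDOW_SECONDS]
            hits.append(req.ts)
            login_hits[req.ip] = hits
            if len(hits) >= STUFFING_THRESHOLD:
                rule = "credential-stuffing"
        if rule:
            blocked.append((req.ip, rule))
        else:
            passed.append(req)
    return blocked, passed


# Constructed sample traffic, not a real log.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2026:10:15:01 +0000] "GET /check?reg=AB12CDE HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:15:02 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2026:10:15:03 +0000] "GET /.env HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; Nuclei)"
192.0.2.44 - - [12/May/2026:10:15:10 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2026:10:15:11 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2026:10:15:12 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2026:10:15:13 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
192.0.2.44 - - [12/May/2026:10:15:14 +0000] "POST /admin/login HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.10 - - [12/May/2026:10:15:20 +0000] "POST /admin/login HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""
```

In the sample, the traversal probe is caught even though it arrives percent-encoded, the scanner is caught on its user agent, and the fifth rapid login POST from one address trips the stuffing rule while the legitimate login from another address passes.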

Data Privacy

BuyCarCheck collects minimal analytics: page, country, device type, and referral source. IP addresses are automatically nullified after 30 days via a scheduled cron job — no IP data is retained beyond that window.

No critical vulnerabilities. No data exposure. All findings closed before launch.

Findings

The audit returned no critical vulnerabilities. A small number of low-severity observations were identified and resolved before this post was published — none were publicly exploitable, and none involved user data.

We won't be detailing specific findings. Publishing what was and wasn't flagged hands unnecessary signal to anyone probing the surface. The outcome was clean and we're satisfied with BuyCarCheck's current security posture.

What's Next

Security reviews are now a recurring part of the BuyCarCheck release cycle. Deeper, targeted reviews on individual surfaces will follow as the platform grows. Every new zoopbyte product will go through its own dedicated review before launch.

We'll publish brief updates here as each review completes.