This is a demonstration microservice designed to show what NOT to do when handling sensitive customer data or deploying across multiple regions.
- Single instance deployment with no failover
- Local SQLite database with no replication
- No use of multiple zones/regions for deployment
- Uses a local SQLite database instead of cloud databases like Azure SQL, Azure Cosmos DB, etc.
- Runs on a standalone server rather than cloud services like Azure App Service
- No use of managed security services
- Hardcoded database credentials directly in code
- No use of environment variables, Azure Key Vault, or encrypted connection strings
- No separation of configuration between environments
- Uses basic print statements instead of a logging framework
- No integration with monitoring services
- No metrics collection or alerting
- No tracing or distributed logging
- Storing sensitive data (SSN, credit card) in plain text
- Returning sensitive data in API responses
- No input validation
- Exposing detailed error information
- No HTTPS

- Python 3.6+
- Clone this repository
- Install dependencies:
  pip install -r requirements.txt
- Run the service:
  python app.py
The service will be available at http://localhost:5000
GET /health
- Basic health check

POST /customers
- Add a new customer
  { "name": "John Doe", "email": "john@example.com", "ssn": "123-45-6789", "credit_card": "4111111111111111" }

GET /customers
- Get all customers (with their sensitive data)

POST /admin
- Admin login
  { "username": "admin", "password": "password123" }
This service is FOR DEMONSTRATION PURPOSES ONLY. It intentionally contains serious security flaws and should NEVER be used in a production environment or with real customer data.
The anti-patterns demonstrated here are for educational purposes to show what practices to avoid when building real microservices that handle sensitive data.
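
For contrast with the anti-patterns listed above, here is an added example (not code from this repository) of handling the POST /customers payload and the admin check defensively with only the Python standard library: input validation, masked sensitive fields in responses, and a secret read from the environment. The function names and the `ADMIN_PASSWORD` variable name are assumptions made for illustration.

```python
# Added example: hardened counterparts to three of the listed anti-patterns.
import hmac
import os
import re

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}", re.ASCII)
CARD_RE = re.compile(r"\d{13,19}", re.ASCII)


def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    digits = [int(d) for d in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


def validate_customer(payload: dict) -> list:
    """Return the names of invalid fields; an empty list means the payload is valid."""
    errors = []
    name = payload.get("name")
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= 100:
        errors.append("name")
    for field, pattern in (("email", EMAIL_RE), ("ssn", SSN_RE), ("credit_card", CARD_RE)):
        value = payload.get(field)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            errors.append(field)
    if "credit_card" not in errors and not luhn_ok(payload["credit_card"]):
        errors.append("credit_card")
    return errors


def public_view(customer: dict) -> dict:
    """Shape a stored record for an API response with sensitive fields masked."""
    card = customer["credit_card"]
    return {
        "name": customer["name"],
        "email": customer["email"],
        "ssn": "***-**-" + customer["ssn"][-4:],
        "credit_card": "*" * (len(card) - 4) + card[-4:],
    }


def admin_password_ok(supplied: str) -> bool:
    """Check against a secret from the environment instead of a literal in code."""
    expected = os.environ.get("ADMIN_PASSWORD")  # hypothetical variable name
    if not expected:
        return False  # fail closed when the secret is not configured
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

Returning only field names from `validate_customer` keeps error responses free of internal detail, and `hmac.compare_digest` avoids leaking the secret through comparison timing.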