security-fastapi

Review FastAPI security audit patterns for dependencies and middleware. Use for auditing auth dependencies, CORS configuration, and TrustedHost middleware. Use proactively when reviewing FastAPI apps.

Examples:
- user: "Audit FastAPI route security" → check for Depends() and Security() usage
- user: "Check FastAPI CORS setup" → verify origins when allow_credentials=True
- user: "Review FastAPI middleware" → check TrustedHost and HTTPSRedirect config
- user: "Secure FastAPI API keys" → move from query params to header schemes
- user: "Scan for FastAPI footguns" → check starlette integration and dependency order

Updated 1/31/2026

SKILL.md
Security audit patterns for FastAPI applications covering authentication dependencies, CORS configuration, and middleware security.

Core Risks to Check

Missing Auth on Routes

FastAPI has no global authentication switch: a route is protected only if an auth dependency is attached to it, either as a parameter (Depends(get_current_user), Security(get_current_user, scopes=[...])), in the decorator's or the router's dependencies=[...] list, or through app.include_router(router, dependencies=[...]). If no Depends()/Security() usage exists anywhere in the codebase, MUST review every route for unintended public access. If it does exist, MUST still check each sensitive route individually: one forgotten dependency silently makes that route public, and grep only proves that auth is used somewhere, not that it covers the route in question.

from fastapi import Depends, FastAPI, Security

app = FastAPI()

# get_current_user is the application's own auth dependency (token or session
# verification). It must raise HTTPException (401/403) on failure; to honour
# Security(..., scopes=[...]) it must accept a SecurityScopes parameter.
@app.get("/private")
async def private_route(user=Depends(get_current_user)):
    return {"ok": True}

@app.get("/scoped")
async def scoped_route(user=Security(get_current_user, scopes=["items"])):
    return {"ok": True}

All sensitive routes MUST require Depends() or Security() auth dependencies.
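The rg commands later in this skill show whether Depends()/Security() appear at all; they cannot say which routes lack them. The scanner below is an added example written for this page (it is not part of the skill's scripts): it parses a module with the standard-library ast module, finds route decorators on app or router objects, and lists routes that carry no auth dependency as a parameter default, inside an Annotated[...] annotation, in the decorator's dependencies=[...], or on an APIRouter that was created or included with dependencies=[...] in the same file. The sample module and the name get_current_user are constructed for the demonstration. Routers included from other files, project wrappers around Depends, and checks done inside the endpoint body are not seen, so treat the output as a review list rather than a verdict and confirm at runtime against app.routes.

```python
import ast
from collections import namedtuple

ROUTE_METHODS = {"get", "post", "put", "patch", "delete", "options", "head", "api_route"}
AUTH_MARKERS = {"Depends", "Security"}  # add project-specific wrappers here if any

Route = namedtuple("Route", "method path func line protected")

# Constructed sample module (not from the page); get_current_user is assumed to exist.
SAMPLE = '''
from typing import Annotated
from fastapi import APIRouter, Depends, FastAPI, Security
app = FastAPI()
admin = APIRouter(prefix="/admin", dependencies=[Depends(get_current_user)])
@app.get("/health")
async def health(): ...
@app.get("/private")
async def private_route(user=Depends(get_current_user)): ...
@app.get("/scoped")
async def scoped_route(user: Annotated[dict, Security(get_current_user, scopes=["items"])]): ...
@app.delete("/items/{item_id}")
async def delete_item(item_id: int): ...
@admin.get("/users")
async def list_users(): ...
@app.post("/items", dependencies=[Depends(get_current_user)])
async def create_item(item: dict): ...
'''

def _call_name(node):
    """Depends(...) or fastapi.Depends(...) -> 'Depends'."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def _is_auth_call(node):
    return isinstance(node, ast.Call) and _call_name(node.func) in AUTH_MARKERS

def _has_dependencies_kw(call):
    """dependencies=[Depends(auth), ...] on a decorator, APIRouter(...) or include_router(...)."""
    for kw in call.keywords:
        if kw.arg == "dependencies" and isinstance(kw.value, (ast.List, ast.Tuple)):
            return any(_is_auth_call(e) for e in kw.value.elts)
    return False

def _params_carry_auth(func):
    a = func.args
    if any(_is_auth_call(d) for d in list(a.defaults) + list(a.kw_defaults) if d is not None):
        return True  # user=Depends(get_current_user)
    for p in a.posonlyargs + a.args + a.kwonlyargs:
        ann = p.annotation
        if isinstance(ann, ast.Subscript) and _call_name(ann.value) == "Annotated":
            inner = getattr(ann.slice, "value", ann.slice)  # ast.Index wrapper on Python 3.8
            elts = inner.elts if isinstance(inner, ast.Tuple) else [inner]
            if any(_is_auth_call(e) for e in elts):
                return True  # user: Annotated[User, Security(...)]
    return False

def _guarded_routers(tree):
    """Names of routers that carry dependencies=[...] at creation or at include_router()."""
    names = set()
    for n in ast.walk(tree):
        if (isinstance(n, ast.Assign) and isinstance(n.value, ast.Call)
                and _call_name(n.value.func) == "APIRouter" and _has_dependencies_kw(n.value)):
            names.update(t.id for t in n.targets if isinstance(t, ast.Name))
        elif (isinstance(n, ast.Call) and _call_name(n.func) == "include_router"
                and n.args and isinstance(n.args[0], ast.Name) and _has_dependencies_kw(n)):
            names.add(n.args[0].id)
    return names

def scan_source(src):
    """Return one Route per route decorator found in src, in source order."""
    tree = ast.parse(src)
    guarded = _guarded_routers(tree)
    routes = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for dec in node.decorator_list:
            if not (isinstance(dec, ast.Call) and isinstance(dec.func, ast.Attribute)
                    and dec.func.attr in ROUTE_METHODS):
                continue
            owner = dec.func.value  # the app or router object the decorator hangs off
            path = dec.args[0].value if dec.args and isinstance(dec.args[0], ast.Constant) else "?"
            protected = (_params_carry_auth(node) or _has_dependencies_kw(dec)
                         or (isinstance(owner, ast.Name) and owner.id in guarded))
            routes.append(Route(dec.func.attr.upper(), str(path), node.name, node.lineno, protected))
    return routes

def unprotected_routes(src):
    """(method, path, function) for every route with no auth dependency visible in src."""
    return [(r.method, r.path, r.func) for r in scan_source(src) if not r.protected]

if __name__ == "__main__":
    for method, path, func in unprotected_routes(SAMPLE):
        print(f"NO AUTH  {method:6} {path:20} {func}")
```

Run it over each module that defines routes (read the file and pass its text to unprotected_routes) and walk the list with the owner: a health check being public is expected, an unauthenticated DELETE on a resource path is a finding.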

API Key Schemes

If using API keys, SHOULD prefer header-based schemes (APIKeyHeader) over APIKeyQuery: a key in the query string is written to server and proxy access logs, browser history and Referer headers. The scheme object only extracts the header value and rejects requests that lack it; it performs no validation. MUST validate the key server-side against the configured credential (constant-time comparison, ideally against a stored hash) and MUST NOT echo the key back in the response.

import hmac
import os
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import APIKeyHeader

app = FastAPI()
api_key = APIKeyHeader(name="x-api-key")  # extracts the header only; missing header is rejected

async def require_api_key(key: str = Depends(api_key)) -> None:
    # Constant-time compare against the configured key (read from an env var here); never echo it.
    if not hmac.compare_digest(key.encode(), os.environ["API_KEY"].encode()):
        raise HTTPException(status.HTTP_403_FORBIDDEN, "invalid API key")

@app.get("/items", dependencies=[Depends(require_api_key)])
async def read_items():
    return {"items": []}

CORS: Avoid Wildcards with Credentials

Browsers refuse to expose a credentialed response (cookies, Authorization, TLS client certificates) when Access-Control-Allow-Origin is "*", which makes a wildcard look harmless. It is not. With allow_origins=["*"] and allow_credentials=True, Starlette's CORSMiddleware replaces "*" with the request's own Origin whenever the request carries a Cookie header, and adds Access-Control-Allow-Credentials: true, so any site can issue cookie-authenticated simple requests (GET, form POST) and read the responses. For authenticated browser clients, MUST list allowed origins explicitly. Entries are compared to the Origin header as exact strings, so each must be scheme://host[:port] with a lowercase host and no path or trailing slash.

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],  # MUST be explicit; exact string match
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

MUST NOT use allow_origins=["*"] with allow_credentials=True. The same applies to allow_origin_regex: a pattern that matches arbitrary origins is a wildcard by another name, so any regex MUST be anchored to the full origin and escape its dots.
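A second added example, written for this page rather than taken from the skill: a stdlib-only checker for the CORSMiddleware keyword arguments. It flags the wildcard-plus-credentials pairing above, origin entries that can never equal a browser's Origin header (trailing slash, path, uppercase host), plaintext origins, the "null" origin, and an allow_origin_regex that accepts constructed attacker origins. The probe origins and the configurations in the usage block are made up for the demonstration; the fullmatch semantics mirror Starlette's regex check, which you should confirm against the Starlette version pinned in the project.

```python
import re

# Constructed probe origins (not from the page): each stands for a class of
# attacker-controlled Origin that a loose pattern tends to accept.
PROBE_ORIGINS = (
    "https://example.com.attacker.example",  # trusted host as a prefix (unanchored end)
    "https://attackerexample.com",           # no "\." required before the domain
    "http://app.example.com",                # plaintext scheme (https? in the pattern)
    "null",                                  # sandboxed iframes, file://, some redirects
)


def audit_cors(allow_origins=(), allow_credentials=False, allow_origin_regex=None):
    """Return findings for a CORSMiddleware configuration; an empty list means nothing found."""
    findings = []
    origins = list(allow_origins)
    if "*" in origins and allow_credentials:
        findings.append("allow_origins=['*'] with allow_credentials=True: any site can make credentialed requests")
    if "null" in origins:
        findings.append("'null' origin allowed: sandboxed iframes and some redirects send it")
    for o in origins:
        if o == "*":
            continue
        # Starlette compares entries to the Origin header as exact strings; browsers serialize
        # it as scheme://host[:port] with a lowercase host and no path or trailing slash.
        if o.endswith("/") or o.count("/") > 2 or o != o.lower():
            findings.append(f"{o!r} can never match an Origin header (path, trailing slash or uppercase)")
        elif o.startswith("http://") and not o.startswith(("http://localhost", "http://127.0.0.1")):
            findings.append(f"{o!r} is plaintext: credentials would be sent cross-origin over http")
    if allow_origin_regex:
        rx = re.compile(allow_origin_regex)
        for probe in PROBE_ORIGINS:
            if rx.fullmatch(probe):  # Starlette also uses fullmatch; confirm for the pinned version
                findings.append(f"allow_origin_regex {allow_origin_regex!r} matches untrusted origin {probe!r}")
    return findings


if __name__ == "__main__":
    # Constructed configurations: the weak settings beside the corrected one.
    for cfg in (
        dict(allow_origins=["*"], allow_credentials=True),
        dict(allow_origins=["https://app.example.com/"], allow_credentials=True),
        dict(allow_origin_regex=r"https?://.*example.com", allow_credentials=True),
        dict(allow_origin_regex=r"https://(.*\.)?example\.com", allow_credentials=True),
        dict(allow_origins=["https://app.example.com"], allow_credentials=True),
    ):
        print(cfg, "->", audit_cors(**cfg) or "OK")
```

Feed it the literal keyword arguments found by the CORS rg command; when the origins come from settings or environment variables, resolve the production values first, since a list that is correct in code can still be a wildcard at runtime.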

Host Header and HTTPS Enforcement

SHOULD add TrustedHostMiddleware so that a request with an unexpected Host header is rejected (400) before anything builds absolute URLs, password-reset links or redirects from it; its default allowed_hosts is ["*"], which accepts any host. SHOULD enforce HTTPS in production. Two caveats: add_middleware() wraps the app, so the middleware added last is the outermost and runs first; and HTTPSRedirectMiddleware decides from the ASGI scheme, so behind a TLS-terminating proxy the ASGI server MUST trust X-Forwarded-Proto from that proxy (uvicorn: --proxy-headers with --forwarded-allow-ips set to the proxy addresses), otherwise every request looks like plain http and the middleware redirects in a loop.

from fastapi import FastAPI
from starlette.middleware.httpsredirect import HTTPSRedirectMiddleware
from starlette.middleware.trustedhost import TrustedHostMiddleware

app = FastAPI()

# Added last, TrustedHostMiddleware is outermost: an untrusted Host is rejected
# before HTTPSRedirectMiddleware builds a redirect URL from it.
app.add_middleware(HTTPSRedirectMiddleware)
app.add_middleware(TrustedHostMiddleware, allowed_hosts=["example.com", "*.example.com"])

Quick Audit Commands

# Detect FastAPI usage
rg -n "fastapi" pyproject.toml requirements*.txt

# Find routes (app- and router-level decorators, including api_route and websocket)
rg -n "@\w+\.(get|post|put|patch|delete|options|head|api_route|websocket)\(" . -g "*.py"

# Check for auth dependencies, including router-level ones
rg -n "Depends\(|Security\(|dependencies=\[|include_router\(" . -g "*.py"

# CORS config, wildcards and regexes
rg -n "CORSMiddleware|allow_origins|allow_origin_regex|allow_credentials" . -g "*.py"

# TrustedHost/HTTPS middleware
rg -n "TrustedHostMiddleware|HTTPSRedirectMiddleware|allowed_hosts" . -g "*.py"

These commands show presence, not coverage: compare the route list against the dependency list route by route, and for a definitive answer inspect app.routes in a shell, where each APIRoute exposes its resolved dependency tree (route.dependant) including router-level dependencies.

Hardening Checklist

  • All sensitive routes MUST require Depends() or Security() auth dependencies (as a parameter, in the decorator's dependencies=[...], or on the router)
  • API key schemes SHOULD use headers (APIKeyHeader), not query params; keys MUST be validated server-side and never echoed back
  • allow_origins MUST be explicit when allow_credentials=True; allow_origin_regex, if used, MUST be anchored and escape dots
  • TrustedHostMiddleware SHOULD be configured for production domains (the default allowed_hosts=["*"] accepts any Host)
  • HTTPSRedirectMiddleware SHOULD be enabled in production (or enforced by proxy); behind a proxy the ASGI server MUST trust X-Forwarded-Proto from that proxy only

Scripts

  • scripts/scan.sh - First-pass FastAPI security scan



Metadata

License: unknown
Version: -
Publisher: justinlevinedotme

Tags: apisecurity