APIsec for FastAPI

What middleBrick covers

  • Black-box scanning with no agents or code access
  • Covers OWASP API Top 10 (2023) categories
  • Supports OpenAPI 3.0, 3.1, and Swagger 2.0
  • Authenticated scanning with header allowlist
  • Continuous monitoring and score trend tracking
  • Produces mapped findings for PCI-DSS, SOC 2, and OWASP

How APIsec evaluates FastAPI configurations

FastAPI builds its OpenAPI document from route decorators and dependency injection and, by default, serves it at /openapi.json. Because the scan is black box, APIsec works from that served document and from observed responses rather than from your source code: it reads the declared security schemes and the per-operation security requirements, then sends requests to check that each requirement is actually enforced. The checks cover whether a security dependency is applied at the intended scope (application, router, or single route), whether a global security requirement is silently overridden or disabled at the route level (an operation-level `security: []` removes the requirement entirely), and whether an optional credential dependency (one created with `auto_error=False`, which does not fail when the credential is absent) sits where a mandatory check is expected. Findings highlight operations whose declared requirement does not match the behaviour observed on the wire.
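The resolution rule behind that check, as an added illustration rather than middleBrick's own code: operation-level `security` replaces the global list, an explicit empty list means public, and a declared requirement that still answers 2xx to an unauthenticated probe is the mismatch worth reporting. The OpenAPI document and the probe statuses below are constructed for the example; unsafe methods are deliberately absent from the probe results because a scanner does not send them without credentials.

```python
"""Resolve each operation's effective OpenAPI security requirement and flag
operations that declare one yet answered 2xx without credentials.
Added example, not middleBrick code; document and probe results are constructed."""
from typing import Dict, Iterator, List, Optional, Tuple

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed document in the shape FastAPI serves at /openapi.json.
# A global requirement asks for a bearer token; some operations override it.
SAMPLE_DOC = {
    "openapi": "3.1.0",
    "components": {"securitySchemes": {"OAuth2PasswordBearer": {
        "type": "oauth2",
        "flows": {"password": {"tokenUrl": "/token",
                               "scopes": {"items:write": "Write items"}}}}}},
    "security": [{"OAuth2PasswordBearer": []}],
    "paths": {
        "/items": {
            "get": {"operationId": "list_items"},          # inherits global requirement
            "post": {"operationId": "create_item",
                     "security": [{"OAuth2PasswordBearer": ["items:write"]}]},
        },
        "/health": {
            # `security: []` at operation level is how the spec says "public".
            "get": {"operationId": "health", "security": []},
        },
        "/admin/users": {
            "get": {"operationId": "list_users"},          # inherits global requirement
            "delete": {"operationId": "purge_users"},      # inherits global requirement
        },
    },
}

# Constructed probe results keyed by (METHOD, path): status returned to a request
# sent with no credentials. DELETE is absent: unsafe methods are not probed
# unauthenticated, so they stay unverified rather than being guessed.
OBSERVED: Dict[Tuple[str, str], int] = {
    ("GET", "/items"): 401,
    ("POST", "/items"): 401,
    ("GET", "/health"): 200,
    ("GET", "/admin/users"): 200,   # declared protected, served anyway
}


def effective_security(doc: dict, operation: dict) -> List[dict]:
    """Operation-level `security` replaces the global list entirely.

    An explicit empty list disables authentication for that operation; omitting
    the key inherits the global requirement. The two are not the same."""
    if "security" in operation:
        return operation["security"]
    return doc.get("security", [])


def iter_operations(doc: dict) -> Iterator[Tuple[str, str, dict]]:
    # Path items also carry non-method keys such as "parameters"; skip those.
    for path, item in doc.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                yield path, method.upper(), op


def audit(doc: dict, observed: Dict[Tuple[str, str], int]) -> Dict[str, list]:
    """Classify every operation as enforced, unenforced, public or unverified."""
    report: Dict[str, list] = {"enforced": [], "unenforced": [], "public": [], "unverified": []}
    for path, method, op in iter_operations(doc):
        key = f"{method} {path}"
        requirement = effective_security(doc, op)
        if not requirement:
            report["public"].append(key)
            continue
        status: Optional[int] = observed.get((method, path))
        if status is None:
            report["unverified"].append(key)
        elif 200 <= status < 300:
            scopes = sorted({scope for req in requirement
                             for scope_list in req.values() for scope in scope_list})
            report["unenforced"].append({"operation": key, "declared": requirement,
                                         "scopes": scopes, "status": status})
        else:
            report["enforced"].append(key)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_DOC, OBSERVED), indent=2))
```

The `unverified` bucket is the honest answer for methods a black-box scanner will not exercise without credentials; it is the gap that authenticated scanning closes.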

Mapping findings to compliance frameworks

middleBrick maps findings to three frameworks: PCI-DSS 4.0, SOC 2 Type II, and OWASP API Top 10 (2023). Controls related to authentication, session management, and input validation are evaluated against these references. For PCI-DSS 4.0, the scanner checks for clear separation of authentication and authorization paths and for exposure surfaces that could return cardholder data. For SOC 2 Type II, it reviews access control configuration and the auditability of security-relevant events. OWASP API Top 10 coverage spans the list's ten categories, with each control exercised wherever the API surface permits.

Authenticated scanning requirements for FastAPI

Authenticated scans increase coverage of protected endpoints. To enable this mode, you must provide a valid Bearer token, API key, Basic credential, or session cookie. Domain ownership is verified through a DNS TXT record or an HTTP well-known file (served under /.well-known/ at the domain root). Only a restricted set of headers is forwarded: Authorization, X-API-Key, Cookie, and headers prefixed with X-Custom-. This keeps credentials from being sent to unrelated hosts while still letting the scanner exercise the authenticated workflows your FastAPI dependencies define.

FastAPI-specific friction points and detection fidelity

FastAPI features such as nested routers, custom exception handlers, and automatic schema generation can obscure misconfigurations. APIsec detects when global CORS policies are overly permissive, when debug or interactive documentation endpoints (FastAPI serves /docs, /redoc and /openapi.json by default) remain reachable on production-like hosts, and when a security scheme is declared but not enforced on every method of a path. The scanner identifies JWT misconfigurations common in token-based setups, including acceptance of weak or unexpected algorithms and missing validation of claims such as exp, iss and aud. Where access depends on role, the tool surfaces response properties that appear over-exposed and highlights fields that should be withheld from certain roles (OWASP API3:2023, Broken Object Property Level Authorization).
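What "pinned algorithm and validated claims" looks like in practice, as an added example rather than code from middleBrick or from FastAPI: a standard-library HS256 verifier that refuses any `alg` other than the one it was configured for, checks the signature before reading claims, and requires `sub`, `exp`, `iss` and `aud` to be present and correct. In a FastAPI app the `verify_token` call would sit inside a dependency declared with `Depends()`; the key, issuer and audience are placeholders, and `mint_token` exists only to build the demo tokens (including the deliberately bad ones).

```python
"""Token verification that pins the algorithm and requires specific claims.
Added example on the standard library only (no PyJWT), not middleBrick code.
KEY, ISSUER and AUDIENCE are placeholders."""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

KEY = b"replace-me-with-a-real-secret"     # placeholder HMAC key
ISSUER = "https://auth.example.test"        # placeholder issuer
AUDIENCE = "fastapi-api"                    # placeholder audience
ALLOWED_ALG = "HS256"                       # the verifier decides, not the token


class TokenError(Exception):
    pass


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper for demo tokens, including unsigned alg=none ones."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [_b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    signing_input = ".".join(segments).encode()
    if alg == "HS256":
        signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    elif alg == "none":
        signature = b""
    else:
        raise ValueError("demo only mints HS256 or none")
    return ".".join(segments + [_b64url_encode(signature)])


def verify_token(token: str, key: bytes, *, issuer: str, audience: str,
                 required: Iterable[str] = ("sub", "exp", "iss", "aud"),
                 now: Optional[float] = None) -> dict:
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError as exc:               # covers bad base64 and bad JSON
        raise TokenError("malformed token") from exc
    # 1. Pin the algorithm. Trusting header["alg"] is what lets "none" or
    #    key-confusion tokens through.
    if header.get("alg") != ALLOWED_ALG:
        raise TokenError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(p_b64))
    # 2. Required claims must be present; absence is a rejection, not a default.
    missing = [c for c in required if c not in claims]
    if missing:
        raise TokenError(f"missing claims: {missing}")
    # 3. ...and must hold.
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= current:
        raise TokenError("token expired")
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    return claims


def outcome(token: str, now: float) -> str:
    """'ok' or the rejection reason; convenient for reports and tests."""
    try:
        verify_token(token, KEY, issuer=ISSUER, audience=AUDIENCE, now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)


# Constructed demo tokens.
NOW = 1_700_000_000
_OK = {"sub": "alice", "iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 600}
GOOD = mint_token(_OK, KEY)
ALG_NONE = mint_token(_OK, KEY, alg="none")
NO_EXP = mint_token({k: v for k, v in _OK.items() if k != "exp"}, KEY)
WRONG_AUD = mint_token({**_OK, "aud": "other-api"}, KEY)
_H, _P, _S = GOOD.split(".")
FORGED = ".".join([_H, _b64url_encode(b'{"sub":"bob"}'), _S])   # payload swapped, old signature

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("alg=none", ALG_NONE), ("no exp", NO_EXP),
                      ("wrong aud", WRONG_AUD), ("forged", FORGED)]:
        print(f"{name:10s} -> {outcome(tok, NOW)}")
```

The order matters: the algorithm check and signature check run before any claim is read, so an attacker-controlled payload never influences which verifier is used. With PyJWT the equivalent is passing `algorithms=[...]`, `audience`, `issuer` and `options={"require": [...]}` to `jwt.decode` rather than accepting its defaults.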

Remediation guidance and next steps

Findings include prioritized risk scores and step-by-step guidance rather than automated fixes. For example, if an endpoint lacks required scope enforcement, the report shows the exact security dependency configuration needed in your FastAPI route or dependency function. For CORS issues, you receive concrete examples of strict origin definitions and credential settings. You can rerun the scan after changes to verify that new findings do not appear and that existing items move toward resolved status.

  • Use explicit dependencies for each route that requires authentication.
  • Define precise CORS origins and avoid wildcard credentials.
  • Validate JWT algorithms and required claims in token verification logic.
  • Limit response fields to the minimum necessary for each role.
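For the CORS item in particular, the weak and the corrected settings side by side, as an added example that is not middleBrick's output or FastAPI's code. The decision logic is a simplified model of how an origin-allowlist middleware such as Starlette's `CORSMiddleware` (which FastAPI wraps) admits an origin: wildcard, exact allowlist match, or full regex match. The policies and probe origins are constructed; the audit lists every origin outside the intended allowlist that would still receive `Access-Control-Allow-Credentials: true`, which is the condition under which an attacker's page can read authenticated responses from a victim's browser.

```python
"""Audit CORS settings for origins admitted with credentials.
Added example, not middleBrick code; the decision function is a simplified
model of an allowlist middleware and all policies/origins are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CorsPolicy:
    allow_origins: List[str] = field(default_factory=list)
    allow_origin_regex: Optional[str] = None
    allow_credentials: bool = False


def origin_allowed(policy: CorsPolicy, origin: str) -> bool:
    # Simplified model: wildcard, exact allowlist match, or full regex match.
    if "*" in policy.allow_origins or origin in policy.allow_origins:
        return True
    if policy.allow_origin_regex and re.fullmatch(policy.allow_origin_regex, origin):
        return True
    return False


def response_headers(policy: CorsPolicy, origin: str) -> Dict[str, str]:
    """CORS headers a request from `origin` would get back (model)."""
    if not origin_allowed(policy, origin):
        return {}
    headers = {"Access-Control-Allow-Origin": origin}   # echoed so credentials can be used
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit(policy: CorsPolicy, intended: List[str], probes: List[str]) -> List[str]:
    """Origins outside `intended` that still get credentials admitted."""
    return [o for o in probes
            if o not in intended
            and response_headers(policy, o).get("Access-Control-Allow-Credentials") == "true"]


# Constructed inputs: the one origin the app should serve, and the kind of
# origins a scanner tries in order to show a policy admits more than that.
INTENDED = ["https://app.example.com"]
PROBES = [
    "https://app.example.com",
    "https://evil.example",
    "https://app.example.com.evil.example",   # allowed prefix, attacker suffix
    "https://appXexample.com",                # unescaped dot matches any char
    "http://app.example.com",                 # scheme downgrade
]

# Weak: wildcard plus credentials admits every origin with cookies attached.
WEAK = CorsPolicy(allow_origins=["*"], allow_credentials=True)
# Sloppy: regex with unescaped dots and an open-ended tail.
SLOPPY = CorsPolicy(allow_origin_regex=r"https://app.example.com.*", allow_credentials=True)
# Strict: explicit origins only; credentials are then safe to allow.
STRICT = CorsPolicy(allow_origins=INTENDED, allow_credentials=True)

if __name__ == "__main__":
    for name, policy in [("weak", WEAK), ("sloppy", SLOPPY), ("strict", STRICT)]:
        print(f"{name:7s} admits with credentials: {audit(policy, INTENDED, PROBES)}")
```

The `STRICT` policy is what the remediation bullet asks for: enumerate origins exactly, and if a regex is unavoidable, escape the dots and anchor the whole origin (`re.fullmatch` on `r"https://app\.example\.com"` admits nothing the allowlist would not).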

Frequently Asked Questions

Does APIsec test for SQL injection in FastAPI applications?
No. The scanner does not perform active SQL injection testing, as that requires intrusive payloads outside its scope.
Can APIsec scan a FastAPI app behind authentication without credentials?
Unauthenticated scans exercise only safe, read-only methods on endpoints that are reachable without credentials. Full endpoint coverage requires authenticated scanning with verified credentials.
Will APIsec detect business logic flaws in FastAPI endpoints?
No. Business logic vulnerabilities require domain understanding and are not detected by automated scanning.
Does APIsec integrate directly with FastAPI test suites?
APIsec does not integrate as a testing library. It is a black-box scanner that analyzes the deployed API surface.
How are LLM-related findings generated during FastAPI scans?
LLM security checks send adversarial probes as text-only POST bodies to endpoints that accept free-form text. The probes are designed to be non-destructive, consistent with the scanner's read-only posture and safe probe design.