Fastapi API Security

Scan your fastapi API

Fastapi Security Posture

Fastapi's design philosophy prioritizes developer productivity and type safety, which creates a mixed security posture out of the box. The framework's automatic request validation and dependency injection system reduce common injection vulnerabilities, but several default configurations leave APIs exposed to real-world attacks.

Fastapi's automatic JSON schema generation and Pydantic model validation provide strong input validation by default, preventing many malformed request attacks. The async-first architecture also reduces certain timing-based vulnerabilities. However, Fastapi's permissive CORS defaults, lack of built-in rate limiting, and minimal authentication scaffolding mean developers must actively secure their APIs.

The framework's reflection capabilities (auto-generating OpenAPI specs) can inadvertently expose sensitive endpoint information if not properly configured. Fastapi's dependency injection system, while powerful, can create BOLA (Broken Object Level Authorization) vulnerabilities when developers incorrectly scope database queries or fail to validate user permissions against resource ownership.

Top 5 Security Pitfalls in Fastapi

1. BOLA via Incorrect Dependency Injection
Fastapi's dependency injection makes it easy to accidentally expose data across user boundaries. A common pattern:

@app.get('/items/{item_id}')
def read_item(item_id: int, db: Database = Depends(get_db)):
    item = db.fetch_item(item_id)  # No user context!
    return item

This allows any authenticated user to access any item. The fix requires passing the authenticated user into dependencies and validating ownership.

2. Exposed OpenAPI/Swagger Documentation
Fastapi auto-generates OpenAPI specs accessible at /docs and /openapi.json by default. In production, this can reveal:

  • Internal endpoint structures
  • Request/response schemas with sensitive field names
  • Authentication mechanisms being used

3. Missing Rate Limiting
Fastapi provides no built-in rate limiting. Without it, APIs are vulnerable to:

  • Brute force authentication attacks
  • API abuse and cost escalation
  • Denial of service via resource exhaustion

4. Insecure CORS Configuration
Fastapi's CORSMiddleware defaults to allowing all origins when misconfigured:

app.add_middleware(
    CORSMiddleware,
    allow_origins=['*'],  # Don't do this in production!
    allow_credentials=True,
    allow_methods=['*'],
    allow_headers=['*']
)

5. Debug Mode in Production
Running with debug=True exposes:

  • Interactive traceback pages with stack traces
  • REPL console access on error pages
  • Detailed framework information to attackers

Security Hardening Checklist

Authentication & Authorization
Implement proper dependency injection with user context:

async def get_current_user(token: str = Depends(oauth2_scheme)):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail='Could not validate credentials',
        headers={'WWW-Authenticate': 'Bearer'}
    )
    return credentials_exception

Always validate resource ownership:

@app.get('/items/{item_id}')
async def read_item(
    item_id: int,
    current_user: User = Depends(get_current_user),
    db: Database = Depends(get_db)
):
    item = await db.fetch_item_by_user(item_id, current_user.id)
    if not item:
        raise HTTPException(status_code=404, detail='Item not found')
    return item

Production Hardening
Secure your OpenAPI exposure:

app = FastAPI(docs_url=None, openapi_url=None)  # Disable in production

Implement rate limiting with middleware:

class RateLimitMiddleware:
    async def __call__(self, request: Request, call_next):
        # Implement Redis-based rate limiting
        pass

Input Validation & Security Headers
Leverage Pydantic's strict mode:

from pydantic import BaseModel, Field

class ItemCreate(BaseModel):
    name: str = Field(..., min_length=1, max_length=100)
    price: float = Field(..., ge=0.0)
    description: str = Field(None, max_length=500)

Add security headers middleware:

from fastapi.middleware import SecureHeadersMiddleware
app.add_middleware(SecureHeadersMiddleware)
Scan your fastapi API See fastapi vulnerabilities

Frequently Asked Questions

How can I scan my Fastapi API for security vulnerabilities?
middleBrick provides instant security scanning for Fastapi APIs without any setup. Simply paste your API URL into the dashboard or use the CLI tool: middlebrick scan https://your-api.com. The scanner tests for Fastapi-specific vulnerabilities like BOLA through dependency injection analysis, exposed OpenAPI documentation, and missing authentication scaffolding. Results include a letter grade (A-F) with prioritized findings and remediation guidance.
Does Fastapi's automatic OpenAPI generation create security risks?
Yes, Fastapi's default OpenAPI exposure at /docs and /openapi.json can reveal your API's structure, authentication methods, and data models to attackers. In production, disable these endpoints with docs_url=None, openapi_url=None when creating your FastAPI app. middleBrick specifically tests for exposed documentation as part of its inventory management checks and flags this as a medium severity finding.
How do I prevent BOLA vulnerabilities in Fastapi dependency injection?
BOLA vulnerabilities occur when Fastapi dependencies don't properly scope data to the authenticated user. Always inject the current user into your dependencies and validate resource ownership. For example, instead of querying by ID alone, query by both ID and user_id. middleBrick's BOLA scanning specifically tests for these authorization gaps by attempting to access resources across different user contexts to identify missing ownership validation.