Security Misconfiguration in Fastapi
How Security Misconfiguration Manifests in Fastapi
Security misconfiguration in Fastapi applications often stems from default settings, missing middleware, and improper dependency injection. One common manifestation is the exposure of debug mode in production. When debug=True is enabled, Fastapi (via Starlette) provides detailed error pages with stack traces, environment variables, and internal server paths. This information becomes a goldmine for attackers during reconnaissance.
Fastapi-Specific Detection
Detecting security misconfigurations in Fastapi requires both static analysis and runtime scanning. The middleBrick scanner specifically targets Fastapi's unique characteristics through its black-box scanning approach. For misconfiguration detection, middleBrick examines several Fastapi-specific patterns:
Debug Mode Detection: middleBrick attempts to trigger error conditions that would reveal debug mode status. By sending malformed requests and analyzing response headers, it can detect whether Fastapi is running with debug enabled, which would expose detailed error pages.
CORS Policy Analysis: The scanner tests CORS configurations by making cross-origin requests from different domains and analyzing the Access-Control-Allow-Origin headers. It identifies overly permissive settings like wildcard origins or credentials allowed with public access.
Middleware Security Assessment: middleBrick evaluates the effectiveness of security middleware by testing request flows. For example, it verifies whether HTTPS redirection occurs before other middleware processes requests, and whether trusted host validation properly restricts access.
OpenAPI Documentation Exposure: The scanner automatically discovers and analyzes Fastapi's auto-generated documentation endpoints (/docs, /redoc, OpenAPI JSON). It checks whether these are accessible without authentication and whether they expose sensitive endpoint descriptions or parameter details.
Exception Handling Analysis: By inducing various error conditions (invalid JSON, missing parameters, database connection failures), middleBrick examines error responses for sensitive data leakage, including stack traces, database queries, or internal system information.
Environment Configuration Testing: The scanner probes for environment-specific behaviors by examining response variations, header information, and error message content that might indicate development vs production configurations.
Using middleBrick for Fastapi misconfiguration scanning:
# Install middleBrick CLI
npm install -g middlebrick
# Scan a Fastapi endpoint
middlebrick scan https://api.example.com --output json
# Scan with GitHub Action
- name: FastAPI Security Scan
uses: middlebrick/middlebrick-action@v1
with:
url: https://api.example.com
fail-on-severity: high
The scanner provides Fastapi-specific findings with severity levels and remediation guidance. For instance, it might detect that your Fastapi application is exposing debug information with a critical severity finding, or that CORS policies are overly permissive with a high severity rating.
middleBrick's OpenAPI analysis is particularly valuable for Fastapi applications since it can cross-reference your actual running API with the generated OpenAPI specification, identifying discrepancies between documented and implemented security controls.
Fastapi-Specific Remediation
Remediating security misconfigurations in Fastapi requires leveraging the framework's built-in features and following security best practices. Here are Fastapi-specific fixes for common misconfigurations:
Debug Mode Configuration: Always disable debug mode in production using environment-based configuration:
import os
from fastapi import FastAPI
DEBUG = os.getenv("DEBUG", "false").lower() == "true"
app = FastAPI(debug=DEBUG)
# In production, set DEBUG=false in your environment
# Alternatively, use pydantic settings for better configuration management
from pydantic_settings import BaseSettings
class Settings(BaseSettings):
debug: bool = False
class Config:
env_file = ".env"
settings = Settings()
app = FastAPI(debug=settings.debug)
Secure CORS Configuration: Implement restrictive CORS policies that only allow specific origins:
from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
CORSMiddleware,
allow_origins=["https://yourdomain.com"], # Specific origins only
allow_credentials=False, # Don't allow credentials unless necessary
allow_methods=["GET", "POST", "PUT", "DELETE"], # Only needed methods
allow_headers=["Content-Type", "Authorization"] # Only required headers
)
Proper Middleware Ordering: Ensure security middleware executes first:
from fastapi import FastAPI
from fastapi.middleware.httpsredirect import HTTPSRedirectMiddleware
from fastapi.middleware.trustedhost import TrustedHostMiddleware
from fastapi.middleware.proxy import ProxyHeadersMiddleware
app = FastAPI()
# Security middleware first
app.add_middleware(HTTPSRedirectMiddleware)
app.add_middleware(TrustedHostMiddleware, allowed_hosts=["api.example.com"])
app.add_middleware(ProxyHeadersMiddleware)
# Application middleware after security checks
app.add_middleware(MyCustomMiddleware)
Secure Exception Handling: Implement custom exception handlers that don't leak information:
from fastapi import FastAPI, HTTPException
from fastapi.responses import JSONResponse
import logging
logger = logging.getLogger(__name__)
@app.exception_handler(Exception)
async def custom_exception_handler(request, exc):
# Log the full exception internally
logger.error(f"Unhandled exception: {exc}", exc_info=True)
# Return generic error to client
return JSONResponse(
status_code=500,
content={"detail": "Internal server error"}
)
@app.exception_handler(HTTPException)
async def http_exception_handler(request, exc):
# For HTTP exceptions, return the status code but generic message
return JSONResponse(
status_code=exc.status_code,
content={"detail": "Request processing failed"}
)
OpenAPI Documentation Protection: Secure or disable auto-documentation in production:
from fastapi import FastAPI, Depends
from fastapi.security import APIKeyHeader
# Require API key for docs
api_key = APIKeyHeader(name="x-api-key", schema_extra={"description": "API key for docs access"})
def get_api_key(x_api_key: str = Depends(api_key)):
if x_api_key != os.getenv("DOCS_API_KEY"):
raise HTTPException(status_code=401, detail="Invalid API key")
return x_api_key
# Protect docs with dependency
app = FastAPI(docs_auth=[Depends(get_api_key)])
# Alternative: disable docs in production
if settings.debug:
app = FastAPI(docs_url="/docs", redoc_url="/redoc")
else:
app = FastAPI(docs_url=None, redoc_url=None)
Environment-Specific Configuration: Use Pydantic Settings for secure configuration management:
from pydantic_settings import BaseSettings
from pathlib import Path
class DatabaseSettings(BaseSettings):
host: str = "localhost"
port: int = 5432
username: str
password: str
class Config:
env_file = ".env"
env_file_encoding = "utf-8"
db_settings = DatabaseSettings()
def get_db_engine():
# Use settings from environment, never hardcoded
return create_engine(
f"postgresql://{db_settings.username}:{db_settings.password}@{db_settings.host}:{db_settings.port}/mydb"
)
Security Headers Middleware: Add security headers to prevent common attacks:
from fastapi import FastAPI
from fastapi.middleware import Middleware
from fastapi.middleware.securityheaders import SecurityHeadersMiddleware
app = FastAPI(middleware=[
Middleware(SecurityHeadersMiddleware, default_src="'self'")
])
Frequently Asked Questions
How can I tell if my Fastapi application has security misconfigurations?
The most reliable way is to use a security scanner like middleBrick that specifically tests for Fastapi misconfigurations. You can also manually check for common issues: ensure debug mode is disabled in production, verify CORS policies are restrictive, confirm middleware is ordered correctly with security checks first, and test whether OpenAPI documentation is accessible without authentication. Look for hardcoded credentials, overly verbose error messages, and missing security headers in your application's responses.
What's the biggest security misconfiguration risk in Fastapi applications?
Debug mode enabled in production is often the most critical misconfiguration because it exposes detailed error pages with stack traces, environment variables, and internal system paths. This information gives attackers valuable insights for crafting targeted attacks. Another major risk is overly permissive CORS policies that allow any origin to access your API with credentials. Both issues are easily detectable with automated scanning and simple to fix with proper configuration management.