
fastapi-security · listed

Security audit for FastAPI applications including dependency injection for auth, Pydantic schemas for input/output, OAuth2 scopes, async endpoint patterns, CORS middleware, SQL injection via SQLAlchemy raw queries, Starlette middleware, and FastAPI-specific patterns. Use this skill whenever the user mentions FastAPI, Pydantic, Starlette, OAuth2PasswordBearer, Depends, APIRouter, fastapi-users, SQLAlchemy in FastAPI, or asks "audit my FastAPI app", "FastAPI security review", "Pydantic safe". Trigger when the codebase contains `fastapi` in `requirements.txt` / `pyproject.toml`.
hlsitechio/claude-skills-security · ★ 1 · API & Backend · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# FastAPI Security Audit

Audit FastAPI applications. FastAPI sits on Starlette + Pydantic — secure defaults are good, but custom code often bypasses them.

## When this skill applies

- Reviewing FastAPI endpoints, dependencies, Pydantic models
- Auditing OAuth2 / JWT / API key auth flows
- Reviewing CORS, middleware, exception handlers
- Checking SQLAlchemy / SQLModel usage for SQL injection
- Reviewing async patterns for race conditions

## Workflow

Follow `../_shared/audit-workflow.md`.

### Phase 1: Stack detection

```bash
grep -E '^fastapi|"fastapi"' requirements.txt pyproject.toml 2>/dev/null
python -c "import fastapi; print(fastapi.__version__)" 2>/dev/null
```

### Phase 2: Inventory

```bash
# Route definitions
grep -rn '@app\.\|@router\.' . --include='*.py' | head -50

# Dependencies (DI)
grep -rn 'Depends(' . --include='*.py' | head -30

# Pydantic models (schemas)
grep -rn 'class .*BaseModel\|class .*pydantic' . --include='*.py' | head

# CORS / middleware
grep -rn 'add_middleware\|CORSMiddleware\|TrustedHostMiddleware' . --include='*.py'

# Raw SQL
grep -rn 'text(\|execute(\|raw_connection' . --include='*.py'
```

### Phase 3: Detection — the checks

#### Pydantic schemas — input validation

- **FAP-PYD-1** Endpoints accepting request bodies declare a Pydantic model — never `request: dict` or `request: Any`.
- **FAP-PYD-2** Field constraints set: `Field(min_length=..., max_length=..., gt=..., lt=...)`.
- **FAP-PYD-3** `model_config = ConfigDict(extra='forbid')
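The Pydantic checks above are phrased as review points to apply by hand or with grep. As an added example (not part of this skill or the page), the following stdlib-only `ast` scanner mechanises two of them over a constructed sample module: FAP-PYD-1 (a body parameter on a `post`/`put`/`patch` route typed as `dict`, `Dict` or `Any`) and FAP-PYD-3 (a `BaseModel` subclass with no `model_config = ConfigDict(extra='forbid')`). The sample's `StrictUser` model also shows what a FAP-PYD-2 `Field` constraint looks like next to a loose model. `SAMPLE_SOURCE`, `Finding`, `audit_source` and the `app`/`router` decorator names it recognises are assumptions of this example, not the skill's own identifiers.

```python
"""Hypothetical AST checker for FAP-PYD-1 and FAP-PYD-3 (example code, not the skill's)."""
import ast
from dataclasses import dataclass

# Constructed sample module: LooseUser and the /loose and /any routes are the
# deliberately weak cases; StrictUser and /strict are the hardened form.
SAMPLE_SOURCE = '''
from typing import Any
from fastapi import FastAPI
from pydantic import BaseModel, ConfigDict, Field

app = FastAPI()

class LooseUser(BaseModel):          # FAP-PYD-3: unknown keys silently accepted
    name: str

class StrictUser(BaseModel):
    model_config = ConfigDict(extra="forbid")   # FAP-PYD-3 satisfied
    name: str = Field(min_length=1, max_length=64)  # FAP-PYD-2 satisfied

@app.post("/loose")
async def create_loose(payload: dict):   # FAP-PYD-1: unvalidated body
    return payload

@app.post("/any")
async def create_any(payload: Any):      # FAP-PYD-1: unvalidated body
    return payload

@app.post("/strict")
async def create_strict(payload: StrictUser):
    return payload
'''

HTTP_BODY_METHODS = {"post", "put", "patch"}   # verbs that normally carry a body
ROUTER_NAMES = {"app", "router"}               # decorator targets we recognise (assumption)
LOOSE_BODY_TYPES = {"dict", "Dict", "Any"}


@dataclass
class Finding:
    rule: str
    lineno: int
    detail: str   # "<name>: <explanation>"


def _name_of(node):
    """Return the bare identifier of a Name/Attribute node, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def _route_method(decorator):
    """Return the HTTP verb for @app.<verb>(...) / @router.<verb>(...), else None."""
    if isinstance(decorator, ast.Call) and isinstance(decorator.func, ast.Attribute):
        if _name_of(decorator.func.value) in ROUTER_NAMES:
            return decorator.func.attr
    return None


def _has_extra_forbid(cls):
    """True if the class body assigns model_config = ConfigDict(extra='forbid')."""
    for stmt in cls.body:
        if not isinstance(stmt, ast.Assign):
            continue
        if not any(_name_of(t) == "model_config" for t in stmt.targets):
            continue
        call = stmt.value
        if isinstance(call, ast.Call) and _name_of(call.func) == "ConfigDict":
            for kw in call.keywords:
                if kw.arg == "extra" and isinstance(kw.value, ast.Constant):
                    if kw.value.value == "forbid":
                        return True
    return False


def audit_source(source):
    """Parse one module and return Finding objects for FAP-PYD-1 and FAP-PYD-3."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            verbs = {v for v in map(_route_method, node.decorator_list) if v}
            if verbs & HTTP_BODY_METHODS:
                for arg in node.args.args:
                    ann = _name_of(arg.annotation)
                    if ann in LOOSE_BODY_TYPES:
                        findings.append(Finding(
                            "FAP-PYD-1", node.lineno,
                            f"{node.name}: body parameter '{arg.arg}' typed as {ann}"))
        elif isinstance(node, ast.ClassDef):
            if any(_name_of(b) == "BaseModel" for b in node.bases):
                if not _has_extra_forbid(node):
                    findings.append(Finding(
                        "FAP-PYD-3", node.lineno,
                        f"{node.name}: no ConfigDict(extra='forbid')"))
    return findings


if __name__ == "__main__":
    for f in audit_source(SAMPLE_SOURCE):
        print(f"{f.rule} line {f.lineno}: {f.detail}")
```

Run it against a real tree by reading each `*.py` file found in Phase 2 and passing its text to `audit_source`; the checker only looks at decorator and annotation shape, so a model that sets `extra='forbid'` through an inherited base or a Pydantic v1 `class Config` will show up as a FAP-PYD-3 finding and needs a manual look.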