
tessl-labs/fastapi-security-basics

Security defaults that belong in every FastAPI application from day one.

93
7.00x

Quality: 90% (Does it follow best practices?)
Impact: 98%, 7.00x (average score across 5 eval scenarios)
Security by Snyk: Passed, no known issues


Evaluation results

Community Forum API: 100%, 70%

| Criteria | Without context | With context |
|---|---|---|
| No wildcard CORS origin | 100% | 100% |
| CORS origins from env var | 100% | 100% |
| Explicit allow_methods | 0% | 100% |
| allow_credentials not with wildcard | 100% | 100% |
| TrustedHostMiddleware present | 0% | 100% |
| Trusted hosts from env var | 0% | 100% |
| Security headers middleware | 0% | 100% |
| All four security headers present | 0% | 100% |
| Correct header values | 0% | 100% |
| Middleware calls call_next | 0% | 100% |

Inventory Management REST API: 100%, 88%

| Criteria | Without context | With context |
|---|---|---|
| All 7 security components present | 20% | 100% |
| HTTPS redirect before TrustedHost | 0% | 100% |
| TrustedHost before CORS | 0% | 100% |
| CORS before security headers | 0% | 100% |
| Security headers before routes | 0% | 100% |
| CORS origins not wildcard | 0% | 100% |
| CORS and hosts from env vars | 0% | 100% |
| All four security headers set | 0% | 100% |
| Rate limit error code | 0% | 100% |
| Pydantic Field constraints on models | 100% | 100% |
| app.state.limiter set | 0% | 100% |

Profile Photo Upload API: 100%, 100%

| Criteria | Without context | With context |
|---|---|---|
| HTTPSRedirectMiddleware imported | 0% | 100% |
| HTTPS middleware added conditionally | 0% | 100% |
| Production env check | 0% | 100% |
| uvicorn request size limit set | 0% | 100% |
| Request size limit is 1MB | 0% | 100% |
| Security headers middleware present | 0% | 100% |
| TrustedHostMiddleware present | 0% | 100% |
| CORS middleware present | 0% | 100% |
| Rate limiting present | 0% | 100% |

E-commerce Order API: 91%, 61%

| Criteria | Without context | With context |
|---|---|---|
| Field import used | 100% | 100% |
| String min_length constraint | 100% | 100% |
| String max_length constraint | 0% | 70% |
| Integer range constraint | 0% | 100% |
| Pattern for enum-like field | 0% | 100% |
| field_validator used | 0% | 100% |
| classmethod decorator | 0% | 100% |
| ValueError raised on invalid input | 0% | 100% |
| No unconstrained string fields | 0% | 50% |
| No unconstrained integer fields | 100% | 100% |

Task Tracker API with Login: 100%, 100%

| Criteria | Without context | With context |
|---|---|---|
| slowapi Limiter used | 0% | 100% |
| get_remote_address key function | 0% | 100% |
| app.state.limiter assigned | 0% | 100% |
| RateLimitExceeded handler present | 0% | 100% |
| 429 status code returned | 0% | 100% |
| RATE_LIMITED error code | 0% | 100% |
| Limiter decorator on routes | 0% | 100% |
| request param is first | 0% | 100% |
| Stricter limit on auth endpoint | 0% | 100% |
| Stricter limit on mutation endpoint | 0% | 100% |
| Rate limiting on POST/auth routes | 0% | 100% |

Evaluated with agent: Claude Code; model: Claude Sonnet 4.6
