
tessl-labs/fastapi-security-basics

Security defaults that belong in every FastAPI application from day one.

93

7.00x average score across 5 eval scenarios
Quality: 90% (Does it follow best practices?)
Impact: 98%
Security (by Snyk): Passed, no known issues


verifiers/fastapi-security-configured.json

{
  "instruction": "Add CORS, rate limiting, security headers, and trusted hosts to FastAPI",
  "relevant_when": "Agent creates or modifies a FastAPI application, adds routes to a FastAPI app, or sets up a FastAPI project",
  "context": "Every FastAPI app needs explicit middleware for CORS, security headers, rate limiting, and trusted hosts. These are baseline requirements, not optional hardening.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/fastapi-security-basics/SKILL.md",
      "tile": "tessl-labs/fastapi-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "cors-middleware-added",
      "rule": "Agent adds CORSMiddleware with explicit allowed origins, not ['*']",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    },
    {
      "name": "cors-origins-from-env",
      "rule": "Agent reads CORS allowed origins from os.getenv('ALLOWED_ORIGINS') or similar environment variable",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    },
    {
      "name": "cors-explicit-methods",
      "rule": "Agent specifies allow_methods explicitly in CORSMiddleware (e.g., ['GET', 'POST', 'PATCH', 'DELETE']), not relying on defaults",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    },
    {
      "name": "security-headers-middleware",
      "rule": "Agent adds an HTTP middleware that sets X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and Referrer-Policy headers on all responses",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    },
    {
      "name": "trusted-host-middleware",
      "rule": "Agent adds TrustedHostMiddleware with allowed_hosts read from os.getenv('ALLOWED_HOSTS') or similar environment variable",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    },
    {
      "name": "rate-limiter-configured",
      "rule": "Agent installs slowapi and creates a Limiter with get_remote_address as key_func, assigns it to app.state.limiter, and adds a RateLimitExceeded exception handler returning 429",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    },
    {
      "name": "rate-limit-on-routes",
      "rule": "Agent applies @limiter.limit() decorator to API routes, with stricter limits on POST/mutation endpoints than read endpoints",
      "relevant_when": "Agent creates or modifies a FastAPI application"
    }
  ]
}
