andredias / cookiecutter-fastapi Goto Github PK

There is a discussion about it here and here

Instead of returning all available records at once, functions such as get_all must receive additional parameters like limit and offset to control how many records to return.

Removing administrators from an application simplifies REST API validation a lot since there is no special access or right to execute some actions.

Privileged access for executing some action or for retrieving some information must be done directly through the database or through another application specially designed for that.

Use the CI from Codebox as reference.

Currently, the CSRF token is being transmitted to the frontend via a cookie after a successful login. Although it is not really a security issue since the CSRF token must be sent back later using a custom header x-csrf-token, the same token is also sent along inside a cookie.

It is possible to prevent this if the original CSRF token is sent via a custom header instead because it won't be sent again later automatically.

Secure.py s a lightweight package that adds optional security headers for Python web frameworks.

Also, take a look at OWASP Secure Headers Project

• ThrottledAPI

Slow API looks interesting for this and works with FastAPI.

Obtaining a valid session isn't related to CSRF validation. The latter might be necessary for user authentication though.

Instead of trying to handle uncaught exceptions locally, a better approach is to create middleware or something else to handle exceptions globally.

Loguru's way to exceptions might also be useful.

Setting a user as admin should not be done directly via the user's REST API because that requires a different level of authorization that isn't checked or implemented yet.

KSUID is a K sorted UID. In other words, a KSUID also stores a date component, so that ksuids can be approximately sorted based on the time they were created.

Create a password reset procedure. See OWASP Forgot Password Cheat Sheet