# FastAPI Code Review Rules

## Security (Critical)
- Input Validation: Apply strict type, length, and format checks to all user-supplied input. Sanitize inputs using trusted libraries before any rendering or database operation
- Template Variable Safety: Never render unvalidated template variables (`{{ ... }}`), and always declare variable sources. Avoid HTML comments (`<!-- -->`) as they may expose sensitive info or facilitate injection attacks
- Comment Hygiene: Never use HTML comments in production code to store data or instructions
- Use `OAuth2PasswordBearer` or similar for auth
- Rate limit sensitive endpoints
- Never log sensitive data (passwords, tokens)
- Implement CORS properly with `CORSMiddleware`
- Use CSRF protection for cookie-based auth
- Validate content types and sanitize HTML to prevent XSS
- Use security headers (HSTS, CSP, X-Frame-Options)
- Always validate user input in path operations and request bodies
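The content-type and security-header rules above, as an added example that is not part of this rules file: a plain ASGI middleware (so it runs without FastAPI installed, and FastAPI accepts it via `app.add_middleware(...)`) that rejects request bodies whose media type is not on an allow-list and adds HSTS, CSP and X-Frame-Options to every response. `SecurityHeadersMiddleware`, `hello_app`, `run_request` and the header values are my own constructions.

```python
import asyncio

# Headers the review rules call for (values here are a constructed baseline).
SECURITY_HEADERS = [
    (b"strict-transport-security", b"max-age=63072000; includeSubDomains"),
    (b"content-security-policy", b"default-src 'self'; frame-ancestors 'none'"),
    (b"x-frame-options", b"DENY"),
    (b"x-content-type-options", b"nosniff"),
]

class SecurityHeadersMiddleware:  # hypothetical name; plain ASGI, no FastAPI import needed
    def __init__(self, app, allowed_content_types=("application/json",)):
        self.app, self.allowed = app, set(allowed_content_types)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # lifespan/websocket events pass straight through
            return await self.app(scope, receive, send)
        if scope["method"] in ("POST", "PUT", "PATCH"):
            hdrs = {k.decode().lower(): v.decode() for k, v in scope.get("headers", [])}
            media = hdrs.get("content-type", "").split(";")[0].strip().lower()
            if media not in self.allowed:  # reject before any handler parses the body
                await send({"type": "http.response.start", "status": 415,
                            "headers": SECURITY_HEADERS + [(b"content-type", b"application/json")]})
                return await send({"type": "http.response.body", "body": b'{"detail":"Unsupported Media Type"}'})

        async def send_with_headers(message):
            if message["type"] == "http.response.start":  # add only headers the route did not set
                present = {k.lower() for k, _ in message.get("headers", [])}
                message["headers"] = list(message.get("headers", [])) + [
                    h for h in SECURITY_HEADERS if h[0] not in present]
            await send(message)
        await self.app(scope, receive, send_with_headers)

async def hello_app(scope, receive, send):  # stand-in for the FastAPI app
    await send({"type": "http.response.start", "status": 200,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": b'{"ok":true}'})

def run_request(app, method="GET", content_type=None):
    """Drive an ASGI app with a constructed request; returns (status, headers dict)."""
    raw = [] if content_type is None else [(b"content-type", content_type.encode())]
    scope = {"type": "http", "method": method, "path": "/", "headers": raw}
    sent = []
    async def receive(): return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message): sent.append(message)
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"], {k.decode(): v.decode() for k, v in sent[0]["headers"]}

secured = SecurityHeadersMiddleware(hello_app)  # FastAPI: app.add_middleware(SecurityHeadersMiddleware)
```

In a real FastAPI app the CSP value must be tuned to what the app actually loads; `default-src 'self'` will break pages that pull scripts or styles from other origins.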