Security Best Practices
Input Validation — Never Trust the Client
# BAD: no validation
@app.post("/users")
async def create_user(data: dict):
    # A bare ``dict`` body admits any JSON object: no required keys, no
    # type or length limits, no format check on ``email``.
    # ``data['email']`` is interpolated straight into the SQL text, so the
    # request body controls the statement — a SQL injection sink.
    # A body without an ``email`` key also raises ``KeyError`` here instead
    # of producing a validation error.
    db.execute(f"INSERT INTO users (email) VALUES ('{data['email']}')")
# GOOD: strict schema + parameterized query
class UserCreate(BaseModel):
    """Request body for ``POST /users``; the framework validates input against it.

    Each field carries explicit constraints so malformed input is rejected
    before it reaches application code.
    """

    # ``EmailStr`` enforces e-mail syntax (it requires the optional
    # ``email-validator`` package to be installed).
    email: EmailStr
    # Bounded length plus a closed character set: ASCII letters, digits,
    # ``_`` and ``-``.
    # NOTE(review): under Python ``re`` semantics ``$`` also matches before a
    # trailing newline; confirm the pydantic version in use rejects "name\n",
    # or anchor the pattern with ``\Z`` if its engine supports it.
    # NOTE(review): keys not declared here are presumably ignored rather than
    # rejected — confirm whether unknown fields should be forbidden.
    username: str = Field(min_length=3, max_length=64, pattern=r"^[a-zA-Z0-9_-]+$")
@app.post("/users")
async def create_user(data: UserCreate):
    """Create a user from a body already validated as ``UserCreate``.

    Typing the parameter with the model makes the framework parse and
    validate the request before this body runs, so the handler never reads
    raw request fields. Persistence is delegated to ``user_service``
    (presumably using parameterized queries — verify in the service layer).
    """
    await user_service.create(data)