fastapi


FastAPI Code Review Rules

Security (Critical)

  • Validate and sanitize all inputs to prevent injection attacks
  • Use OAuth2PasswordBearer or similar for auth
  • Rate limit sensitive endpoints
  • Never log sensitive data (passwords, tokens)
  • Implement CORS properly with CORSMiddleware
  • Use CSRF protection for cookie-based auth
  • Validate content types and sanitize HTML to prevent XSS
  • Use security headers (HSTS, CSP, X-Frame-Options)
  • Always validate user input in path operations and request bodies
  • Never use HTML comments (<!-- -->) in production code
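
One way to apply the security-headers rule above is a pure ASGI middleware, which FastAPI accepts through `app.add_middleware(SecurityHeadersMiddleware)`. This is an added example, not part of the skill itself; the class name, the demo app and the header values are assumptions chosen for illustration.

```python
import asyncio

# Assumed baseline values; tighten or relax the CSP per application.
DEFAULT_HEADERS = {
    "strict-transport-security": "max-age=63072000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
}

class SecurityHeadersMiddleware:
    """Pure ASGI middleware (hypothetical name) that enforces one header policy."""
    def __init__(self, app, headers=None):
        self.app = app
        merged = {**DEFAULT_HEADERS, **(headers or {})}
        self.headers = [(k.lower().encode("latin-1"), v.encode("latin-1"))
                        for k, v in merged.items()]

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":  # pass websocket/lifespan through untouched
            await self.app(scope, receive, send)
            return
        # HSTS only has meaning over TLS. Behind a TLS-terminating proxy the
        # scheme is "http" unless trusted proxy headers are configured.
        is_https = scope.get("scheme") == "https"

        async def send_with_headers(message):
            if message["type"] == "http.response.start":
                ours = [(k, v) for k, v in self.headers
                        if is_https or k != b"strict-transport-security"]
                names = {k for k, _ in ours}
                # Drop handler-set copies so the middleware policy wins exactly once.
                kept = [(k, v) for k, v in message.get("headers", [])
                        if k.lower() not in names]
                message = {**message, "headers": kept + ours}
            await send(message)

        await self.app(scope, receive, send_with_headers)

async def _demo_app(scope, receive, send):
    # Constructed stand-in for a FastAPI app that sets a weak framing header.
    await send({"type": "http.response.start", "status": 200, "headers": [
        (b"content-type", b"text/plain"), (b"x-frame-options", b"ALLOWALL")]})
    await send({"type": "http.response.body", "body": b"ok"})

def response_headers(scheme="https"):
    """Send one constructed request through the middleware; return header pairs."""
    sent = []
    async def send(message):
        sent.append(message)
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    scope = {"type": "http", "scheme": scheme, "method": "GET", "path": "/"}
    asyncio.run(SecurityHeadersMiddleware(_demo_app)(scope, receive, send))
    return sent[0]["headers"]
```

Because the middleware replaces any handler-set copy of the same header, a route that needs a different CSP has to be given its own `headers` override rather than setting the header in the response.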

Installs: 1
First Seen: Mar 30, 2026
fastapi — yldgio/anomalyco