FastAPI Guard

MIT · Python · 7.0.0

A security middleware library for FastAPI providing IP control, rate limiting, penetration detection, and security headers.

771 stars · 39 forks · 0 contributors

What is FastAPI Guard?

FastAPI Guard is a security middleware library for FastAPI applications that provides comprehensive protection against common web threats. It integrates seamlessly to defend against unauthorized access, abuse, and attacks through features like IP access control, rate limiting, penetration detection, and security headers. The library is designed to secure production APIs with minimal setup while offering flexibility for advanced configurations.

Target Audience

FastAPI developers building production APIs that require robust security measures against threats like DDoS, unauthorized access, and data breaches. It is particularly suited for teams needing configurable, middleware-based security without extensive custom implementation.

Value Proposition

Developers choose FastAPI Guard for its all-in-one security solution tailored specifically for FastAPI, combining multiple protections (e.g., IP filtering, rate limiting, geolocation blocking) into a single middleware. Its unique selling point is the seamless integration with FastAPI's ecosystem, route-level decorators for fine-grained control, and optional Redis support for distributed state management across instances.

Overview

FastAPI Guard: A security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. It integrates seamlessly with FastAPI to offer robust protection against various security threats.

Use Cases

Best For

  • Securing FastAPI applications with IP whitelisting and blacklisting to control access based on specific addresses or ranges.
  • Implementing rate limiting per IP to prevent abuse and DDoS attacks in production APIs.
  • Blocking requests from specific countries or cloud providers (e.g., AWS, GCP, Azure) using IP geolocation features.
  • Applying HTTP security headers like CSP, HSTS, and X-Frame-Options to enhance API security following OWASP best practices.
  • Detecting and logging penetration attempts with configurable thresholds for automatic IP banning.
  • Using route-level decorators for fine-grained security controls on individual API endpoints, such as requiring HTTPS or specific authentication.

Not Ideal For

  • Projects using web frameworks other than FastAPI (e.g., Flask, Django), as it's tightly coupled to FastAPI's middleware system.
  • Teams with existing API gateways or CDNs (like Cloudflare) that already handle IP filtering and rate limiting, adding redundancy.
  • Applications needing dynamic, real-time updates to security rules without restarts, since configuration is static at startup.
  • Simple APIs where basic FastAPI security features suffice, avoiding the overhead of numerous configuration options.

Pros & Cons

Pros

Comprehensive Security Features

Bundles IP access control, rate limiting, penetration detection, and security headers into one middleware, as shown in the Features section with examples like whitelisting and CSP configuration.

Seamless FastAPI Integration

Designed specifically for FastAPI with middleware and route-level decorators, enabling fine-grained endpoint control like @guard_deco.rate_limit for individual routes.

Advanced Distributed Support

Optional Redis integration allows shared state across instances for rate limiting and IP banning, crucial for scalable production deployments as detailed in the Redis Configuration section.

Extensive Documentation and Tooling

Offers a website, live playground, Discord community, and monitoring agent integration, making implementation and troubleshooting accessible for developers.

Cons

Geolocation Service Dependency

Requires an IPInfo token with a free tier limit of 50,000 requests per month for country blocking, which can be restrictive for high-traffic APIs and adds external reliance.

Configuration Complexity

SecurityConfig has over 20 attributes, making setup daunting and error-prone, as evidenced by lengthy code examples in the Usage section.

Potential Breaking Changes

Deprecated options like ipinfo_token indicate an evolving API that may require updates in future versions, introducing maintenance overhead.

Performance Overhead Concerns

Multiple security checks per request, especially with penetration detection and Redis, can impact response times, though this trade-off is acknowledged for enhanced protection.

Quick Stats

  • Stars: 771
  • Forks: 39
  • Contributors: 0
  • Open Issues: 1
  • Last commit: 3 days ago
  • Created: Since 2024

Tags

#fastapi #rest #web-security #api #redis #python-library #ip #security #python #cors #rate-limiting #api-protection #middleware

Built With

  • FastAPI
  • Python
  • Redis
