
Production-ready security middleware for FastAPI — IP filtering, rate limiting, penetration detection, and 20+ per-route security decorators.

Project description

FastAPI Guard


Production-ready security middleware for FastAPI.
IP filtering, rate limiting, signature-based attack-pattern detection, and 20+ per-route security decorators.


Quick Start

uv add fastapi-guard        # uv (recommended)
pip install fastapi-guard    # pip
poetry add fastapi-guard     # poetry

Example

from fastapi import FastAPI
from guard import SecurityMiddleware, SecurityConfig

app = FastAPI()

config = SecurityConfig(
    enable_rate_limiting=True,
    rate_limit=30,
    rate_limit_window=60,
    enable_ip_banning=True,
    auto_ban_threshold=5,
    auto_ban_duration=86400,
    custom_log_file="security.log",
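    enforce_https=True,
    enable_cors=True,
    # Wildcard origins combined with credentials is unsafe for production:
    # list the exact origins that may send credentialed requests.
    cors_allow_origins=["*"],
    cors_allow_methods=["GET", "POST"],
    cors_allow_headers=["*"],
    cors_allow_credentials=True,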
    cors_expose_headers=["X-Custom-Header"],
    cors_max_age=600,
    block_cloud_providers={"AWS", "GCP", "Azure"},
)

app.add_middleware(SecurityMiddleware, config=config)

For production, wire guard.lifespan.guard_lifespan into FastAPI(lifespan=...) so initialization runs at app startup instead of on the first request — see Eager initialization.


Per-Route Security Decorators

Apply security rules at the endpoint level with composable decorators:

from guard import SecurityConfig, SecurityDecorator

config = SecurityConfig()
guard = SecurityDecorator(config)

# `app` is the FastAPI instance created in the example above.
@app.get("/api/payments")
@guard.require_auth(type="bearer")
@guard.rate_limit(requests=10, window=60)
@guard.block_countries(["CN", "RU"])
@guard.require_https()
async def process_payment():
    return {"status": "ok"}

Available decorator categories:

  • Access: require_ip, block_countries, allow_countries, block_clouds, bypass
  • Auth: require_https, require_auth, api_key_auth, require_headers
  • Rate Limiting: rate_limit, geo_rate_limit
  • Content: block_user_agents, content_type_filter, max_request_size, require_referrer, custom_validation
  • Behavioral: usage_monitor, return_monitor, suspicious_frequency, behavior_analysis
  • Advanced: time_window, honeypot_detection, suspicious_detection

Full decorator reference


Cloud Dashboard

FastAPI Guard has a centralized cloud platform for real-time monitoring and threat analysis across all your applications.

  • Dashboard: real-time security events, threat intelligence, attack pattern analytics
  • Playground: try every security feature in-browser with real attack data from a live server
  • Dynamic Rules: update security configuration from the dashboard without redeploying
  • GDPR Tools: consent management, data export, account deletion

Connect your existing setup in 2 minutes:

uv add guard-agent    # or: pip install guard-agent

from collections.abc import AsyncGenerator
from contextlib import asynccontextmanager

from fastapi import FastAPI
from guard import SecurityConfig, SecurityMiddleware
from guard_agent import AgentConfig, guard_agent

security_config = SecurityConfig(
    enable_agent=True,
    agent_api_key="your-api-key",
    agent_endpoint="https://api.guard-core.com/api/v1",
    agent_project_id="your-project-id",
    agent_buffer_size=5000,
    agent_flush_interval=2,
    agent_enable_events=True,
    agent_enable_metrics=True,
    enable_dynamic_rules=True,
    dynamic_rule_interval=60,
)

agent_config = AgentConfig(
    api_key="your-api-key",
    endpoint="https://api.guard-core.com/api/v1",
    project_id="your-project-id",
    buffer_size=5000,
    flush_interval=2,
)

agent = guard_agent(agent_config)


@asynccontextmanager
async def lifespan(_app: FastAPI) -> AsyncGenerator[None, None]:
    await agent.start()
    try:
        yield
    finally:
        # Stop the agent even if the application exits with an error.
        await agent.stop()


app = FastAPI(lifespan=lifespan)
app.add_middleware(SecurityMiddleware, config=security_config)

Free tier includes 10,000 events/month, no credit card required.

The core library is fully self-contained and MIT licensed. The cloud dashboard is optional.

Monitoring agent buffer health

When enable_agent=True, the middleware exposes an agent_stats property that returns the current buffer drop counters and transport circuit-breaker state without needing to reach into the agent directly:

middleware: SecurityMiddleware = ...

stats = middleware.agent_stats
# {"enabled": True, "buffer_stats": {"events_dropped": 0, "metrics_dropped": 0, ...},
#  "transport_stats": {"circuit_breaker_state": "CLOSED", ...}, ...}

When the agent is disabled or failed to initialize, the property returns {"enabled": False}. Read it on each scrape — it reflects live counters and is not cached.
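
One way to act on these counters between scrapes, as an added example that is not part of the FastAPI Guard project. It uses only the keys shown in the dict above, and assumes the drop counters are cumulative and that any circuit-breaker state other than "CLOSED" means delivery is degraded; the function name and sample scrapes are constructed for illustration.

```python
from typing import Any, Optional


def assess_agent_health(current: dict[str, Any],
                        previous: Optional[dict[str, Any]] = None) -> list[str]:
    """Compare two agent_stats scrapes; an empty list means telemetry looks healthy."""
    if not current.get("enabled", False):
        # Per the page, {"enabled": False} means disabled or failed to initialize.
        return ["agent disabled or failed to initialize: no events are being shipped"]

    findings: list[str] = []
    buf = current.get("buffer_stats", {})
    prev_buf = (previous or {}).get("buffer_stats", {})
    for counter in ("events_dropped", "metrics_dropped"):
        now = int(buf.get(counter, 0))
        before = int(prev_buf.get(counter, 0))
        # Assumption: counters are cumulative. A lower value than last time is
        # treated as a process restart, so everything counted since then is new.
        delta = now - before if now >= before else now
        if delta > 0:
            findings.append(f"{counter} rose by {delta} since the last scrape")

    state = current.get("transport_stats", {}).get("circuit_breaker_state")
    if state != "CLOSED":
        findings.append(f"transport circuit breaker is {state}, not CLOSED")
    return findings


# Constructed sample scrapes, shaped like the dict shown above.
SCRAPE_1 = {"enabled": True,
            "buffer_stats": {"events_dropped": 0, "metrics_dropped": 0},
            "transport_stats": {"circuit_breaker_state": "CLOSED"}}
SCRAPE_2 = {"enabled": True,
            "buffer_stats": {"events_dropped": 42, "metrics_dropped": 0},
            # "OPEN" is a constructed value standing in for any non-CLOSED state.
            "transport_stats": {"circuit_breaker_state": "OPEN"}}

if __name__ == "__main__":
    print(assess_agent_health(SCRAPE_1))
    print(assess_agent_health(SCRAPE_2, SCRAPE_1))
    print(assess_agent_health({"enabled": False}))
```

Dropped security events are gaps in the audit trail, so a non-empty result is worth alerting on rather than only graphing.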


Ecosystem

FastAPI Guard is built on guard-core, a framework-agnostic security engine. The same protection is available across Python, TypeScript, and Rust.

Python

Package | Role | PyPI
guard-core | Framework-agnostic security engine | PyPI
guard-agent | Telemetry agent | PyPI
fastapi-guard | FastAPI / Starlette adapter (this package) | PyPI
flaskapi-guard | Flask adapter | PyPI
djapi-guard | Django adapter | PyPI
tornadoapi-guard | Tornado adapter | PyPI

TypeScript / JavaScript

Published under the @guardcore npm scope. Source in the guard-core-ts monorepo. Production-ready.

Package | Role | npm
@guardcore/core | Core engine | npm
@guardcore/express | Express adapter | npm
@guardcore/nestjs | NestJS adapter | npm
@guardcore/fastify | Fastify adapter | npm
@guardcore/hono | Hono adapter | npm

Rust

Published on crates.io. 🚧 Placeholder crates — implementation in progress.

Package | Role | crates.io
guard-core | Core engine | crates.io
actix-guard-rs | Actix adapter | crates.io
axum-guard-rs | Axum adapter | crates.io
rocket-guard-rs | Rocket adapter | crates.io
tower-guard-rs | Tower adapter | crates.io


Contributing

Contributions are welcome. See CONTRIBUTING.md for guidelines.

New security features (checks, detection patterns, handlers) should be contributed to guard-core. This repo covers the FastAPI/Starlette adapter layer.


License

This project is licensed under the MIT License. See the LICENSE file for details.


Author

Renzo Franceschini


Download files

Source Distribution

fastapi_guard-7.1.1.tar.gz (19.2 kB)

Uploaded Source

Built Distribution

fastapi_guard-7.1.1-py3-none-any.whl (13.8 kB)

Uploaded Python 3

File details

Details for the file fastapi_guard-7.1.1.tar.gz.

File metadata

  • Download URL: fastapi_guard-7.1.1.tar.gz
  • Upload date:
  • Size: 19.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.20

File hashes

Hashes for fastapi_guard-7.1.1.tar.gz
Algorithm Hash digest
SHA256 3674269a65c644d50af8ee9f5f8db2ca2ce57ebe20812d1a2530f0fda7663693
MD5 b4371384a4d8ec99d3f047ac7b387735
BLAKE2b-256 dd7997ec46bde9fe47e511593857094d73c1b8c04cf8a2006131689795cdeda6

File details

Details for the file fastapi_guard-7.1.1-py3-none-any.whl.

File metadata

  • Download URL: fastapi_guard-7.1.1-py3-none-any.whl
  • Upload date:
  • Size: 13.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.10.20

File hashes

Hashes for fastapi_guard-7.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 0069c281ab7512a23ab671617bddf498a68f44ee57a040b171199c076fd0b67a
MD5 ecb6a9a524c926ddbf7f770045b4d939
BLAKE2b-256 450df551a50c0fb1f3b0644ea3d99d630608257ed3282762a93f6cf377b0dd82
