Zero-config network request obfuscation middleware for FastAPI - protect your APIs from reverse engineering
Project description
rossetta-fastapi
Zero-config network request obfuscation middleware for FastAPI
Features
- 🔒 Automatic endpoint obfuscation - API endpoints are hashed and unreadable
- 🔐 Request/response encryption - AES-256-CBC encryption for all data
- ✅ Session-based key management - No hardcoded secrets in frontend
- 🛡️ Anti-replay protection - Timestamp validation prevents replay attacks
- 📝 Request signatures - HMAC-SHA256 ensures request integrity
Installation
pip install rossetta-fastapi
Quick Start
from fastapi import FastAPI
from rossetta_fastapi import RossettaMiddleware
app = FastAPI()
# Add Rossetta middleware
app.add_middleware(RossettaMiddleware)
# Define your routes normally
@app.get("/api/users")
async def get_users():
return {"users": []}
if __name__ == "__main__":
import uvicorn
uvicorn.run(app, host="0.0.0.0", port=8000)
That's it! All API endpoints are now automatically obfuscated and encrypted.
Usage
Basic Setup
from fastapi import FastAPI
from starlette.middleware.sessions import SessionMiddleware
from rossetta_fastapi import RossettaMiddleware
app = FastAPI()
# Add session middleware (required)
app.add_middleware(
SessionMiddleware,
secret_key="your-secret-key-here"
)
# Add Rossetta middleware
app.add_middleware(
RossettaMiddleware,
secret="your-rossetta-secret", # Optional
timestamp_window=300000 # 5 minutes (default)
)
Encrypting Responses
from fastapi import Request
from rossetta_fastapi import encrypt_response
@app.get("/api/data")
async def get_data(request: Request):
data = {"message": "Hello, World!"}
session_key = request.state.rossetta['session_key']
return encrypt_response(data, session_key)
Accessing Request Data
@app.post("/api/create")
async def create_item(request: Request):
# Decrypted data is in request.state
data = request.state.decrypted_data
name = data.get('name')
result = {"id": 1, "name": name}
session_key = request.state.rossetta['session_key']
return encrypt_response(result, session_key)
Session Initialization Endpoint
@app.post("/api/init-session")
async def init_session(request: Request):
return {
"sessionKey": request.session['rossetta_key'],
"endpointSalt": request.session['endpoint_salt']
}
How It Works
- Session Initialization: Client requests session keys
- Key Generation: Server generates unique encryption keys per session
- Endpoint Obfuscation: All endpoints are hashed using SHA-256
- Request Encryption: Client encrypts requests with session key
- Server Decryption: Middleware automatically decrypts and validates
- Response Encryption: Responses are encrypted before sending
Security Features
- No Hardcoded Secrets: Keys are generated per session
- Perfect Forward Secrecy: Each session has unique keys
- Replay Attack Prevention: Timestamp-based validation
- Request Integrity: HMAC signatures prevent tampering
- Endpoint Obfuscation: API structure hidden from inspection
⚠️ Production Deployment
IMPORTANT: This package provides obfuscation and encryption at the application layer. For production use, you MUST also implement:
Required for Production:
-
HTTPS/TLS: Always use HTTPS in production
- Obfuscation is NOT a replacement for TLS
- Use valid SSL/TLS certificates
- Configure HSTS headers
-
Environment Variables: Never hardcode secrets
ROSSETTA_SECRET_KEY=your-secure-random-key-here
-
Rate Limiting: Add rate limiting middleware
from slowapi import Limiter limiter = Limiter(key_func=get_remote_address)
-
Authentication & Authorization: Add proper auth layer
- This package only handles obfuscation
- Implement JWT, OAuth, or session-based auth
-
Database Security: Use parameterized queries/ORMs
-
Input Validation: Validate all user inputs with Pydantic
-
CORS Configuration: Restrict allowed origins
Recommended Security Stack:
[Client] → HTTPS/TLS → [Rate Limiter] → [Auth Middleware] → [Rossetta Middleware] → [Your API]
Environment Variables
ROSSETTA_SECRET_KEY=your-secret-key-here # Optional
API Reference
RossettaMiddleware
Main middleware class.
Parameters:
secret(str): Secret key for encryption (auto-generated if not provided)timestamp_window(int): Request validity window in milliseconds (default: 300000)
Request State
After middleware processing:
request.state.rossetta['session_key']: Current session encryption keyrequest.state.rossetta['endpoint_salt']: Salt for endpoint obfuscationrequest.state.rossetta['obfuscate_endpoint']: Function to obfuscate endpointsrequest.state.rossetta['encrypt']: Function to encrypt datarequest.state.rossetta['decrypt']: Function to decrypt datarequest.state.decrypted_data: Decrypted request payload
Helper Functions
encrypt_response(data, session_key)
Encrypts response data.
Parameters:
data(dict): Data to encryptsession_key(str): Session encryption key
Returns: Encrypted string
Complete Example
from fastapi import FastAPI, Request
from starlette.middleware.sessions import SessionMiddleware
from rossetta_fastapi import RossettaMiddleware, encrypt_response
app = FastAPI()
# Add middlewares
app.add_middleware(SessionMiddleware, secret_key="super-secret")
app.add_middleware(RossettaMiddleware)
# Session init
@app.post("/api/init-session")
async def init_session(request: Request):
return {
"sessionKey": request.session['rossetta_key'],
"endpointSalt": request.session['endpoint_salt']
}
# Protected endpoints
@app.get("/api/todos")
async def list_todos(request: Request):
todos = [
{"id": 1, "text": "Learn Rossetta API", "completed": False}
]
return encrypt_response(todos, request.state.rossetta['session_key'])
@app.post("/api/todos")
async def create_todo(request: Request):
data = request.state.decrypted_data
todo = {
"id": 2,
"text": data['text'],
"completed": False
}
return encrypt_response(todo, request.state.rossetta['session_key'])
if __name__ == "__main__":
import uvicorn
uvicorn.run(app, host="0.0.0.0", port=8000)
License
MIT
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file rossetta_fastapi-0.1.0.tar.gz.
File metadata
- Download URL: rossetta_fastapi-0.1.0.tar.gz
- Upload date:
- Size: 6.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c3003f3a70d9ec4e042dfd3397131a33497763d397e993b4cffa432107dbb737
|
|
| MD5 |
c0b3b6483a73bfcd5e47b6b9b0bbdb7b
|
|
| BLAKE2b-256 |
077c34050f5f59fe5ff56dffdd8ed286fe059ee2b39c42326bf8cf8c57c7eaa3
|
File details
Details for the file rossetta_fastapi-0.1.0-py3-none-any.whl.
File metadata
- Download URL: rossetta_fastapi-0.1.0-py3-none-any.whl
- Upload date:
- Size: 6.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b322eb9ff684a017936ccd9b47604ba6efa2fcc30f37458824df3b6d53fab59e
|
|
| MD5 |
9f847c9b8a5744cffb34d3b0ffa5431a
|
|
| BLAKE2b-256 |
263427ce9088f89d39d99cd8560510e82010f519f15414e84b6be36c0ae0b96c
|