Skip to main content

Zero-config network request obfuscation middleware for FastAPI - protect your APIs from reverse engineering

Project description

rossetta-fastapi

Zero-config network request obfuscation middleware for FastAPI

Features

  • 🔒 Automatic endpoint obfuscation - API endpoints are hashed and unreadable
  • 🔐 Request/response encryption - AES-256-CBC encryption for all data
  • Session-based key management - No hardcoded secrets in frontend
  • 🛡️ Anti-replay protection - Timestamp validation prevents replay attacks
  • 📝 Request signatures - HMAC-SHA256 ensures request integrity

Installation

pip install rossetta-fastapi

Quick Start

from fastapi import FastAPI
from rossetta_fastapi import RossettaMiddleware

app = FastAPI()

# Add Rossetta middleware
app.add_middleware(RossettaMiddleware)

# Define your routes normally
@app.get("/api/users")
async def get_users():
    return {"users": []}

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8000)

That's it! All API endpoints are now automatically obfuscated and encrypted.

Usage

Basic Setup

from fastapi import FastAPI
from starlette.middleware.sessions import SessionMiddleware
from rossetta_fastapi import RossettaMiddleware

app = FastAPI()

# Add session middleware (required)
app.add_middleware(
    SessionMiddleware,
    secret_key="your-secret-key-here"
)

# Add Rossetta middleware
app.add_middleware(
    RossettaMiddleware,
    secret="your-rossetta-secret",  # Optional
    timestamp_window=300000  # 5 minutes (default)
)

Encrypting Responses

from fastapi import Request
from rossetta_fastapi import encrypt_response

@app.get("/api/data")
async def get_data(request: Request):
    data = {"message": "Hello, World!"}
    session_key = request.state.rossetta['session_key']
    return encrypt_response(data, session_key)

Accessing Request Data

@app.post("/api/create")
async def create_item(request: Request):
    # Decrypted data is in request.state
    data = request.state.decrypted_data
    name = data.get('name')
    
    result = {"id": 1, "name": name}
    session_key = request.state.rossetta['session_key']
    return encrypt_response(result, session_key)

Session Initialization Endpoint

@app.post("/api/init-session")
async def init_session(request: Request):
    return {
        "sessionKey": request.session['rossetta_key'],
        "endpointSalt": request.session['endpoint_salt']
    }

How It Works

  1. Session Initialization: Client requests session keys
  2. Key Generation: Server generates unique encryption keys per session
  3. Endpoint Obfuscation: All endpoints are hashed using SHA-256
  4. Request Encryption: Client encrypts requests with session key
  5. Server Decryption: Middleware automatically decrypts and validates
  6. Response Encryption: Responses are encrypted before sending

Security Features

  • No Hardcoded Secrets: Keys are generated per session
  • Perfect Forward Secrecy: Each session has unique keys
  • Replay Attack Prevention: Timestamp-based validation
  • Request Integrity: HMAC signatures prevent tampering
  • Endpoint Obfuscation: API structure hidden from inspection

⚠️ Production Deployment

IMPORTANT: This package provides obfuscation and encryption at the application layer. For production use, you MUST also implement:

Required for Production:

  1. HTTPS/TLS: Always use HTTPS in production

    • Obfuscation is NOT a replacement for TLS
    • Use valid SSL/TLS certificates
    • Configure HSTS headers
  2. Environment Variables: Never hardcode secrets

    ROSSETTA_SECRET_KEY=your-secure-random-key-here
    
  3. Rate Limiting: Add rate limiting middleware

    from slowapi import Limiter
    limiter = Limiter(key_func=get_remote_address)
    
  4. Authentication & Authorization: Add proper auth layer

    • This package only handles obfuscation
    • Implement JWT, OAuth, or session-based auth
  5. Database Security: Use parameterized queries/ORMs

  6. Input Validation: Validate all user inputs with Pydantic

  7. CORS Configuration: Restrict allowed origins

Recommended Security Stack:

[Client] → HTTPS/TLS → [Rate Limiter] → [Auth Middleware] → [Rossetta Middleware] → [Your API]

Environment Variables

ROSSETTA_SECRET_KEY=your-secret-key-here  # Optional

API Reference

RossettaMiddleware

Main middleware class.

Parameters:

  • secret (str): Secret key for encryption (auto-generated if not provided)
  • timestamp_window (int): Request validity window in milliseconds (default: 300000)

Request State

After middleware processing:

  • request.state.rossetta['session_key']: Current session encryption key
  • request.state.rossetta['endpoint_salt']: Salt for endpoint obfuscation
  • request.state.rossetta['obfuscate_endpoint']: Function to obfuscate endpoints
  • request.state.rossetta['encrypt']: Function to encrypt data
  • request.state.rossetta['decrypt']: Function to decrypt data
  • request.state.decrypted_data: Decrypted request payload

Helper Functions

encrypt_response(data, session_key)

Encrypts response data.

Parameters:

  • data (dict): Data to encrypt
  • session_key (str): Session encryption key

Returns: Encrypted string

Complete Example

from fastapi import FastAPI, Request
from starlette.middleware.sessions import SessionMiddleware
from rossetta_fastapi import RossettaMiddleware, encrypt_response

app = FastAPI()

# Add middlewares
app.add_middleware(SessionMiddleware, secret_key="super-secret")
app.add_middleware(RossettaMiddleware)

# Session init
@app.post("/api/init-session")
async def init_session(request: Request):
    return {
        "sessionKey": request.session['rossetta_key'],
        "endpointSalt": request.session['endpoint_salt']
    }

# Protected endpoints
@app.get("/api/todos")
async def list_todos(request: Request):
    todos = [
        {"id": 1, "text": "Learn Rossetta API", "completed": False}
    ]
    return encrypt_response(todos, request.state.rossetta['session_key'])

@app.post("/api/todos")
async def create_todo(request: Request):
    data = request.state.decrypted_data
    todo = {
        "id": 2,
        "text": data['text'],
        "completed": False
    }
    return encrypt_response(todo, request.state.rossetta['session_key'])

if __name__ == "__main__":
    import uvicorn
    uvicorn.run(app, host="0.0.0.0", port=8000)

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rossetta_fastapi-0.1.0.tar.gz (6.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rossetta_fastapi-0.1.0-py3-none-any.whl (6.9 kB view details)

Uploaded Python 3

File details

Details for the file rossetta_fastapi-0.1.0.tar.gz.

File metadata

  • Download URL: rossetta_fastapi-0.1.0.tar.gz
  • Upload date:
  • Size: 6.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for rossetta_fastapi-0.1.0.tar.gz
Algorithm Hash digest
SHA256 c3003f3a70d9ec4e042dfd3397131a33497763d397e993b4cffa432107dbb737
MD5 c0b3b6483a73bfcd5e47b6b9b0bbdb7b
BLAKE2b-256 077c34050f5f59fe5ff56dffdd8ed286fe059ee2b39c42326bf8cf8c57c7eaa3

See more details on using hashes here.

File details

Details for the file rossetta_fastapi-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for rossetta_fastapi-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b322eb9ff684a017936ccd9b47604ba6efa2fcc30f37458824df3b6d53fab59e
MD5 9f847c9b8a5744cffb34d3b0ffa5431a
BLAKE2b-256 263427ce9088f89d39d99cd8560510e82010f519f15414e84b6be36c0ae0b96c

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page