cd /news/ai-tools/how-i-secured-my-fastapi-app-6-vulne… · home topics ai-tools article
[ARTICLE · art-14972] src=dev.to ↗ pub= topic=ai-tools verified=true sentiment=↑ positive

How I secured my FastAPI app - 6 vulnerabilities fixed in one session with gstack /cso

A developer secured their FastAPI application ratecalc.fyi by fixing six vulnerabilities in a single session using the gstack /cso security audit tool on Claude Code. The critical issues included an admin password exposed in git history, user emails committed to the repository, a webhook authentication bypass, and an admin fallback password, along with medium-severity rate limit bypass and missing security headers. All vulnerabilities were resolved within two hours before the application's first paying users.

read2 min views12 publishedMay 27, 2026

I've been building ratecalc.fyi — a free sponsorship rate calculator for UGC creators — for 16 days. On day 13, I ran a security audit using gstack's /cso skill on Claude Code.

It found 6 issues. I fixed all of them in one session.

Here's exactly what was wrong and how I fixed it.

What is gstack /cso?

gstack is an open-source skill pack for Claude Code built by Garry Tan (YC CEO). The /cso skill runs an OWASP Top 10 + STRIDE threat model audit on your codebase.

You run it with one command:

Load gstack. Run /cso

The 6 vulnerabilities

  • 🔴 CRITICAL — Admin password in git history My admin password was hardcoded 6 commits ago. Anyone with repo access could extract it from git history. Fix: Rotated the password, moved to env variable, scrubbed git history with git filter-repo, force-pushed. python# Before _ADMIN_PASS = b"hardcoded_password_here"

#

After

_ADMIN_PASS = os.getenv("ADMIN_PASS", "changeme").encode()

  • 🔴 HIGH — User emails committed to git My SQLite database file (notify.db) containing user emails was committed to the repo. Fix: git rm --cached notify.db, scrubbed from all history, added to .gitignore.
  • 🔴 HIGH — Webhook auth bypass The LemonSqueezy webhook skipped signature verification if LEMONSQUEEZY_WEBHOOK_SECRET wasn't set — meaning anyone could POST fake payment events and get free Pro access. Fix: App now raises on startup if the secret is missing. Fail closed, not fail open.
  • 🔴 HIGH — Admin fallback password Admin panel fell back to "changeme" if ADMIN_PASS env var wasn't set. Fix: Same pattern — startup raises if env var missing.
  • 🟡 MEDIUM — Rate limit bypass The calculator rate limit read IP from X-Forwarded-For header, which any client can spoof. Fix: Changed to request.client.host — not spoofable at transport layer.
  • 🟡 MEDIUM — Missing security headers CSP and HSTS headers were absent.

Fix: Added Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy via FastAPI middleware. What I learned

Running a security audit before your first paying user is much better than after. All 6 of these issues were fixable in under 2 hours — but any one of them could have caused real damage with real users.

The gstack /cso skill is free, open source, and takes about 15 minutes to run. If you're building a FastAPI app (or any web app), run it now.

The repo: ratecalc.fyi is live. Free calculator, no signup required.

── more in #ai-tools 4 stories · sorted by recency
── more on @gstack 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/how-i-secured-my-fas…] indexed:0 read:2min 2026-05-27 ·