Source: dev.to · topic: ai-tools

How I secured my FastAPI app - 6 vulnerabilities fixed in one session with gstack /cso

A developer secured their FastAPI application ratecalc.fyi by fixing six vulnerabilities in a single session using the gstack /cso security audit skill on Claude Code. The one critical issue was an admin password exposed in git history; three high-severity issues were user emails committed to the repository, a webhook signature-verification bypass, and a hard-coded admin fallback password; two medium-severity issues were a spoofable rate-limit key and missing security headers. All six were resolved within two hours, before the application's first paying users.

2 min read · published May 27, 2026

I've been building ratecalc.fyi, a free sponsorship rate calculator for UGC creators, for 16 days. On day 13, I ran a security audit using gstack's /cso skill on Claude Code.

It found 6 issues. I fixed all of them in one session.

Here's exactly what was wrong and how I fixed it.

What is gstack /cso?

gstack is an open-source skill pack for Claude Code built by Garry Tan (YC CEO). The /cso skill runs an OWASP Top 10 + STRIDE threat model audit on your codebase.

You run it with one command:

Load gstack. Run /cso

The 6 vulnerabilities

  • 🔴 CRITICAL: Admin password in git history. My admin password was hardcoded 6 commits ago. Anyone with repo access could extract it from git history. Fix: Rotated the password, moved it to an env variable, scrubbed git history with git filter-repo, force-pushed. Rotation is the step that actually matters: rewriting history does not revoke a secret that was already pulled into clones, forks or CI caches.

```python
import os

# Before: the secret lives in the source file, and therefore in git history.
_ADMIN_PASS = b"hardcoded_password_here"

# After: read from the environment. The "changeme" default kept here is itself
# issue 4 below; the final version raises on startup instead of defaulting.
_ADMIN_PASS = os.getenv("ADMIN_PASS", "changeme").encode()
```

  • 🔴 HIGH: User emails committed to git. My SQLite database file (notify.db) containing user emails was committed to the repo. Fix: git rm --cached notify.db, scrubbed it from all history, added it to .gitignore.
  • 🔴 HIGH: Webhook auth bypass. The LemonSqueezy webhook skipped signature verification if LEMONSQUEEZY_WEBHOOK_SECRET wasn't set, meaning anyone could POST fake payment events and get free Pro access. Fix: The app now raises on startup if the secret is missing. Fail closed, not fail open. The verification itself should be an HMAC over the raw request body compared in constant time (hmac.compare_digest), and a missing signature header must be rejected, not skipped.
  • 🔴 HIGH: Admin fallback password. The admin panel fell back to "changeme" if the ADMIN_PASS env var wasn't set. Fix: Same pattern, startup raises if the env var is missing.
  • 🟡 MEDIUM: Rate limit bypass. The calculator rate limit read the client IP from the X-Forwarded-For header, which any client can set to whatever it likes. Fix: Changed to request.client.host, the TCP peer address, which a client cannot spoof at the transport layer. Caveat: if the app sits behind a reverse proxy or CDN, that peer is the proxy, so every user would share one bucket; in that deployment, trust X-Forwarded-For only when the peer is your own proxy (uvicorn's --proxy-headers together with --forwarded-allow-ips) and take the rightmost hop you don't trust, never the leftmost value.
  • 🟡 MEDIUM: Missing security headers. CSP and HSTS headers were absent. Fix: Added Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy via FastAPI middleware. CSP has to be tuned to the scripts and styles the app actually loads, and HSTS only has effect once the site is served over HTTPS.

What I learned

Running a security audit before your first paying user is much better than after. All 6 of these issues were fixable in under 2 hours β€” but any one of them could have caused real damage with real users.
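The four code-level fixes from the list, pulled together as one added example: fail-closed secrets for issues 1 and 4, webhook signature verification for issue 3, a proxy-aware rate-limit key for issue 5, and the security-header middleware for issue 6. This is not the ratecalc.fyi code or anything gstack produced. The HMAC-SHA256 hex digest in an X-Signature header is the scheme LemonSqueezy documents for its webhooks (check the current docs before relying on it); TRUSTED_PROXIES is an assumed env var; the sample request body in the comments is constructed; and FastAPI is imported inside build_app so the pure helpers can be exercised without it installed.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import os
from typing import Iterable, Mapping, Optional


def require_env(name: str, environ: Mapping[str, str] = os.environ) -> str:
    """Fail closed: a missing or empty secret aborts startup instead of
    silently falling back to a default such as "changeme" (issues 1 and 4)."""
    value = environ.get(name, "")
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start")
    return value


def sign_webhook_body(raw_body: bytes, secret: str) -> str:
    """HMAC-SHA256 hex digest over the raw request body. This is the scheme
    LemonSqueezy documents for its X-Signature header (assumption: verify
    against the current docs). Used here both to verify and, in tests, to
    produce a valid signature."""
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook_signature(raw_body: bytes, signature_header: Optional[str], secret: str) -> bool:
    """Constant-time comparison; a missing header is a failure, never a bypass (issue 3)."""
    if not signature_header:
        return False
    expected = sign_webhook_body(raw_body, secret)
    return hmac.compare_digest(expected, signature_header.strip().lower())


def _is_trusted(ip: str, trusted: list) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted)


def client_ip(peer_ip: str, forwarded_for: Optional[str], trusted_proxies: Iterable[str]) -> str:
    """Rate-limit key (issue 5). Use the transport peer unless it is one of our
    own proxies; then walk X-Forwarded-For from the right and return the first
    hop that is not a trusted proxy. Anything the client prepended on the left
    of the header is never reached."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    if not _is_trusted(peer_ip, trusted) or not forwarded_for:
        return peer_ip
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return peer_ip  # every hop was one of our proxies; fall back to the peer


# Issue 6. Tune CSP to what the app really loads; HSTS only matters over HTTPS.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; base-uri 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


def build_app(environ: Mapping[str, str] = os.environ):
    """Wire the helpers into FastAPI. FastAPI is imported here rather than at
    module level so the helpers above run without it installed."""
    from fastapi import FastAPI, HTTPException, Request

    webhook_secret = require_env("LEMONSQUEEZY_WEBHOOK_SECRET", environ)  # issue 3: no secret, no start
    require_env("ADMIN_PASS", environ)                                      # issue 4: no fallback password
    # Assumed env var, e.g. "10.0.0.0/8,203.0.113.10"; empty means no proxy is trusted.
    trusted = [p.strip() for p in environ.get("TRUSTED_PROXIES", "").split(",") if p.strip()]

    app = FastAPI()

    @app.middleware("http")
    async def security_headers(request: Request, call_next):
        response = await call_next(request)
        for name, value in SECURITY_HEADERS.items():
            if name not in response.headers:
                response.headers[name] = value
        return response

    @app.post("/webhooks/lemonsqueezy")
    async def lemonsqueezy_webhook(request: Request):
        body = await request.body()  # sign over the raw bytes, not a re-serialised JSON object
        if not verify_webhook_signature(body, request.headers.get("x-signature"), webhook_secret):
            raise HTTPException(status_code=401, detail="invalid webhook signature")
        return {"ok": True}  # only now is the payload trusted enough to grant Pro access

    @app.get("/calc")
    async def calc(request: Request):
        peer = request.client.host if request.client else "0.0.0.0"
        key = client_ip(peer, request.headers.get("x-forwarded-for"), trusted)
        return {"rate_limit_key": key}  # feed this key to the limiter, not raw X-Forwarded-For

    return app
```

With no proxy configured, client_ip simply returns request.client.host, which is the fix the post describes; behind a proxy it yields the address the proxy appended rather than whatever the client put at the front of the header. The webhook handler reads the raw body before any JSON parsing, since the signature covers the bytes on the wire.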

The gstack /cso skill is free, open source, and takes about 15 minutes to run. If you're building a FastAPI app (or any web app), run it now.

The repo: ratecalc.fyi is live. Free calculator, no signup required.
