{"slug": "how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack", "title": "How I secured my FastAPI app - 6 vulnerabilities fixed in one session with gstack /cso", "summary": "A developer secured their FastAPI application ratecalc.fyi by fixing six vulnerabilities in a single session using the gstack /cso security audit tool on Claude Code. The critical- and high-severity issues were an admin password exposed in git history, user emails committed to the repository, a webhook that skipped signature verification when its signing secret was unset, and a hardcoded admin fallback password; the two medium-severity issues were a rate limit keyed on the spoofable X-Forwarded-For header and missing security headers. All six were resolved within two hours, before the application's first paying users.", "body_md": "I've been building ratecalc.fyi — a free sponsorship rate calculator for UGC creators — for 16 days. On day 13, I ran a security audit using gstack's /cso skill on Claude Code.\n\nIt found 6 issues. I fixed all of them in one session.\n\nHere's exactly what was wrong and how I fixed it.\n\nWhat is gstack /cso?\n\ngstack is an open-source skill pack for Claude Code built by Garry Tan (YC CEO). The /cso skill runs an OWASP Top 10 + STRIDE threat model audit on your codebase.\n\nYou run it with one command:\n\nLoad gstack. Run /cso\n\nThe 6 vulnerabilities\n\n- 🔴 CRITICAL — Admin password in git history\nMy admin password was hardcoded 6 commits ago. Anyone with repo access could extract it from git history.\nFix: Rotated the password, moved it to an environment variable, scrubbed git history with git filter-repo, force-pushed. Rotation comes first: rewriting history does not revoke a secret from clones, forks or CI caches that already pulled it, so the old value has to be dead before the scrub matters.\n```python\n# Before\n_ADMIN_PASS = b\"hardcoded_password_here\"\n\n# After\nimport os\n\n# The \"changeme\" default is the fallback password flagged as issue 4 below.\n_ADMIN_PASS = os.getenv(\"ADMIN_PASS\", \"changeme\").encode()\n```\n\n- 🔴 HIGH — User emails committed to git\nMy SQLite database file (notify.db) containing user emails was committed to the repo.\nFix: git rm --cached notify.db, scrubbed it from all history, added it to .gitignore.\n- 🔴 HIGH — Webhook auth bypass\nThe LemonSqueezy webhook skipped signature verification if LEMONSQUEEZY_WEBHOOK_SECRET wasn't set — meaning anyone could POST fake payment events and get free Pro access.\nFix: App now raises on startup if the secret is missing. Fail closed, not fail open. The check itself has to run over the raw request body (an HMAC compared to the signature header in constant time); parsing the JSON and re-serialising it first can change the bytes and reject genuine events.\n- 🔴 HIGH — Admin fallback password\nAdmin panel fell back to \"changeme\" if the ADMIN_PASS env var wasn't set.\nFix: Same pattern — startup raises if the env var is missing.\n- 🟡 MEDIUM — Rate limit bypass\nThe calculator rate limit read the client IP from the X-Forwarded-For header, which any client can spoof.\nFix: Changed to request.client.host — not spoofable at the transport layer. One caveat: request.client.host is the real client only when the app is exposed directly. Behind a reverse proxy or CDN it is the proxy's address, so every visitor lands in one bucket; in that setup, trust X-Forwarded-For only when the peer is one of your own proxies (uvicorn's --proxy-headers with --forwarded-allow-ips does this) and use the hop the proxy appended, not the leftmost value.\n- 🟡 MEDIUM — Missing security headers\nCSP and HSTS headers were absent.\nFix: Added Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy via FastAPI middleware. HSTS is only honoured over HTTPS, and a new CSP is safest shipped as Content-Security-Policy-Report-Only first so it cannot silently break the calculator's own scripts.\n\nWhat I learned\n\nRunning a security audit before your first paying user is much better than after. All 6 of these issues were fixable in under 2 hours — but any one of them could have caused real damage with real users.\n\nThe gstack /cso skill is free, open source, and takes about 15 minutes to run. If you're building a FastAPI app (or any web app), run it now.\n\nThe repo: ratecalc.fyi is live.
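
Fail-closed secret loading and the webhook signature check, as an added example (my code, not the post's or ratecalc.fyi's). It assumes, from Lemon Squeezy's webhook documentation, that the X-Signature header carries a hex HMAC-SHA256 of the raw body under the signing secret; the environment, the payload and the helper names are constructed for the example. The fail-open function reproduces the bug described under issues 3 and 4 beside the hardened check.

```python
import hashlib
import hmac
import json
import os


class MissingSecretError(RuntimeError):
    pass


def require_secret(name, env=None):
    # Fail closed: a missing or blank secret aborts startup instead of
    # silently disabling the check that depends on it.
    env = os.environ if env is None else env
    value = env.get(name, '').strip()
    if not value:
        raise MissingSecretError(f'{name} is not set; refusing to start')
    return value


def lemonsqueezy_signature(secret, raw_body):
    # Hex HMAC-SHA256 over the raw body bytes. Assumption taken from Lemon
    # Squeezy's webhook docs: this is the value sent in the X-Signature header.
    return hmac.new(secret.encode(), raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret, raw_body, signature_header):
    # Hardened check: an absent header is a rejection, and the compare is
    # constant-time so an attacker cannot learn how many digits matched.
    if not signature_header:
        return False
    expected = lemonsqueezy_signature(secret, raw_body)
    return hmac.compare_digest(expected, signature_header.strip().lower())


def verify_webhook_fail_open(secret, raw_body, signature_header):
    # The bug the audit found, reconstructed from the post's description:
    # with no secret configured, every payload is accepted as genuine.
    if not secret:
        return True
    return verify_webhook(secret, raw_body, signature_header)


def demo():
    # Constructed environment and payload for this example, not real data.
    env = {'LEMONSQUEEZY_WEBHOOK_SECRET': 'example-signing-secret'}
    secret = require_secret('LEMONSQUEEZY_WEBHOOK_SECRET', env)
    event = {'meta': {'event_name': 'order_created'}, 'data': {'id': '1'}}
    body = json.dumps(event, separators=(',', ':')).encode()
    header = lemonsqueezy_signature(secret, body)  # what the provider would send
    forged = body.replace(b'order_created', b'subscription_created')
    try:
        require_secret('LEMONSQUEEZY_WEBHOOK_SECRET', {})
        startup_refused = False
    except MissingSecretError:
        startup_refused = True
    return {
        'genuine_accepted': verify_webhook(secret, body, header),
        'forged_rejected': not verify_webhook(secret, forged, header),
        'unsigned_rejected': not verify_webhook(secret, body, None),
        'fail_open_accepts_forgery': verify_webhook_fail_open(None, forged, None),
        'startup_refused_without_secret': startup_refused,
    }


if __name__ == '__main__':
    print(demo())
```

In a FastAPI route the inputs come from `await request.body()` (never a re-serialised parsed model) and `request.headers.get('X-Signature')`; call `require_secret` once at import or in a startup hook so the process refuses to boot rather than refusing requests later.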
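
The proxy caveat on the rate-limit fix, worked through as an added example (my code, not the post's). client_ip takes request.client.host plus the X-Forwarded-For value and trusts the header only when the peer is one of your own proxies, walking the chain from the right; the addresses, the proxy list and the in-process limiter are constructed for the example and go beyond the single-server case the post describes.

```python
import ipaddress
import time
from collections import defaultdict, deque


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def client_ip(peer_host, forwarded_for, trusted_proxies):
    # peer_host is request.client.host, the transport-layer peer.
    # forwarded_for is the X-Forwarded-For header value (or None).
    # trusted_proxies lists addresses or CIDRs of proxies you operate; hops
    # appended by anyone else are attacker-controlled and ignored.
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(host):
        return _is_ip(host) and any(ipaddress.ip_address(host) in net for net in trusted)

    if not forwarded_for or not is_trusted(peer_host):
        # Exposed directly, or header sent by an untrusted peer: ignore it.
        return peer_host
    # Walk the chain from the right. Every trusted hop vouches for the
    # address to its left; the first untrusted one is the real client.
    hops = [h.strip() for h in forwarded_for.split(',') if h.strip()]
    candidate = peer_host
    for hop in reversed(hops):
        candidate = hop
        if not is_trusted(hop):
            break
    return candidate if _is_ip(candidate) else peer_host


class SlidingWindowLimiter:
    # In-process limiter keyed by whatever client_ip returns; several uvicorn
    # workers would need a shared store instead of this dict.
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self.hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def demo():
    # Constructed traffic. 10.0.0.5 is the reverse proxy we operate; the
    # attacker at 203.0.113.7 rotates a spoofed X-Forwarded-For each request.
    trusted = ['10.0.0.5']
    limiter = SlidingWindowLimiter(limit=2, window_seconds=60)
    direct = [limiter.allow(client_ip('203.0.113.7', f'198.51.100.{i}', trusted))
              for i in range(3)]
    limiter = SlidingWindowLimiter(limit=2, window_seconds=60)
    proxied = [limiter.allow(client_ip('10.0.0.5', f'198.51.100.{i}, 203.0.113.7', trusted))
               for i in range(3)]
    return {'direct': direct, 'proxied': proxied}


if __name__ == '__main__':
    print(demo())
```

Both scenarios end in `[True, True, False]`: the spoofed hops never become the key, whether the app is exposed directly or sits behind the trusted proxy that appended the attacker's real address.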
Free calculator, no signup required.", "url": "https://wpnews.pro/news/how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack", "canonical_source": "https://dev.to/ratecalc/how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack-cso-2i4", "published_at": "2026-05-27 05:42:20+00:00", "updated_at": "2026-05-27 05:52:31.558082+00:00", "lang": "en", "topics": ["ai-tools", "ai-products"], "entities": ["gstack", "Claude Code", "Garry Tan", "OWASP", "LemonSqueezy", "FastAPI", "ratecalc.fyi"], "alternates": {"html": "https://wpnews.pro/news/how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack", "markdown": "https://wpnews.pro/news/how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack.md", "text": "https://wpnews.pro/news/how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack.txt", "jsonld": "https://wpnews.pro/news/how-i-secured-my-fastapi-app-6-vulnerabilities-fixed-in-one-session-with-gstack.jsonld"}}