# How I secured my FastAPI app - 6 vulnerabilities fixed in one session with gstack /cso > Source: > Published: 2026-05-27 05:42:20+00:00 I've been building ratecalc.fyi — a free sponsorship rate calculator for UGC creators — for 16 days. On day 13, I ran a security audit using gstack's /cso skill on Claude Code. It found 6 issues. I fixed all of them in one session. Here's exactly what was wrong and how I fixed it. What is gstack /cso? gstack is an open-source skill pack for Claude Code built by Garry Tan (YC CEO). The /cso skill runs an OWASP Top 10 + STRIDE threat model audit on your codebase. You run it with one command: Load gstack. Run /cso The 6 vulnerabilities - 🔴 CRITICAL — Admin password in git history My admin password was hardcoded 6 commits ago. Anyone with repo access could extract it from git history. Fix: Rotated the password, moved to env variable, scrubbed git history with git filter-repo, force-pushed. python# Before _ADMIN_PASS = b"hardcoded_password_here" # After _ADMIN_PASS = os.getenv("ADMIN_PASS", "changeme").encode() - 🔴 HIGH — User emails committed to git My SQLite database file (notify.db) containing user emails was committed to the repo. Fix: git rm --cached notify.db, scrubbed from all history, added to .gitignore. - 🔴 HIGH — Webhook auth bypass The LemonSqueezy webhook skipped signature verification if LEMONSQUEEZY_WEBHOOK_SECRET wasn't set — meaning anyone could POST fake payment events and get free Pro access. Fix: App now raises on startup if the secret is missing. Fail closed, not fail open. - 🔴 HIGH — Admin fallback password Admin panel fell back to "changeme" if ADMIN_PASS env var wasn't set. Fix: Same pattern — startup raises if env var missing. - 🟡 MEDIUM — Rate limit bypass The calculator rate limit read IP from X-Forwarded-For header, which any client can spoof. Fix: Changed to request.client.host — not spoofable at transport layer. - 🟡 MEDIUM — Missing security headers CSP and HSTS headers were absent. Fix: Added Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy via FastAPI middleware. What I learned Running a security audit before your first paying user is much better than after. All 6 of these issues were fixable in under 2 hours — but any one of them could have caused real damage with real users. The gstack /cso skill is free, open source, and takes about 15 minutes to run. If you're building a FastAPI app (or any web app), run it now. The repo: ratecalc.fyi is live. Free calculator, no signup required.