# How I secured my FastAPI app - 6 vulnerabilities fixed in one session with gstack /cso

*Summary: A developer secured their FastAPI application ratecalc.fyi by fixing six vulnerabilities in a single session using the gstack /cso security audit tool on Claude Code. The critical issues included an admin password exposed in git history, user emails committed to the repository, a webhook authentication bypass, and an admin fallback password, along with a medium-severity rate limit bypass and missing security headers. All vulnerabilities were resolved within two hours, before the application's first paying users.*

I've been building ratecalc.fyi — a free sponsorship rate calculator for UGC creators — for 16 days. On day 13, I ran a security audit using gstack's /cso skill on Claude Code. It found 6 issues. I fixed all of them in one session. Here's exactly what was wrong and how I fixed it.

## What is gstack /cso?

gstack is an open-source skill pack for Claude Code built by Garry Tan (YC CEO). The /cso skill runs an OWASP Top 10 + STRIDE threat model audit on your codebase. You run it with one command:

```
Load gstack. Run /cso
```

## The 6 vulnerabilities

- 🔴 **CRITICAL — Admin password in git history**

  My admin password was hardcoded 6 commits ago. Anyone with repo access could extract it from git history.

  **Fix:** Rotated the password, moved it to an env variable, scrubbed git history with git filter-repo, force-pushed.

  ```python
  import os

  # Before: the secret is a literal in source, and therefore in git history
  ADMIN_PASS = b"hardcoded_password_here"

  # After: read from the environment. (The "changeme" fallback is itself
  # the "Admin fallback password" finding below, fixed by raising at startup.)
  ADMIN_PASS = os.getenv("ADMIN_PASS", "changeme").encode()
  ```

- 🔴 **HIGH — User emails committed to git**

  My SQLite database file notify.db, containing user emails, was committed to the repo.

  **Fix:** `git rm --cached notify.db`, scrubbed it from all history, added it to .gitignore.

- 🔴 **HIGH — Webhook auth bypass**

  The LemonSqueezy webhook skipped signature verification if LEMONSQUEEZY_WEBHOOK_SECRET wasn't set — meaning anyone could POST fake payment events and get free Pro access.

  **Fix:** The app now raises on startup if the secret is missing. Fail closed, not fail open.

- 🔴 **HIGH — Admin fallback password**

  The admin panel fell back to "changeme" if the ADMIN_PASS env var wasn't set.

  **Fix:** Same pattern — startup raises if the env var is missing.

- 🟡 **MEDIUM — Rate limit bypass**

  The calculator rate limit read the client IP from the X-Forwarded-For header, which any client can spoof.

  **Fix:** Changed to request.client.host — not spoofable at the transport layer.

- 🟡 **MEDIUM — Missing security headers**

  CSP and HSTS headers were absent.

  **Fix:** Added Content-Security-Policy, Strict-Transport-Security, and Permissions-Policy via FastAPI middleware.

## What I learned

Running a security audit before your first paying user is much better than after. All 6 of these issues were fixable in under 2 hours — but any one of them could have caused real damage with real users.

The gstack /cso skill is free, open source, and takes about 15 minutes to run. If you're building a FastAPI app (or any web app), run it now.

The repo: ratecalc.fyi is live. Free calculator, no signup required.
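The fail-closed secret loading, the webhook signature check and the rate-limit keying from the list above, written out as an added example (not ratecalc.fyi's code). It assumes the webhook signature is an HMAC-SHA256 of the raw body, hex-encoded in an X-Signature header, and it goes one step beyond the post's fix by honouring X-Forwarded-For only when the direct peer is a reverse proxy you operate (otherwise request.client.host would just be the proxy's address).

```python
import hashlib
import hmac
import os
from typing import Mapping, Optional


def require_secret(name: str, env: Mapping[str, str] = os.environ) -> bytes:
    """Fail closed: a missing or empty secret aborts startup instead of
    silently disabling a check. Call at import time, e.g.
    WEBHOOK_SECRET = require_secret("LEMONSQUEEZY_WEBHOOK_SECRET")."""
    value = env.get(name, "")
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start")
    return value.encode()


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded (assumed format)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def webhook_signature_ok(secret: bytes, raw_body: bytes,
                         signature_header: Optional[str]) -> bool:
    """Reject when the header is absent; otherwise compare in constant time.
    In the FastAPI route: raw_body = await request.body() and
    signature_header = request.headers.get("X-Signature")."""
    if not signature_header:
        return False
    expected = sign_body(secret, raw_body)
    # Compare as bytes so a non-ASCII header cannot raise instead of failing
    return hmac.compare_digest(expected.encode(),
                               signature_header.strip().lower().encode())


def rate_limit_key(client_host: str, headers: Mapping[str, str],
                   trusted_proxies: frozenset = frozenset()) -> str:
    """Key the limiter on the transport-layer peer (request.client.host).
    X-Forwarded-For is used only when that peer is a proxy we run, and then
    only its last hop, which is the value our own proxy appended."""
    if client_host in trusted_proxies:
        xff = headers.get("x-forwarded-for", "")
        if xff:
            return xff.split(",")[-1].strip()
    return client_host
```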