實戰:安全 API 實作
Vibe Prompt
「幫我建立一個安全的 FastAPI 服務:加入 Rate Limiting、CORS、JWT 驗證、輸入驗證、日誌記錄。」
import hashlib
import logging
import re
import time

from fastapi import FastAPI, Depends, HTTPException, Request
from fastapi.middleware.cors import CORSMiddleware
from fastapi.security import HTTPBearer
import jwt
from pydantic import BaseModel, EmailStr, validator
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address
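app = FastAPI(title="安全 API 範例")

# Rate limiting, keyed on the client address. The exception handler is what
# turns a RateLimitExceeded raised by @limiter.limit into a 429 response;
# without it the exception surfaces as an unhandled 500.
# NOTE(review): get_remote_address uses the direct peer address — behind a
# reverse proxy every client would share the proxy's key; confirm deployment.
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

# CORS: one explicit origin (never "*" combined with allow_credentials=True),
# and only the methods and headers this API actually uses.
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://vibe-tutor.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization", "Content-Type"],
)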
# Rate Limiting
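@app.get("/api/public")
@limiter.limit("10/minute")
async def public_endpoint(request: Request):
    """Unauthenticated demo endpoint, limited to 10 requests per minute per client.

    `request` is unused in the body but must be in the signature: slowapi's
    limit decorator reads the incoming request from it to derive the
    rate-limit key, and rejects endpoints that do not declare one.
    """
    return {"message": "公開端點"}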
# 輸入驗證
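class UserCreate(BaseModel):
    """Request body for POST /api/users.

    Attributes:
        email: checked by pydantic's EmailStr.
        name: display name; angle brackets and double quotes are stripped.
        age: must lie within 0..150 inclusive.

    NOTE(review): @validator is the pydantic v1 API (deprecated in v2 in
    favour of field_validator); confirm which version is pinned.
    """

    email: EmailStr
    name: str
    age: int

    @validator('age')
    def validate_age(cls, v):
        """Reject ages outside the plausible human range.

        Raises:
            ValueError: if v is negative or greater than 150.
        """
        if not 0 <= v <= 150:
            raise ValueError('年齡無效')
        return v

    @validator('name')
    def sanitize_name(cls, v):
        """Strip characters commonly used for HTML/attribute injection.

        Defense in depth only: output encoding at render time is the real
        XSS control, and stripping silently alters the stored value. A name
        that is empty or whitespace-only after stripping is rejected.

        Raises:
            ValueError: if nothing meaningful remains after stripping.
        """
        cleaned = re.sub(r'[<>"]', '', v)
        if not cleaned.strip():
            raise ValueError('名稱無效')
        return cleaned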
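@app.post("/api/users", status_code=201)
async def create_user(user: UserCreate):
    """Insert a validated user row and return {"status": "ok"}.

    Field validation happens in UserCreate before this body runs; the INSERT
    is parameterized, so the values are never interpolated into the SQL text.

    NOTE(review): no authentication dependency is attached — HTTPBearer and
    jwt are imported at the top of the file but not used here; confirm
    whether this endpoint is meant to be reachable without a token.

    Raises:
        HTTPException: 409 when the database rejects the row with an
            integrity error (e.g. a uniqueness constraint — depends on schema).
    """
    import psycopg2

    # TODO(review): DSN is hard-coded; read it from configuration instead.
    # A connection per request is also costly; a pool is the usual answer.
    conn = psycopg2.connect("dbname=test")
    try:
        # The connection context manager commits on success and rolls back
        # on an exception, but does not close the connection — hence finally.
        with conn, conn.cursor() as cur:
            cur.execute(
                "INSERT INTO users (email, name, age) VALUES (%s, %s, %s)",
                (user.email, user.name, user.age),
            )
    except psycopg2.IntegrityError as exc:
        # A constraint violation is a client-side problem, not a 500.
        raise HTTPException(status_code=409, detail="資料違反資料庫約束") from exc
    finally:
        conn.close()
    return {"status": "ok"}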
# 請求日誌
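@app.middleware("http")
async def log_requests(request, call_next):
    """Log one line per request: method, path, status and elapsed seconds.

    Only the path is logged, not the full URL, so query-string parameters
    (which may carry tokens or PII) never reach the log. If call_next raises,
    the request is still logged with status "-" before the exception
    propagates.
    """
    log = logging.getLogger(__name__)
    start = time.perf_counter()  # monotonic; unaffected by wall-clock changes
    status = "-"
    try:
        response = await call_next(request)
        status = response.status_code
        return response
    finally:
        elapsed = time.perf_counter() - start
        log.info("%s %s %s %.3fs", request.method, request.url.path, status, elapsed)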
課程總結
Web Security 完成!
- ✅ OWASP Top 10
- ✅ SQL Injection 防護
- ✅ XSS + CSP
- ✅ CSRF + SameSite
- ✅ 安全 API 實戰