Hands-on: Implementing a Secure API

Vibe Prompt

"Build me a secure FastAPI service: add rate limiting, CORS, JWT verification, input validation and request logging."

from fastapi import FastAPI, Depends, HTTPException, Request
from fastapi.middleware.cors import CORSMiddleware
from fastapi.security import HTTPBearer
import jwt, time, logging
from pydantic import BaseModel, EmailStr, validator
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address

logger = logging.getLogger("api")

app = FastAPI(title="安全 API 範例")
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
# Without this handler a client over the limit gets an unhandled exception instead of HTTP 429
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

# CORS: an explicit allow-list of origin, methods and headers.
# With allow_credentials=True the origin must never be "*".
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://vibe-tutor.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization", "Content-Type"],
)

# Rate limiting: slowapi requires the decorated endpoint to accept a `request: Request` parameter
@app.get("/api/public")
@limiter.limit("10/minute")
async def public_endpoint(request: Request):
    return {"message": "公開端點"}

# Input validation
class UserCreate(BaseModel):
    email: EmailStr
    name: str
    age: int

    @validator('age')
    def validate_age(cls, v):
        if v < 0 or v > 150:
            raise ValueError('年齡無效')
        return v

    @validator('name')
    def sanitize_name(cls, v):
        # Strip characters commonly used in XSS payloads. This is defence in depth only:
        # the actual protection is output encoding (plus a CSP) wherever the name is rendered.
        import re
        return re.sub(r'[<>"]', '', v)

@app.post("/api/users", status_code=201)
async def create_user(user: UserCreate):
    # Parameterised query: the driver binds the values, so user input never becomes SQL text
    import psycopg2
    conn = psycopg2.connect("dbname=test")
    try:
        with conn.cursor() as cur:
            cur.execute(
                "INSERT INTO users (email, name, age) VALUES (%s, %s, %s)",
                (user.email, user.name, user.age)
            )
        conn.commit()
    finally:
        conn.close()
    return {"status": "ok"}

# Request logging: method, path, status and latency for every request
@app.middleware("http")
async def log_requests(request: Request, call_next):
    start = time.time()
    response = await call_next(request)
    elapsed = time.time() - start
    logger.info("%s %s %s %.3fs", request.method, request.url.path, response.status_code, elapsed)
    return response
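The prompt asked for JWT verification, but the generated service only imports `jwt` and never checks a token. The block below is an added example, not part of the original page or of any FastAPI or PyJWT code: a standard-library HS256 verifier that makes each check explicit, namely algorithm pinning, constant-time signature comparison, `exp`/`nbf` handling and an audience check. The secret key, the expected audience and the sample claims are constructed for the example; `authorize()` shows what a FastAPI dependency would do with the `Authorization` header value. In a real service you would call PyJWT's `jwt.decode(token, key, algorithms=["HS256"], audience=...)`, which performs the same checks.

```python
# Added example: minimal HS256 JWT verification with the checks a protected endpoint needs.
# Not the page's code; uses only the standard library so it runs offline.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-secret-change-me"  # assumption: shared HMAC key (constructed)
EXPECTED_AUD = "vibe-tutor-api"                     # assumption: audience this API accepts
ALLOWED_ALGS = {"HS256"}                            # algorithm pinning: never trust the token's "alg"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Issue a compact HS256 JWT. Only used here to build sample tokens for the demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised for any reason a token must be rejected; a dependency would map this to HTTP 401."""


def verify_token(token: str, key: bytes = SECRET_KEY, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, otherwise raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("undecodable header or payload")
    # 1. Pin the algorithm. Tokens claiming "none" or any other algorithm are rejected outright.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("algorithm not allowed")
    # 2. Verify the signature (constant-time compare) before acting on any claim.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    # 3. Time-based claims: exp is mandatory here, nbf is honoured when present.
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    # 4. Audience: a token minted for another service must not be accepted by this one.
    if claims.get("aud") != EXPECTED_AUD:
        raise TokenError("wrong audience")
    return claims


def authorize(authorization_header: Optional[str]) -> dict:
    """What a FastAPI dependency would do with the raw Authorization header value."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        raise TokenError("missing bearer token")
    return verify_token(authorization_header[len("Bearer "):])
```

The order of the checks matters: the algorithm is pinned and the signature verified before `exp`, `nbf` or `aud` are read, so no claim from an unverified token ever influences control flow.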

Course Summary

Web Security complete!

  • ✅ OWASP Top 10
  • ✅ SQL injection defences
  • ✅ XSS + CSP
  • ✅ CSRF + SameSite
  • ✅ Hands-on secure API

Unlock the full tutorial content

This chapter is paid content. Join the project to unlock more than 5,000 characters of in-depth analysis, including over 10 god-tier prompts and real source-code examples!