Hands-on: Secure API Implementation
Vibe Prompt
"Build me a secure FastAPI service: add rate limiting, CORS, JWT verification, input validation, and request logging."
from fastapi import FastAPI, Request
from fastapi.middleware.cors import CORSMiddleware
from pydantic import BaseModel, EmailStr, validator
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address
import logging, re, time
import psycopg2

logger = logging.getLogger("api")
app = FastAPI(title="安全 API 範例")
limiter = Limiter(key_func=get_remote_address)
app.state.limiter = limiter
# Answer with 429 instead of an unhandled exception when a limit is exceeded
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

# CORS: explicit allow-list of origins, methods and headers (never "*" together with credentials)
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://vibe-tutor.com"],
    allow_credentials=True,
    allow_methods=["GET", "POST"],
    allow_headers=["Authorization", "Content-Type"],
)

# Rate limiting: slowapi requires the `request: Request` parameter to key the limit on the client address
@app.get("/api/public")
@limiter.limit("10/minute")
async def public_endpoint(request: Request):
    return {"message": "公開端點"}

# Input validation
class UserCreate(BaseModel):
    email: EmailStr
    name: str
    age: int

    @validator('age')
    def validate_age(cls, v):
        if v < 0 or v > 150:
            raise ValueError('年齡無效')
        return v

    @validator('name')
    def sanitize_name(cls, v):
        # Strip characters commonly used in XSS payloads; output encoding when the
        # value is rendered remains the primary XSS defence
        return re.sub(r'[<>"]', '', v)

@app.post("/api/users", status_code=201)
async def create_user(user: UserCreate):
    # Parameterised query: user-supplied values are passed separately from the SQL text
    conn = psycopg2.connect("dbname=test")
    try:
        # The connection context commits on success and rolls back on error
        with conn, conn.cursor() as cur:
            cur.execute(
                "INSERT INTO users (email, name, age) VALUES (%s, %s, %s)",
                (user.email, user.name, user.age),
            )
    finally:
        conn.close()
    return {"status": "ok"}

# Request logging
@app.middleware("http")
async def log_requests(request: Request, call_next):
    start = time.time()
    response = await call_next(request)
    elapsed = time.time() - start
    logger.info("%s %s %s %.3fs", request.method, request.url.path, response.status_code, elapsed)
    return response
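The prompt asks for JWT verification, but the generated service above never checks a token. The following is an added, stand-alone example (not code from the page or from FastAPI/slowapi) of the checks a bearer-token verifier must perform before trusting any claim: pin the algorithm, compare the HMAC in constant time, and enforce `exp`. The secret and claims are constructed for the example, and `mint_token` exists only to produce fixtures; a real service would load the secret from configuration and reject tokens at a dependency before the route body runs.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed for this example; never hard-code in real code

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT; used here only to build fixtures for the verifier."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims only if the token is well-formed, signed with HS256 under
    `secret`, and not expired. Raises ValueError on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # Pin the algorithm server-side: never honour `alg` from the token itself,
    # which rejects alg=none and algorithm-confusion tokens outright
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many signature bytes matched
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    current = now if now is not None else time.time()
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def is_valid(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> bool:
    """Boolean convenience wrapper around verify_token."""
    try:
        verify_token(token, secret, now)
        return True
    except ValueError:
        return False
```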
Course Summary
Web Security complete!
- ✅ OWASP Top 10
- ✅ SQL injection defences
- ✅ XSS + CSP
- ✅ CSRF + SameSite
- ✅ Secure API hands-on
Chapter Summary
- Understand the core concepts and principles
- Master the implementation methods and techniques
- Be familiar with common problems and their solutions
- Be able to apply them in real projects
Further Reading
- Official documentation and API references
- Example open-source projects on GitHub
- Related technical books and courses
- Community discussions and technical blogs