Full Web Apps with FastAPI Transcripts
Chapter: Deploying FastAPI on Linux with gunicorn and nginx
Lecture: Beware of the docs

0:00 Now, before we jump into actually seeing the deployment of the weather application, I do wanna show you something that can be super, super important.
0:08 A security issue, if you will, at least usability issue, potentially a security issue for your web application.
0:15 So let's go over here first and look at weather.talkpython.fm. Remember, this is an API endpoint,
0:22 and it does just arbitrary http exchanges to URLs that are not necessarily obvious. And so to help people consume this
0:30 API, FastAPI automatically builds a really cool set of documentation. That's not obvious, so if you go to a FastAPI app and you
0:39 type "/docs", check out what you get. Here's our one endpoint "/api/weather",
0:46 and if we scroll down, there's all these different things that are exchanged. Like here's a forecast, and the forecast has wind,
0:51 which is made up of this stuff. Now if we actually go and click on this, it'll let us explore it, to try it out, so we could put in like
0:59 Portland. We could type in something there, and it shows you what the response is gonna be. Like look down here you have this.
1:05 Oh, what you're gonna get back, it's gonna have a weather, the description and category, the wind, the units, the forecast and so on.
1:13 These are the type of errors that you might expect, some kind of validation. Well this is cool, I mean it's really cool for this
1:19 API, you know what? Our web app has this too. Watch this. So we come over here and say "/docs" and look at that.
1:30 It's every endpoint in our application, now many of these are public, and it's totally fine. But some of them might not be.
1:37 What if we had a special, supposed to not be public, semi-secret admin section? Or we had other things that maybe we use,
1:44 but we don't really want people to know about? You wanna show those here?
1:47 Do you really want a form that lets people just arbitrarily post stuff over to the
1:51 registration? Probably not. So there are two things that we can do to make this not show up for our website. It makes sense for an API
2:00 but it doesn't make sense for a website. So if we come over here, the easiest and quickest thing to do.
2:05 Remember, there's a ton of options when you create this FastAPI instance. One of them is the docs_url,
2:12 we can say that's None and the redoc_url, we also say that's None. So this means just turn off the documentation entirely. I want this all to go away.
2:21 So now if we go back to our site like this and we try "/docs", 404, there are no docs, cannot do this, forget it, no docs for you.
2:32 It could be that the reason you're using FastAPI is, most of this is a website, but there's some really cool APIs and you would still like that
2:39 cool documentation for the APIs but not for the website. So we can do a slightly less intense thing over here.
2:49 We can go down to our views and let's say we just want home and about to show up. We want those to be part of our documented API.
2:57 Of course that doesn't make sense, but let's just say so. What we can do is we can go to these
3:01 others where we have our router, our app, and we can say include_in_schema is False. That means exclude this endpoint from that docs
3:11 URL. Let's do that for account as well. Now just put it on every single router.get, router.post. It's getting include_in_schema = False.
3:25 Remember, our decision was to say, well let's have the packages and account stuff hidden, but let's actually have this part
3:31 of our endpoint. Now, like I said, doesn't make sense. But if you had special API endpoints like we kind of touched on potentially over there,
3:38 then this was how you would do it. Let's go back here and try our "/docs" again. And yes, we have docs,
3:45 but only two. Only the two that we did not exclude. One for getting the "/" and one for getting home slash index, home slash about,
3:54 the others are gone. But it's really important that if you don't want these HTML views to be listed and shown on your site,
4:02 I cannot think why you would ever want that. You very unlikely, very unlikely you want that. You want to hide them, either the safest way to do it,
4:11 is to just blast them out like this. Or if you do have APIs, you wanna be careful about that, then you can go through and just exclude everything
4:19 you want to be hidden. That's it. Just make sure you address this before you put it on the Internet.
4:24 Otherwise, you might find people poking around in places you didn't know that they would find

