Full Web Apps with FastAPI Transcripts
Chapter: Deploying FastAPI on Linux with gunicorn and nginx
Lecture: Beware of the docs
0:00 Now, before we jump into actually see deploying the weather application,
0:04 I do wanna show you something that can be super, super important.
0:07 A security issue, if you will,
0:10 at least usability issue, potentially a security issue for your web application.
0:14 So let's, let's go over here first and look at whether.talkpython.fm
0:19 Remember, this is an API endpoint,
0:21 and it does just arbitrary http exchanges to URLs that are not necessarily obvious.
0:27 And so to help people consume this
0:29 API, FastAPI automatically builds a really cool set of documentation.
0:35 That's not obvious, so if you go to a FastAPI app and you
0:38 type "/docs", check out what you get.
0:41 Here's our one endpoint "/api/weather",
0:45 and if we scroll down, there's all these different things that are exchanged.
0:48 Like here's a forecast, and the forecast has wind,
0:50 which is made up of this stuff.
0:52 Now if we actually go and click on this,
0:54 it'll let us explore it, to try it out, so we could put in like
0:58 Portland. We could type in something there,
1:00 and it shows you what the response is gonna be. Like
1:03 look down here you have this.
1:04 Oh, what you're gonna get back, it's gonna have a weather.
1:07 the description and category, the wind,
1:09 the units, the forecast and so on.
1:12 These are the type of errors that you might expect, some kind of validation.
1:15 Well this is cool, I mean it's really cool for this
1:18 API, you know what? our web app has this too. Watch this.
1:26 So we come over here and say "/docs" and look at that.
1:29 It's every endpoint in our application, now many of these are public,
1:33 and it's totally fine. But some of them might not be.
1:36 What if we had a special, supposed to not be public,
1:39 semi secret admin section? or we had other things that maybe we use,
1:43 but we don't really want people to know about?
1:45 You wanna show those here?
1:46 Do you really want a form that lets people just arbitrarily post stuff over to the
1:50 registration? Probably not. So there's two things that we can do to make this
1:55 not show up for our website.
1:57 It makes sense for an API
1:59 but it doesn't make sense for a website.
2:01 So if we come over here,
2:03 the easiest and quickest thing to do.
2:04 Remember, there's a ton of options when you create these FastAPI instance.
2:09 One of them is the docs_url,
2:11 we can say that's None and the redoc_url, we also say
2:15 that's None. So this means just turn off the documentation entirely.
2:19 I want this all to go away.
2:20 So now if we go back to our site like this and we try "/docs",
2:27 404, there are no docs, can not do this,
2:29 forget it, no docks for you.
2:31 It could be that the reason you're using FastAPI is, most of this is
2:35 a website, but there's some really cool APIs and you would still like that
2:38 cool documentation for the APIs
2:40 but not for the website.
2:42 So we can do a slightly less intense thing over here.
2:48 We can go down to our views and let's say we just want home and about to show
2:53 up. We want those to be part of our documented API.
2:56 Of course that doesn't make sense,
2:57 but let's just say so. What we can do is we can go to these
3:00 others where we have our router, our app, and we can say include_in_schema is
3:05 False. That means exclude this endpoint from that docs
3:10 URL. Let's do that for account as well.
3:15 Now just put it on every single router.get, router.post.
3:18 It's getting include_in_schema = False.
3:24 Remember, our decision was to say,
3:26 well let's have the packages and account stuff hidden, but let's actually have this part
3:30 of our endpoint. Now, like I said,
3:32 doesn't make sense. But if you had special API endpoints like we
3:35 kind of touched on potentially over there,
3:37 then this was how you would do it.
3:39 Let's go back here and try our "/docs" again.
3:43 And yes, we have docs,
3:44 but only two. Only the two that we did not exclude.
3:48 One for getting the "/" and one for getting home slash index, home slash about,
3:53 the others are gone. But it's really important that if you don't want this html
3:57 views to be listed and shown on your site,
4:01 I cannot think why you would ever want that.
4:03 You very unlikely, very unlikely
4:05 you want that. You want to hide them, either the safest way to do it,
4:10 is to just blast them out like this.
4:12 Or if you do have APIs, you wanna be careful about that,
4:15 then you can go through and just exclude everything
4:18 you want to be hidden. That's it.
4:20 Just make sure you address this before you put it on the Internet.
4:23 Otherwise, you might find people poking around in places you didn't know that they would find