
๐Ÿ Python, FastAPI, and Django Security Review Guide

Intro: Python stacks are productive and easy to expose through APIs, admin interfaces, and automation jobs. The security review should focus on where framework safety ends and project-specific risk begins.

What this page includes

  • framework-aware review points for Django and FastAPI
  • common authorization, serialization, and admin mistakes
  • release criteria for Python-based services
  • prompts for reviewers and maintainers

Django review focus

Inspect:

  • admin exposure and role scoping;
  • CSRF and trusted origin configuration for forms and admin actions;
  • unsafe serializer or model exposure patterns;
  • file upload and media serving boundaries;
  • host, proxy, and allowed-origin assumptions;
  • management endpoints and debug behaviors.
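The host, proxy, CSRF-origin and debug points above can be checked mechanically before a human reads the code. The linter below is an added example, not Django's own code or this guide's tooling: it models `settings.py` as a plain dict so it runs without Django installed, and the weak and hardened settings it is run against are constructed for illustration.

```python
# Added example: review-time audit of Django settings. Not Django's code; the
# settings are modelled as a dict and the sample values below are constructed.
from typing import Any, Dict, List


def audit_settings(settings: Dict[str, Any]) -> List[str]:
    """Return findings a reviewer should challenge before release."""
    findings: List[str] = []

    # Debug behaviours: tracebacks expose settings, SQL and local variables.
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True: tracebacks and settings values are shown to clients")

    # Host assumptions: an empty list or '*' turns off Host header validation.
    hosts = settings.get("ALLOWED_HOSTS", [])
    if not hosts or "*" in hosts:
        findings.append("ALLOWED_HOSTS is empty or contains '*': Host header is not validated")

    # CSRF trusted origins need a scheme (Django 4.0+) and should be HTTPS only.
    for origin in settings.get("CSRF_TRUSTED_ORIGINS", []):
        if "://" not in origin:
            findings.append(f"CSRF_TRUSTED_ORIGINS entry {origin!r} has no scheme (required since Django 4.0)")
        elif not origin.startswith("https://"):
            findings.append(f"CSRF_TRUSTED_ORIGINS entry {origin!r} trusts a non-HTTPS origin")

    # Proxy assumptions: these settings trust forwarded headers, so the proxy
    # must overwrite them on every request or a client can set them directly.
    if settings.get("SECURE_PROXY_SSL_HEADER"):
        findings.append("SECURE_PROXY_SSL_HEADER is set: confirm the proxy overwrites that header on every request")
    if settings.get("USE_X_FORWARDED_HOST", False):
        findings.append("USE_X_FORWARDED_HOST is True: confirm the proxy sets X-Forwarded-Host itself")

    # Session and CSRF cookies default to non-secure in Django.
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(name, False):
            findings.append(f"{name} is not True: cookie can be sent over plaintext HTTP")

    return findings


# Constructed sample: the kind of settings a development project ships with.
WEAK_SETTINGS: Dict[str, Any] = {
    "DEBUG": True,
    "ALLOWED_HOSTS": ["*"],
    "CSRF_TRUSTED_ORIGINS": ["example.com", "http://legacy.example.com"],
    "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
}

# Constructed sample: the same project after the review.
HARDENED_SETTINGS: Dict[str, Any] = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["app.example.com"],
    "CSRF_TRUSTED_ORIGINS": ["https://app.example.com"],
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {len(audit_settings(cfg))} finding(s)")
        for line in audit_settings(cfg):
            print("  -", line)
```

The proxy findings are deliberately "confirm" items rather than failures: whether `SECURE_PROXY_SSL_HEADER` is safe depends on the reverse proxy in front of Django, which a settings file cannot show, so the reviewer has to look at the deployment.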

FastAPI review focus

Inspect:

  • OAuth2 scope design and actual server-side enforcement;
  • dependency injection paths that may bypass authorization checks;
  • generated API docs exposure;
  • validation gaps between Pydantic models and real business rules;
  • background tasks and webhook receivers with weak verification.
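Two of the FastAPI points above, scope enforcement that actually happens server-side and webhook receivers that verify what they receive, come down to a few lines that reviewers should expect to find. The helpers below are an added example, not FastAPI's code or this guide's; they are framework-independent so they run on their own, and in a real service would be called from a `Depends()` dependency. The header names, the five-minute replay window, the secret and the sample payload are this example's assumptions.

```python
# Added example: server-side OAuth2 scope check and webhook signature
# verification as plain functions. Not FastAPI's code; secret, window and
# sample payload are constructed for illustration.
import hashlib
import hmac
import time
from typing import Iterable, Optional, Set


class AuthorizationError(Exception):
    """Raised when the caller lacks a required scope."""


def require_scopes(granted: Iterable[str], required: Iterable[str]) -> Set[str]:
    """Require every scope in `required`, not just any one of them.

    `granted` must come from a token the server has already validated
    (signature, issuer, expiry). Scopes named in the request body or a query
    parameter are client claims and are never an input here.
    """
    missing = set(required) - set(granted)
    if missing:
        raise AuthorizationError(f"missing scopes: {sorted(missing)}")
    return set(required)


REPLAY_WINDOW_SECONDS = 300  # assumed tolerance for clock skew and retries


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Signature a trusted sender attaches: HMAC over timestamp and raw body."""
    message = f"{timestamp}.".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook_weak(secret: bytes, body: bytes, signature: str) -> bool:
    """The pattern to flag in review: no timestamp, so any captured delivery
    replays forever, and `==` compares in non-constant time."""
    return hashlib.sha256(secret + body).hexdigest() == signature


def verify_webhook(secret: bytes, body: bytes, timestamp_header: str,
                   signature_header: str, now: Optional[float] = None) -> bool:
    """Hardened form: bind the timestamp, bound its age, compare in constant time."""
    try:
        ts = int(timestamp_header)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_webhook(secret, ts, body)
    return hmac.compare_digest(expected, signature_header)


if __name__ == "__main__":
    secret = b"constructed-webhook-secret"      # constructed sample
    body = b'{"event":"invoice.paid","id":"inv_1"}'  # constructed sample
    ts = 1_700_000_000
    sig = sign_webhook(secret, ts, body)
    print("fresh delivery:", verify_webhook(secret, body, str(ts), sig, now=ts + 10))
    print("stale delivery:", verify_webhook(secret, body, str(ts), sig, now=ts + 3600))
    print("scopes ok:", require_scopes(["read", "write"], ["read"]))
```

The timestamp is verified with the raw request bytes, not a re-serialised JSON object; a receiver that parses first and re-encodes before hashing will reject legitimate deliveries whenever key order or whitespace differs, and teams often "fix" that by removing the check.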

Release criteria

Require evidence that:

  • object ownership is verified server-side for critical endpoints;
  • privileged admin or maintenance routes are separated and logged;
  • API docs, debug features, and health endpoints are intentionally exposed rather than accidentally reachable;
  • file processing and retrieval paths are tenant-safe.
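The first and last criteria above (server-side ownership checks and tenant-safe file paths) are usually the same code path: look the object up by id, decide access from the stored record rather than from anything in the request, and only then map it to a filesystem location that cannot leave the tenant's directory. The functions below are an added example, not Django's, FastAPI's or this guide's own code; the record store, media root layout, tenant ids and the path-escaping filename are constructed for illustration.

```python
# Added example: object ownership and tenant-safe file retrieval as plain
# functions. Not framework code; records, media root and ids are constructed.
import os
from dataclasses import dataclass
from typing import Dict


class Forbidden(PermissionError):
    """Raised for cross-tenant, non-owner or path-escaping requests."""


@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: str
    is_admin: bool = False


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    tenant_id: str
    filename: str  # stored at <media_root>/<tenant_id>/<filename>


def authorize_document(caller: Caller, doc: Document) -> Document:
    """Decide access from the stored record; the request never supplies tenant or owner."""
    if doc.tenant_id != caller.tenant_id:
        raise Forbidden("cross-tenant access")
    if doc.owner_id != caller.user_id and not caller.is_admin:
        raise Forbidden("caller is not the owner")
    return doc


def resolve_tenant_file(media_root: str, tenant_id: str, filename: str) -> str:
    """Map a stored filename to a path inside the tenant directory or refuse.

    Works on normalised paths only, so it runs without the files existing.
    """
    tenant_dir = os.path.normpath(os.path.join(media_root, tenant_id))
    candidate = os.path.normpath(os.path.join(tenant_dir, filename))
    # An absolute filename replaces tenant_dir in join(); '..' segments are
    # collapsed by normpath. Either way the candidate must still sit under tenant_dir.
    if candidate == tenant_dir or os.path.commonpath([tenant_dir, candidate]) != tenant_dir:
        raise Forbidden("path escapes tenant directory")
    return candidate


def fetch_document_path(caller: Caller, doc_id: str,
                        store: Dict[str, Document], media_root: str) -> str:
    """The endpoint's core: lookup, ownership check, then path resolution."""
    doc = store.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    authorize_document(caller, doc)
    # tenant_id comes from the record, which authorize_document has matched to the caller.
    return resolve_tenant_file(media_root, doc.tenant_id, doc.filename)


# Constructed sample store and media root.
MEDIA_ROOT = "/srv/media"
STORE: Dict[str, Document] = {
    "doc1": Document("doc1", owner_id="u1", tenant_id="t1", filename="report.pdf"),
    "doc2": Document("doc2", owner_id="u1", tenant_id="t2", filename="other.pdf"),
    "doc3": Document("doc3", owner_id="u1", tenant_id="t1", filename="../../etc/passwd"),
}

if __name__ == "__main__":
    print(fetch_document_path(Caller("u1", "t1"), "doc1", STORE, MEDIA_ROOT))
    for who, doc_id in ((Caller("u2", "t1"), "doc1"), (Caller("u1", "t1"), "doc2"), (Caller("u1", "t1"), "doc3")):
        try:
            fetch_document_path(who, doc_id, STORE, MEDIA_ROOT)
        except Forbidden as e:
            print(f"{who.user_id} -> {doc_id}: refused ({e})")
```

`doc3` shows why the path check belongs at the release gate even when upload validation exists: the stored filename may have been written by an older code path or a different service, so retrieval must enforce the boundary itself rather than trust that the database row is clean.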

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.