FastAPI app constructed with debug=True
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
FastAPI(debug=True) makes Starlette return a full HTML traceback, including source snippets and local variable values, for any unhandled exception. Left on in production this hands an attacker a map of the codebase on the first error they can trigger.
Why it matters
FastAPI(debug=True) makes Starlette return a full HTML traceback for any unhandled exception, including the exact source lines and local variable values at each frame. Any request that manages to trigger an unhandled error, which is often easy to find by fuzzing input, hands the requester a detailed map of your code, file paths, and possibly live secrets sitting in local variables.
How to fix it
Remove debug=True from the FastAPI() constructor in anything that runs in production, and drive it from an environment variable instead (debug=os.getenv("ENV") == "development") if you want it on locally. Add exception handlers via @app.exception_handler(Exception) that log the full error server-side and return a generic message to the client.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo