Http Request Smuggling in Fastapi with Basic Auth

HTTP Request Smuggling arises from discrepancies in how a frontend proxy (load balancer, API gateway, or WSG/ASGI server) and the application parse HTTP message boundaries, typically involving Content-Length versus Transfer-Encoding headers. In FastAPI, which runs on Starlette/Uvicorn, the framework relies on the underlying server for initial header parsing. When Basic Authentication is enforced via middleware or dependency injection before routing, the request may still reach the application after the proxy has already processed or misinterpreted the body boundaries.

Consider a setup where a reverse proxy uses Content-Length to delimit requests while FastAPI/Starlette processes Transfer-Encoding: chunked due to a misconfigured or chained proxy. An attacker can craft two requests smuggled together: the first a legitimate authenticated request with Basic Auth credentials, and the second a malicious request targeting an internal endpoint that assumes the user is already authenticated. Because the proxy and application disagree on request boundaries, the second request is processed in the context of the first user’s session, bypassing intended isolation. This exposes unauthenticated attack surface if the scanner probes an endpoint that should require authentication but is reached via a smuggled path.

With Basic Auth, credentials are passed in the Authorization header (Basic base64(username:password)). If the smuggling mismatch causes the application to accept a request where the Authorization header is interpreted differently by the proxy and the app, an attacker may inject headers or change the effective target. For example, a PROPFIND or other method allowed at the proxy but not by FastAPI’s routes can be smuggled through, and the Basic Auth header may be retained or stripped inconsistently. The scanner’s unauthenticated checks might then see an endpoint as open when it should require credentials, or observe reflected secrets in error messages that should be hidden behind authentication.

Because middleBrick tests the unauthenticated attack surface, it can detect endpoints that respond without proper authentication when accessed via ambiguous request boundaries. The 12 security checks run in parallel, and findings such as BOLA/IDOR or Property Authorization may surface when a smuggled request reveals data or actions not intended for anonymous clients. The scanner does not fix the parsing mismatch but highlights where responses differ based on header smuggling, enabling you to correlate runtime behavior with spec definitions from an OpenAPI/Swagger spec that includes security schemes like httpBasic.

Remediation centers on ensuring consistent request parsing and strict authentication enforcement so that smuggled requests cannot change the effective identity or target. Use explicit security schemes in your OpenAPI definition and validate credentials before routing. Below are concrete FastAPI examples that align with remediation guidance you can reference in reports and compliance mappings to frameworks like OWASP API Top 10 and SOC2.

Example 1: Explicit HTTP Basic Auth dependency with strict header handling

from fastapi import FastAPI, Depends, HTTPException, Security, status
from fastapi.security import HTTPBasic, HTTPBasicCredentials
import secrets

app = FastAPI()
security = HTTPBasic()

def get_current_user(credentials: HTTPBasicCredentials = Security(security)):
    # Use constant-time comparison to mitigate timing attacks
    correct_username = secrets.compare_digest(credentials.username, "admin")
    correct_password = secrets.compare_digest(credentials.password, "s3cr3t")
    if not (correct_username and correct_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid credentials",
            headers={"WWW-Authenticate": "Basic"},
        )
    return credentials.username

@app.get("/secure")
async def read_secure(user: str = Security(get_current_user)):
    return {"message": f"Hello, {user}"}

Example 2: Enforce HTTPS and avoid forwarding ambiguity via middleware

from fastapi import FastAPI, Request
from fastapi.middleware import Middleware
from fastapi.middleware.trustedhost import TrustedHostMiddleware
from starlette.middleware.base import BaseHTTPMiddleware
import re

class HeaderNormalizationMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
        # Reject requests that mix Transfer-Encoding and Content-Length
        te = request.headers.get("transfer-encoding")
        cl = request.headers.get("content-length")
        if te and cl:
            raise HTTPException(status_code=400, detail="Conflicting headers")
        # Normalize known smuggling indicators
        # (example: drop suspiciously duplicated headers)
        response = await call_next(request)
        return response

app = FastAPI(middleware=[Middleware(HeaderNormalizationMiddleware)])

@app.get("/items/{item_id}")
async def read_item(item_id: int, x_api_key: str = Header(None)):
    if not x_api_key or not x_api_key.startswith("Bearer "):
        raise HTTPException(status_code=403, detail="API key required")
    return {"item_id": item_id}

Remediation checklist specific to smuggling + Basic Auth

• Ensure your proxy and application agree on Content-Length/Transfer-Encoding parsing; disable chunked encoding at the proxy if not required.
• Validate the Authorization header on every route that requires authentication and do not rely solely on proxy-level enforcement.
• Use HTTPS to prevent credential leakage in transit and to reduce header manipulation opportunities.
• Apply consistent host and header validation middleware to reject malformed or ambiguous requests before routing.
• Map findings to compliance frameworks: OWASP API Top 10 (2023) API1:2023 Broken Object Level Authorization and API5:2023 Security Misconfiguration, PCI-DSS Req 6.5, SOC2 CC6.1.

By combining explicit security dependencies, header normalization, and OpenAPI spec validation, you reduce the risk that a smuggled request can change authentication context or target. middleBrick can highlight mismatches between spec-defined security schemes and runtime behavior, supporting your remediation and compliance reporting.