Pii Leakage in Fastapi with Basic Auth

Basic Authentication in FastAPI transmits credentials in an Authorization header as a base64-encoded string that is easily decoded. Because base64 is reversible and not encrypted, credentials are exposed in transit without transport-layer protection if TLS is absent or misconfigured. This places username and password at risk of interception and contributes directly to PII leakage when the same credentials are reused or linked to user records.

In FastAPI applications that rely solely on Basic Auth without additional protections, developers may inadvertently expose PII through multiple pathways. For example, if route handlers log incoming headers for debugging, the Authorization header containing credentials can be written to logs and persisted in log aggregation systems. Log files that are not properly restricted become a storage location for PII, and access to these logs can lead to credential compromise. MiddleBrick detects system prompt leakage and output anomalies; for API security, it similarly flags insecure authentication transports and unsafe logging practices that can expose PII.

Another vector involves error messages and stack traces. FastAPI’s default exception handlers may return detailed errors in responses when authentication fails or when request parsing encounters issues. If those responses include references to usernames, emails, or other user metadata, they constitute PII leakage in error payloads. Attackers can use these messages to enumerate valid users or infer relationships between API consumers and data subjects. The 12 security checks in MiddleBrick run in parallel and include Data Exposure and Input Validation assessments, which help identify such leakage paths in unauthenticated scans.

Middleware and proxy configurations can exacerbate the risk. When FastAPI sits behind a reverse proxy or load balancer that terminates TLS but forwards requests over HTTP internally, the Authorization header can traverse internal networks unprotected. If internal logging, monitoring, or microservice communication captures these headers, PII is effectively exposed within the infrastructure. MiddleBrick’s unauthenticated black-box scanning tests the external attack surface and can surface weak transport configurations that facilitate PII leakage even when authentication is present.

Finally, specification-driven tools like MiddleBrick analyze OpenAPI and Swagger definitions with full $ref resolution and cross-reference them with runtime findings. If the spec describes Basic Auth over non-HTTPS or omits security schemes correctly, the documentation itself becomes an indicator of risk. By combining spec analysis with checks on Authentication, Data Exposure, and Encryption, MiddleBrick provides prioritized findings with severity ratings and remediation guidance to address PII leakage stemming from Basic Auth deployments.

To mitigate PII leakage when using Basic Auth in FastAPI, enforce HTTPS everywhere and avoid logging sensitive headers. Combine transport security with strict validation and secure handling of credentials. Below are concrete code examples demonstrating secure patterns.

First, ensure your application requires HTTPS in production by using a middleware that rejects HTTP requests or redirects them to HTTPS. While this does not encrypt the credentials by itself, it works alongside TLS termination at the proxy or load balancer to protect the Authorization header in transit.

from fastapi import FastAPI, Request, HTTPException
from fastapi.responses import JSONResponse

app = FastAPI()

@app.middleware("http")
async def enforce_https(request: Request, call_next):
    if not request.url.scheme == "https":
        return JSONResponse(
            status_code=400,
            content={"detail": "HTTPS is required"},
        )
    response = await call_next(request)
    return response

Second, avoid logging Authorization headers. Configure logging filters to scrub sensitive headers before they are written to disk or external services.

import logging

class SensitiveHeaderFilter(logging.Filter):
    def filter(self, record):
        # Prevent Authorization headers from being logged in messages
        if hasattr(record, "message"):
            record.msg = record.msg.replace("Authorization", "[REDACTED]")
        return True

logger = logging.getLogger("api_logger")
logger.addFilter(SensitiveHeaderFilter())

Third, use HTTPException with generic messages for authentication failures to prevent user enumeration via error details. Do not include usernames or emails in the response body.

from fastapi.security import HTTPBasic, HTTPBasicCredentials
from fastapi import Depends, Security
import secrets

security = HTTPBasic()

def get_current_user(credentials: HTTPBasicCredentials = Security(security)):
    user = verify_user(credentials.username, credentials.password)
    if user is None:
        raise HTTPException(status_code=401, detail="Invalid credentials")
    return user

Finally, if possible, migrate from Basic Auth to more secure mechanisms such as OAuth2 with scopes or session-based authentication that do not repeatedly transmit reusable credentials. When Basic Auth is unavoidable, rotate credentials frequently and monitor for anomalous access patterns using tools that integrate with your CI/CD pipeline, such as the MiddleBrick GitHub Action, which can fail builds if security scores drop below your defined threshold.