FastAPI default configuration leaks traffic information to multiple third parties


First check

  • I added a very descriptive title to this issue.
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the FastAPI documentation, with the integrated search.
  • I already searched in Google "How to X in FastAPI" and didn't find any information.
  • I already read and followed all the tutorial in the docs and didn't find an answer.
  • I already checked if it is not related to FastAPI but to Pydantic.
  • I already checked if it is not related to FastAPI but to Swagger UI.
  • I already checked if it is not related to FastAPI but to ReDoc.
  • After submitting this, I commit to one of:
    • Read open issues with questions until I find 2 issues where I can help someone and add a comment to help there.
    • I already hit the "watch" button in this repository to receive notifications and I commit to help at least 2 people that ask questions in the future.
    • Implement a Pull Request for a confirmed bug.

Example

from fastapi import FastAPI

app = FastAPI()

Description

  • Visiting /docs or /redocs in the example application leaks browser fingerprint, IP address and referer headers to multiple third party sites.

  • Using the documentation offline is impossible by default.

Environment

  • FastAPI 0.62.0

  • Python 3.8

Additional context

The FastAPI integrated documentation, which is pretty much its headline feature, by default depends on:

  • a favicon loaded from tiangolo.com
  • Javascript libraries loaded from jsdelivr.net

This leaks internal hostnames to two third party sites, in addition to creating an artificial dependency on working DNS, SSL and networking to any FastAPI application. Per #382, although it is possible to self-host, the procedure involved is significantly less than convenient, sufficiently so that an alternative solution may be preferred over FastAPI.

There are two major problems with this default that would induce me to vocally discourage further use of the framework internally:

  • Security-wise it is a huge red flag, and makes it factual to say that FastAPI is not secure by default. One must wonder what else there is to discover about FastAPI or its choice of dependencies, that the average user has no time to discover.

  • The favicon in particular amounts to an undocumented web stats tracker embedded in every FastAPI application. It does not matter whether the traffic logs on the server side are treated in this manner, the existence of the tracker is completely unacceptable. Accidental conveniences like this are far too common on the web to be treated as unintentional.

I would be willing to submit a PR to reduce https://fastapi.tiangolo.com/advanced/extending-openapi/#self-hosting-javascript-and-css-for-docs to a one-liner, but would be even happier to produce a PR making it the default behaviour. Since the latter case would require a new dependency on aiofiles, perhaps it is worth discussing first if there is any interest from the project.