FastAPI + Postgres + Render security playbook

A fast Python stack for apps heavy on AI features. Auth boundary: Depends(get_current_user) on every protected route. SQL boundary: never a raw text() query without parameter binding.

What breaks on this stack

Route without Depends(get_current_user)

Forgetting the auth dependency ships unauthenticated.
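Because the failure is a forgotten dependency rather than a bug in one, it is worth catching mechanically before shipping. The following is an added example, not code from the playbook: a stdlib-only lint that parses a router module with `ast` and reports route handlers that neither take `Depends(get_current_user)` as a parameter default nor list it under the decorator's `dependencies=`. The sample module, the `PUBLIC_PATHS` allow-list and the `AUTH_DEPENDENCY` name are constructed for the demo; point it at your own `app/routers/*.py` files instead.

```python
# Added example (not from the playbook): a pre-ship lint that flags FastAPI
# route handlers declared without the auth dependency. Uses only the stdlib.
import ast
from typing import List, Optional, Tuple

# Constructed sample module, standing in for a file under app/routers/.
SAMPLE_SOURCE = '''
from fastapi import APIRouter, Depends
from app.auth import get_current_user

router = APIRouter()

@router.get("/health")
async def health():
    return {"ok": True}

@router.get("/orders/{id}")
async def read_order(id: int, user=Depends(get_current_user)):
    return {"id": id, "owner": user.id}

@router.post("/orders", dependencies=[Depends(get_current_user)])
async def create_order(payload: dict):
    return payload

@router.delete("/orders/{id}")
async def delete_order(id: int):
    return {"deleted": id}
'''

# Paths that are intentionally public; everything else must carry the dependency.
PUBLIC_PATHS = {"/health"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}
AUTH_DEPENDENCY = "get_current_user"  # assumed name of the app's auth dependency


def _route_path(decorator: ast.expr) -> Optional[str]:
    """Return the path string for @app.<method>("/path") decorators, else None."""
    if not isinstance(decorator, ast.Call):
        return None
    func = decorator.func
    if not (isinstance(func, ast.Attribute) and func.attr in HTTP_METHODS):
        return None
    if decorator.args and isinstance(decorator.args[0], ast.Constant):
        value = decorator.args[0].value
        if isinstance(value, str):
            return value
    return None


def _is_auth_depends(node: ast.AST) -> bool:
    """True for Depends(get_current_user) or fastapi.Depends(get_current_user)."""
    if not isinstance(node, ast.Call) or not node.args:
        return False
    func = node.func
    name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
    target = node.args[0]
    return name == "Depends" and isinstance(target, ast.Name) and target.id == AUTH_DEPENDENCY


def _has_auth_dependency(fn: ast.AST, decorator: ast.Call) -> bool:
    """Dependency may appear as a parameter default or in dependencies=[...]."""
    args = fn.args
    for default in list(args.defaults) + list(args.kw_defaults):
        if _is_auth_depends(default):  # kw_defaults may contain None; that is fine
            return True
    for kw in decorator.keywords:
        if kw.arg == "dependencies" and isinstance(kw.value, (ast.List, ast.Tuple)):
            if any(_is_auth_depends(elt) for elt in kw.value.elts):
                return True
    return False


def find_unprotected_routes(source: str) -> List[Tuple[str, str]]:
    """Return (path, handler_name) for non-public routes lacking the dependency."""
    findings: List[Tuple[str, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for decorator in node.decorator_list:
            path = _route_path(decorator)
            if path is None or path in PUBLIC_PATHS:
                continue
            if not _has_auth_dependency(node, decorator):
                findings.append((path, node.name))
    return findings


if __name__ == "__main__":
    for path, name in find_unprotected_routes(SAMPLE_SOURCE):
        print(f"UNPROTECTED {path} -> {name}")
```

Run it in CI and fail the build on any finding; the allow-list makes "this route is public" an explicit, reviewable decision rather than an omission.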

BOLA on path parameters

@app.get('/orders/{id}') without ownership check.

SQLAlchemy raw text() without parameters

session.execute(text(f'select ...{id}')) is SQL injection.
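The two previous items are one lookup done wrong in two ways and done right in one. Below is an added example, not code from the playbook: the same `/orders/{id}` query written with f-string interpolation and no ownership check, beside the hardened form that binds parameters and scopes the row to the caller. The stdlib `sqlite3` driver stands in for SQLAlchemy and psycopg because the bound-parameter shape is the same idea as `session.execute(text("... where id = :id"), {"id": id})`; the table and rows are constructed sample data.

```python
# Added example (not from the playbook): vulnerable vs hardened order lookup.
# sqlite3 stands in for SQLAlchemy/psycopg; the constructed table has three orders
# owned by two users.
import sqlite3
from typing import List, Optional, Tuple

Order = Tuple[int, int, str]  # (id, owner_id, item)


def seed_db() -> sqlite3.Connection:
    """Constructed sample data, in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table orders (id integer primary key, owner_id integer, item text)"
    )
    conn.executemany(
        "insert into orders values (?, ?, ?)",
        [(1, 100, "keyboard"), (2, 100, "monitor"), (3, 200, "laptop")],
    )
    return conn


def get_order_vulnerable(conn: sqlite3.Connection, order_id: str) -> List[Order]:
    # VULNERABLE on purpose: mirrors session.execute(text(f"select ... {id}")).
    # The id is spliced into the SQL text and no owner is checked, so a value
    # such as "1 OR 1=1" returns every row in the table.
    sql = f"select id, owner_id, item from orders where id = {order_id}"
    return conn.execute(sql).fetchall()


def get_order_for_user(
    conn: sqlite3.Connection, order_id: int, current_user_id: int
) -> Optional[Order]:
    # HARDENED: order_id is an int (FastAPI's `id: int` path param already rejects
    # non-integers with a 422), both values are bound by the driver, and the row
    # is scoped to the authenticated caller. A foreign order and a missing order
    # look identical (None), which the route should turn into a 404.
    sql = "select id, owner_id, item from orders where id = ? and owner_id = ?"
    return conn.execute(sql, (order_id, current_user_id)).fetchone()


if __name__ == "__main__":
    db = seed_db()
    print("vulnerable:", get_order_vulnerable(db, "1 OR 1=1"))   # all three rows
    print("hardened, own order:", get_order_for_user(db, 1, 100))
    print("hardened, someone else's:", get_order_for_user(db, 3, 100))
```

The ownership predicate lives in the query itself rather than in a post-fetch `if order.owner_id != user.id` check, so there is no window in which the handler holds a row it should not have and no way to forget the comparison on a new code path.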

Render env-group leaks

Env groups are shared across services, so one service's leaked secret exposes every service that reads the same group.

Pre-ship checklist

  • Depends(get_current_user) on every protected route
  • ownership check on every path param
  • SQLAlchemy uses parameter binding only
  • Render env groups scoped per service
  • psycopg connection pool sized
  • Render auto-deploy gated on tests passing

Starter config

# app/auth.py - canonical Depends pattern
from fastapi import Depends, HTTPException
from fastapi.security import OAuth2PasswordBearer
from app.models import User          # app-local; assumed to exist
from app.security import verify_jwt  # app-local; returns the User or None

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")  # extracts the bearer token

async def get_current_user(token: str = Depends(oauth2_scheme)) -> User:
    user = await verify_jwt(token)
    if not user:
        raise HTTPException(status_code=401, detail="unauthenticated")
    return user