Security Decorators¶
The decorators module provides route-level security controls that can be applied to individual FastAPI endpoints. These decorators offer fine-grained control over security policies on a per-route basis, complementing the global middleware security features.
Overview¶
Security decorators allow you to:
- Apply specific security rules to individual routes
- Override global security settings for specific endpoints
- Combine multiple security measures in a clean, readable way
- Implement behavioral analysis and monitoring per endpoint
Main Decorator Class¶
. SecurityDecorator¶
guard_core.decorators.SecurityDecorator(config)
¶
Bases: BaseSecurityDecorator, AccessControlMixin, RateLimitingMixin, BehavioralMixin, AuthenticationMixin, ContentFilteringMixin, AdvancedMixin
Source code in guard_core/decorators/base.py
The main decorator class that combines all security capabilities. This is the primary class you'll use in your application.
Example Usage:
from fastapi import FastAPI
from guard import SecurityConfig
from guard import SecurityDecorator
app = FastAPI()
config = SecurityConfig()
guard_deco = SecurityDecorator(config)
@app.get("/api/sensitive")
@guard_deco.rate_limit(requests=5, window=300)
@guard_deco.require_ip(whitelist=["10.0.0.0/8"])
@guard_deco.block_countries(["CN", "RU"])
def sensitive_endpoint():
return {"data": "sensitive"}
Base Classes¶
. BaseSecurityDecorator¶
guard_core.decorators.base.BaseSecurityDecorator(config)
¶
Source code in guard_core/decorators/base.py
agent_handler = None
instance-attribute
¶
behavior_tracker = BehaviorTracker(config)
instance-attribute
¶
config = config
instance-attribute
¶
get_route_config(route_id)
¶
initialize_agent(agent_handler)
async
¶
initialize_behavior_tracking(redis_handler=None)
async
¶
send_access_denied_event(request, reason, decorator_type, **metadata)
async
¶
Source code in guard_core/decorators/base.py
send_authentication_failed_event(request, reason, auth_type, **metadata)
async
¶
Source code in guard_core/decorators/base.py
send_decorator_event(event_type, request, action_taken, reason, decorator_type, **kwargs)
async
¶
Source code in guard_core/decorators/base.py
send_decorator_violation_event(request, violation_type, reason, **metadata)
async
¶
Source code in guard_core/decorators/base.py
send_rate_limit_event(request, limit, window, **metadata)
async
¶
Source code in guard_core/decorators/base.py
Base class providing core decorator functionality and route configuration management.
. RouteConfig¶
guard_core.decorators.base.RouteConfig()
¶
Source code in guard_core/decorators/base.py
allowed_content_types = None
instance-attribute
¶
api_key_required = False
instance-attribute
¶
auth_required = None
instance-attribute
¶
behavior_rules = []
instance-attribute
¶
block_cloud_providers = set()
instance-attribute
¶
blocked_countries = None
instance-attribute
¶
blocked_user_agents = []
instance-attribute
¶
bypassed_checks = set()
instance-attribute
¶
custom_validators = []
instance-attribute
¶
detection_scan_body = None
instance-attribute
¶
enable_suspicious_detection = True
instance-attribute
¶
enabled_detection_categories = None
instance-attribute
¶
excluded_detection_body_fields = None
instance-attribute
¶
excluded_detection_headers = None
instance-attribute
¶
excluded_detection_params = None
instance-attribute
¶
geo_rate_limits = None
instance-attribute
¶
ip_blacklist = None
instance-attribute
¶
ip_whitelist = None
instance-attribute
¶
max_request_size = None
instance-attribute
¶
rate_limit = None
instance-attribute
¶
rate_limit_window = None
instance-attribute
¶
require_https = False
instance-attribute
¶
require_referrer = None
instance-attribute
¶
required_headers = {}
instance-attribute
¶
time_restrictions = None
instance-attribute
¶
whitelist_countries = None
instance-attribute
¶
Configuration class that stores security settings for individual routes.
Mixin Classes¶
The decorator system uses mixins to organize different types of security features:
. AccessControlMixin¶
guard_core.decorators.access_control.AccessControlMixin
¶
Bases: BaseSecurityMixin
allow_countries(countries)
¶
Source code in guard_core/decorators/access_control.py
block_clouds(providers=None)
¶
Source code in guard_core/decorators/access_control.py
block_countries(countries)
¶
Source code in guard_core/decorators/access_control.py
bypass(checks)
¶
Source code in guard_core/decorators/access_control.py
require_ip(whitelist=None, blacklist=None)
¶
Source code in guard_core/decorators/access_control.py
Provides IP-based and geographic access control decorators.
Available Decorators:
@guard_deco.require_ip(whitelist=[], blacklist=[])- IP address filtering@guard_deco.block_countries(countries=[])- Block specific countries@guard_deco.allow_countries(countries=[])- Allow only specific countries@guard_deco.block_clouds(providers=[])- Block cloud provider IPs@guard_deco.bypass(checks=[])- Bypass specific security checks
. AuthenticationMixin¶
guard_core.decorators.authentication.AuthenticationMixin
¶
Bases: BaseSecurityMixin
api_key_auth(header_name='X-API-Key')
¶
Source code in guard_core/decorators/authentication.py
require_auth(type='bearer')
¶
Source code in guard_core/decorators/authentication.py
require_headers(headers)
¶
Source code in guard_core/decorators/authentication.py
require_https()
¶
Source code in guard_core/decorators/authentication.py
Provides authentication and authorization decorators.
Available Decorators:
@guard_deco.require_https()- Force HTTPS@guard_deco.require_auth(type="bearer")- Require authentication@guard_deco.api_key_auth(header_name="X-API-Key")- API key authentication@guard_deco.require_headers(headers={})- Require specific headers
. RateLimitingMixin¶
guard_core.decorators.rate_limiting.RateLimitingMixin
¶
Bases: BaseSecurityMixin
geo_rate_limit(limits)
¶
Source code in guard_core/decorators/rate_limiting.py
rate_limit(requests, window=60)
¶
Source code in guard_core/decorators/rate_limiting.py
Provides rate limiting decorators.
Available Decorators:
@guard_deco.rate_limit(requests=10, window=60)- Basic rate limiting@guard_deco.geo_rate_limit(limits={})- Geographic rate limiting
. BehavioralMixin¶
guard_core.decorators.behavioral.BehavioralMixin
¶
Bases: BaseSecurityMixin
behavior_analysis(rules)
¶
Source code in guard_core/decorators/behavioral.py
return_monitor(pattern, max_occurrences, window=86400, action='ban')
¶
Source code in guard_core/decorators/behavioral.py
suspicious_frequency(max_frequency, window=300, action='ban')
¶
Source code in guard_core/decorators/behavioral.py
usage_monitor(max_calls, window=3600, action='ban')
¶
Source code in guard_core/decorators/behavioral.py
Provides behavioral analysis and monitoring decorators.
Available Decorators:
@guard_deco.usage_monitor(max_calls, window, action)- Monitor endpoint usage@guard_deco.return_monitor(pattern, max_occurrences, window, action)- Monitor return patterns@guard_deco.behavior_analysis(rules=[])- Apply multiple behavioral rules@guard_deco.suspicious_frequency(max_frequency, window, action)- Detect suspicious frequency
. ContentFilteringMixin¶
guard_core.decorators.content_filtering.ContentFilteringMixin
¶
Bases: BaseSecurityMixin
block_user_agents(patterns)
¶
Source code in guard_core/decorators/content_filtering.py
content_type_filter(allowed_types)
¶
Source code in guard_core/decorators/content_filtering.py
custom_validation(validator)
¶
Source code in guard_core/decorators/content_filtering.py
detection_exclusion(headers=None, params=None, body_fields=None, categories=None, scan_body=None)
¶
Source code in guard_core/decorators/content_filtering.py
max_request_size(size_bytes)
¶
Source code in guard_core/decorators/content_filtering.py
require_referrer(allowed_domains)
¶
Source code in guard_core/decorators/content_filtering.py
Provides content and request filtering decorators.
Available Decorators:
@guard_deco.block_user_agents(patterns=[])- Block user agent patterns@guard_deco.content_type_filter(allowed_types=[])- Filter content types@guard_deco.max_request_size(size_bytes)- Limit request size@guard_deco.require_referrer(allowed_domains=[])- Require specific referrers@guard_deco.custom_validation(validator)- Add custom validation logic
. AdvancedMixin¶
guard_core.decorators.advanced.AdvancedMixin
¶
Bases: BaseSecurityMixin
honeypot_detection(trap_fields)
¶
Source code in guard_core/decorators/advanced.py
suspicious_detection(enabled=True)
¶
Source code in guard_core/decorators/advanced.py
time_window(start_time, end_time, timezone='UTC')
¶
Source code in guard_core/decorators/advanced.py
Provides advanced detection and time-based decorators.
Available Decorators:
@guard_deco.time_window(start_time, end_time, timezone)- Time-based access control@guard_deco.suspicious_detection(enabled=True)- Toggle suspicious pattern detection@guard_deco.honeypot_detection(trap_fields=[])- Detect bots using honeypot fields
Utility Functions¶
. get_route_decorator_config¶
guard_core.decorators.base.get_route_decorator_config(request, decorator_handler)
¶
Source code in guard_core/decorators/base.py
Extract route security configuration from the current FastAPI request.
Integration with Middleware¶
The decorators work in conjunction with the SecurityMiddleware to provide comprehensive protection:
- Route Configuration: Decorators configure route-specific settings
- Middleware Processing: SecurityMiddleware reads decorator configurations and applies them
- Override Behavior: Route-specific settings can override global middleware settings
Example Integration:
from fastapi import FastAPI
from guard import SecurityMiddleware, SecurityConfig
from guard import SecurityDecorator
app = FastAPI()
config = SecurityConfig(
enable_ip_banning=True,
enable_rate_limiting=True,
rate_limit=100,
rate_limit_window=3600
)
# Create decorator instance
guard_deco = SecurityDecorator(config)
# Apply decorators to routes
@guard_deco.rate_limit(requests=10, window=300) # Override: 10 requests/5min
@app.get("/api/limited")
def limited_endpoint():
# Uses decorator-specific rate limiting
return {"data": "limited"}
@app.get("/api/public")
def public_endpoint():
# Uses global rate limiting (100 requests/hour)
return {"data": "public"}
# Add global middleware
app.add_middleware(SecurityMiddleware, config=config)
# Set decorator handler on app state (required for integration)
app.state.guard_decorator = guard_deco
Best Practices¶
. Decorator Order¶
Apply decorators in logical order, with more specific restrictions first:
@app.post("/api/admin/sensitive")
@guard_deco.require_https() # Security requirement
@guard_deco.require_auth(type="bearer") # Authentication
@guard_deco.require_ip(whitelist=["10.0.0.0/8"]) # Access control
@guard_deco.rate_limit(requests=5, window=3600) # Rate limiting
@guard_deco.suspicious_detection(enabled=True) # Monitoring
def admin_endpoint():
return {"status": "admin action"}
. Combining Behavioral Analysis¶
Use multiple behavioral decorators for comprehensive monitoring:
@app.get("/api/rewards")
@guard_deco.usage_monitor(max_calls=50, window=3600, action="ban")
@guard_deco.return_monitor("rare_item", max_occurrences=3, window=86400, action="ban")
@guard_deco.suspicious_frequency(max_frequency=0.1, window=300, action="alert")
def rewards_endpoint():
return {"reward": "rare_item", "value": 1000}
. Geographic and Cloud Controls¶
Combine geographic and cloud provider controls:
@app.get("/api/restricted")
@guard_deco.allow_countries(["US", "CA", "GB"]) # Allow specific countries
@guard_deco.block_clouds(["AWS", "GCP"]) # Block cloud providers
def restricted_endpoint():
return {"data": "geo-restricted"}
. Content Filtering¶
Apply content filtering for upload endpoints:
@app.post("/api/upload")
@guard_deco.content_type_filter(["image/jpeg", "image/png"])
@guard_deco.max_request_size(5 * 1024 * 1024) # 5MB limit
@guard_deco.require_referrer(["myapp.com"])
def upload_endpoint():
return {"status": "uploaded"}
Error Handling¶
Decorators integrate with the middleware's error handling system. When decorator conditions are not met, appropriate HTTP responses are returned:
. 403 Forbidden¶
IP restrictions, country blocks, authentication failures
. 429 Too Many Requests¶
Rate limiting violations
. 400 Bad Request¶
Content type mismatches, missing headers
. 413 Payload Too Large¶
Request size limits exceeded
Configuration Priority¶
Security settings are applied in the following priority order:
- Decorator Settings (highest priority)
- Global Middleware Settings
- Default Settings (lowest priority)
This allows for flexible override behavior where routes can customize their security requirements while maintaining global defaults.
For IP and country access control, this priority applies per-aspect rather than as a blanket override: the global IP whitelist/blacklist and country rules always run on decorated routes. A route-level allow rule (ip_whitelist or whitelist_countries) suppresses the corresponding global gate. A route-level deny rule (ip_blacklist or blocked_countries) is additive and does not disable the global rules. Within the IP aspect, a route ip_whitelist match takes priority over that route's own ip_blacklist and over the global blacklist.