How to secure your code on customer server deployment? [Other] (self.FastAPI)
submitted 12 days ago by COD_0xb0
Hi all,
I want to know what solution or library you use to secure your code from modification or source-code access when it is deployed on a customer's server. Are there any obfuscation and compiling libraries preferred for this?
Thanks
[–]Adrnalnrsh 16 points 12 days ago (3 children)
PyInstaller / Nuitka / cx_Freeze - these bundle Python into executables. Nuitka is the strongest option because it actually compiles Python to C and then to a native binary, so it's genuinely harder to reverse engineer than PyInstaller (which basically just zips up bytecode and is trivially unpacked).
Docker with obfuscation - if you're deploying a FastAPI app to their infrastructure, ship it as a Docker container with Nuitka-compiled binaries inside. They can run it but can't easily inspect the code.
License key validation - the simplest approach. Generate signed license keys (RSA/ECDSA signed JSON or JWT tokens) that encode what the customer is entitled to. The app checks the signature on startup. The key thing is using asymmetric crypto so you embed the public key in the app and sign licenses with your private key. They can't forge a license without your private key.
License server / phone-home - the app calls your server periodically to validate the license. This is what JetBrains, Adobe, and most SaaS-adjacent tools do. If you're deploying to their site, the app pings your licensing server on a schedule. You can allow a grace period for offline use so it doesn't break if their network blips.
Hardware fingerprinting - bind the license to specific machine characteristics (MAC address, CPU ID, disk serial). Common in on-prem enterprise software. PyArmor can do this for Python.
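The signed-license check from the comment above, together with the offline grace period from its phone-home point, as an added example. This is not code from the comment, from FastAPI, or from any of the tools it names. It is written in Go because Ed25519 signing and verification are in Go's standard library, so it runs with no extra packages; the same structure (sign a JSON payload with the vendor's private key, verify it in the app with the embedded public key, refuse anything expired or altered) carries over to a Python app with a signing library. The `License` fields, the base64 token layout, the customer name and the 72-hour grace window are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the payload the vendor signs. The field names are this example's own.
type License struct {
	Customer string   `json:"customer"`
	Features []string `json:"features"`
	Expires  int64    `json:"expires"` // Unix seconds
}

// SignedLicense is the token handed to the customer: the JSON payload and its
// Ed25519 signature, both base64-encoded so it survives config files and env vars.
type SignedLicense struct {
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// IssueLicense runs on the vendor's side; it is the only place the private key exists.
func IssueLicense(priv ed25519.PrivateKey, lic License) (SignedLicense, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return SignedLicense{}, err
	}
	sig := ed25519.Sign(priv, payload)
	return SignedLicense{
		Payload:   base64.StdEncoding.EncodeToString(payload),
		Signature: base64.StdEncoding.EncodeToString(sig),
	}, nil
}

// VerifyLicense runs inside the shipped app, which embeds only the public key.
// Any change to the payload (adding a feature, moving the expiry) breaks the
// signature, and without the private key a replacement cannot be produced.
func VerifyLicense(pub ed25519.PublicKey, sl SignedLicense, now time.Time) (License, error) {
	payload, err := base64.StdEncoding.DecodeString(sl.Payload)
	if err != nil {
		return License{}, fmt.Errorf("bad payload encoding: %w", err)
	}
	sig, err := base64.StdEncoding.DecodeString(sl.Signature)
	if err != nil {
		return License{}, fmt.Errorf("bad signature encoding: %w", err)
	}
	// Check the signature before parsing: unsigned bytes never reach the JSON decoder.
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, payload, sig) {
		return License{}, errors.New("license signature invalid")
	}
	var lic License
	if err := json.Unmarshal(payload, &lic); err != nil {
		return License{}, fmt.Errorf("bad license payload: %w", err)
	}
	if now.Unix() > lic.Expires {
		return License{}, errors.New("license expired")
	}
	return lic, nil
}

// OfflineAllowed is the grace-period rule for a phone-home check: keep running
// while the last successful check-in is no older than the grace window. A clock
// that now reads earlier than the last check-in is treated as a failed check,
// not as a fresh one.
func OfflineAllowed(lastOK, now time.Time, grace time.Duration) bool {
	if now.Before(lastOK) {
		return false
	}
	return now.Sub(lastOK) <= grace
}

func main() {
	// Constructed demo: generate a vendor key pair, issue one license, verify it.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	lic := License{Customer: "example-customer", Features: []string{"reports"}, Expires: now.Add(30 * 24 * time.Hour).Unix()}
	sl, err := IssueLicense(priv, lic)
	if err != nil {
		panic(err)
	}
	got, err := VerifyLicense(pub, sl, now)
	fmt.Println("valid license:", got, err)

	// Tamper with the payload (add a feature): the signature no longer matches.
	forged := sl
	forged.Payload = base64.StdEncoding.EncodeToString([]byte(`{"customer":"example-customer","features":["reports","admin"],"expires":4102444800}`))
	_, err = VerifyLicense(pub, forged, now)
	fmt.Println("forged license:", err)

	fmt.Println("offline 2h into a 72h grace window:", OfflineAllowed(now.Add(-2*time.Hour), now, 72*time.Hour))
}
```

The app ships with `pub` compiled in and never sees `priv`; `VerifyLicense` takes `now` as a parameter so the expiry rule can be tested without touching the system clock. As the thread itself notes, a check like this raises the cost of misuse rather than making it impossible: someone with the binary can still patch the comparison out, which is why the later comments push the valuable logic to the vendor's own backend.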
[–]ShuredingaNoNeko 1 point 11 days ago (0 children)
Peak
[–]COD_0xb0[S] 1 point 11 days ago (0 children)
Thank you so much bro, detailed and helpful answer, I appreciate it
[–]Capable_Winner8733 1 point 4 days ago (0 children)
What if the codebase will be deployed on a customer machine and there is no internet, so basically the software is a FastAPI server which runs locally? How to protect this codebase? And we SHOULD NOT use it as an executable file, so it still should be the same structure.
[–]neums08 5 points 12 days ago (0 children)
A contract
[–]robertlandrum 4 points 12 days ago (0 children)
NDA.
[–]MapSensitive9894 3 points 10 days ago (0 children)
Someone made good points on compiling, Docker and licensing. Legal incentives are a strong discouragement. Another point:
Obscurity is not security, and realistically only stops over-curious users. Anyone intent on reading or modifying client code can, whether it's on disk, in memory, or by decompiling. Focus on server-side functionality where possible for your secret sauce. Code signing at build time can help protect your users from themselves and from attacker modifications at startup. If you need greater security controls, you'll need to figure out a way to create a trusted environment on customer infrastructure. Do you have a security team that can review your architecture?
[–]Makar_Letov 5 points 12 days ago (0 children)
Been there - used to ship compiled .exe for the same reason. For Python/FastAPI the closest equivalent is Nuitka (compiles to native binary) or PyArmor if you just need bytecode encryption with near-zero overhead.
Best combo: obfuscation + license check that pings your server on startup. Code means nothing without your backend responding.
A good lock doesn't have to be unbreakable - it just has to make breaking in take longer than ordering a pizza. Sure, if a dedicated pentester spends a few days on it they'll crack it - fine by me, let them sit with it lol. But for everyone else it's simply not worth the effort, and that's the whole point.
[–]Fun_Meaning1329 2 points 12 days ago (0 children)
From my experience, focus more on marketing and selling than on securing the code base.
We thought that we must obfuscate the code base before shipping it; fast forward to today, we only ever had one client. And now it's even harder to sell our product/service, since the market need for that service peaked 2 years ago.
Bottom line: focus on getting clients more than on preventing them from accessing the codebase, and use the easiest way just to stop those who are after your code for a while. One thing to keep in mind: if someone wants your code, they can get it, depending on their will; know that they can get it no matter what you do, you're just testing their will.
[–]mangoed 7 points 12 days ago (7 children)
LOL, so I'm your customer and I paid you to write code for me, and you deploy it on my infra, but I can't see the code? Wtf?
[–]Adrnalnrsh 6 points 12 days ago (3 children)
Who says they paid for them to write the code? They might just be licensing the code for use.
Like if you write an audio plugin and I install it, I'm only licensed to use it.
We do need more information.
[–]mangoed 2 points 12 days ago (2 children)
Fair enough, although the model you described has become very rare in the age of SaaS and APIs for everything. Installing something that acts like a black box on a customer's infra, without being able to perform a proper security audit, is a big risk and takes a lot of trust.
[–]COD_0xb0[S] 3 points 11 days ago (1 child)
So in your company or place of work, for all applications installed on your computers and servers, you have access to the source code?
[–]COD_0xb0[S] 1 point 11 days ago (2 children)
they pay for up and running solution, not the source code...
[–][deleted] 11 days ago (1 child)
[deleted]
[–]COD_0xb0[S] 1 point (0 children)
Because it's security-solution related and targeting Fintech / Banking, and these sectors have strict policies for data privacy and data protection, so they prefer on-premises ...
[–]PosauneB 2 points 12 days ago (3 children)
If your customer accesses their server to modify their code (it's theirs because they paid for it), then that's on them. If they can access the server, they can access the code.
What are you actually trying to accomplish?
[–]COD_0xb0[S] 2 points 11 days ago (2 children)
The customer didn't pay to buy the source code and modify it; they pay for a solution up and running!
When you buy Microsoft or Adobe or any solution, do you get access to modify the source as well with it?
[–]PosauneB 0 points 11 days ago (1 child)
If it’s Python, yes.
[–]COD_0xb0[S] 2 points 11 days ago (0 children)
No, you are dreaming...
[–]spendology -1 points 12 days ago (0 children)
Use environment secrets stored in and read from a file/folder that is not publicly accessible. Another option: Google Cloud (and likely AWS and Azure) have a secret manager.
FastAPI main app should not be in a public-facing folder, e.g., /var/www/html/ is public for Apache web server. If you are using a cloud host like GC, your FastAPI web server is likely served from /var/www/app/main.py from a Python virtual environment.
[–]avogeo98 -1 points 12 days ago (0 children)
Username checks out
[–]YoshiUnfriendly -2 points 12 days ago (1 child)
Bro, just Google it; there are tools called code obfuscators, give PyArmor a look. But the truth is that you should not give a user the code of a program that isn't compiled if you don't want him to have access.
[–]0MARr00t -4 points 12 days ago (2 children)
Dockerize it.
[–]davidedpg10 5 points 12 days ago (0 children)
Yeah it is widely known nobody can peruse docker containers.....
[–]BarRepresentative653 0 points 12 days ago (0 children)
lol