Overzealous defaults?

[petri]

I got blocked / banned just by using a a browser to access the fastapi openapi docs a few times: "Potential attack detected" and "Suspicious activity detected" from my own browser.

No idea why. Are there some defaults that are overzealous?

Is there any way to unban myself? My IP is whitelisted but that seems not to help. The docs don't clearly say whether giving an IP whitelist always blocks everything else, or...?

Great promise in this package but a bit of rough edges here...

Also, would be nice to be able to give CIDR address ranges to the IP whitelist/blacklist options, and whitelist by country.

[rennf93]

Thank you for bringing this to my attention. I see what you mean, the issue you're facing.

I've been checking the code, and I think I found some possible causes for the issue:

• Pattern matching -> As you pointed out, some patterns might be producing false positives like in your case with the /docs site.
• Whitelist priority -> There's a piece of code that seems not to be respecting the whitelist above other.
• UnBan feature -> There's no unban method atm, but it must be implemented.
• CIDR ranges -> The current implementation doesn't support CIDR notation for IP ranges in the whitelist and blacklist, but could possibly implement it on the same fix for the above mentioned issues.

I will now proceed with the development and testing of these fixes. I'll keep you updated.

Thanks again for your feedback!