Forem: Tagg The latest articles on Forem by Tagg (@tagg_dev). https://forem.com/tagg_dev https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3855664%2F79ef1341-90a0-494f-9111-7dcb903f3209.png Forem: Tagg https://forem.com/tagg_dev en Zero-Cost API Infrastructure: Running a DaaS Business on an Idle Server Tagg Sun, 05 Apr 2026 08:17:51 +0000 https://forem.com/tagg_dev/zero-cost-api-infrastructure-running-a-daas-business-on-an-idle-server-fac https://forem.com/tagg_dev/zero-cost-api-infrastructure-running-a-daas-business-on-an-idle-server-fac <h2> I Had a Server Doing Nothing 22 Hours a Day </h2> <p>I run quantitative trading bots — one for the Korean stock market, one for the US market, one for crypto. They sit on AWS and GCP, watching for signals, executing trades, then going back to sleep.</p> <p>Most of the time, these servers are idle. And AWS isn't free forever — once the 12-month free tier expired, I was looking at ~$10/month for a t2.micro doing almost nothing for most of the day.</p> <p>So I asked myself: <strong>what if the idle server could pay for itself?</strong></p> <h2> The Idea: Data-as-a-Service on RapidAPI </h2> <p>I'm not a professional developer. My background is in IT architecture — I understand systems, infrastructure, and data flows. But I'd never built an API from scratch before.</p> <p>What changed was AI-assisted development. With vibe coding (writing in natural language, letting AI generate the code), I could suddenly build things that would have taken me months to learn the traditional way.</p> <p>I needed a product that:</p> <ol> <li> <strong>Runs on the same server</strong> as my trading bots without interference</li> <li> <strong>Requires minimal maintenance</strong> — no daily babysitting</li> <li> <strong>Has near-zero marginal cost</strong> — data I can get for free</li> <li> <strong>Generates recurring revenue</strong> — subscriptions, not one-time sales</li> </ol> <p>That pointed me to DaaS (Data-as-a-Service): take publicly available but hard-to-access data, clean it up, and serve it through a REST API on RapidAPI.</p> <h2> Why Korean Data? </h2> <p>Here's something most developers outside Korea don't realize: <strong>Korean government data is locked behind walls that have nothing to do with technology.</strong></p> <ul> <li>Government websites are Korean-only</li> <li>Authentication requires Korean phone numbers or certificates</li> <li>Data is scattered across multiple agencies in incompatible formats</li> <li>Documentation is in Korean PDFs, not API specs</li> </ul> <p>If you're a developer in Romania or Brazil trying to check whether a cosmetic ingredient is legal in Korea, you're stuck. Google Translate won't help you navigate a government portal that requires Korean authentication.</p> <p>This is a <strong>moat</strong>. Not a technical one — a linguistic and bureaucratic one. And it applies to dozens of Korean datasets that foreign businesses need.</p> <p>I chose cosmetic ingredients because K-Beauty is a global trend, and regulatory compliance data is something businesses will pay for.</p> <h2> The Stack: Deliberately Boring </h2> <p>I intentionally picked the simplest tools that would work:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Component</th> <th>Choice</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td><strong>Language</strong></td> <td>Python</td> <td>Already using it for trading bots</td> </tr> <tr> <td><strong>Framework</strong></td> <td>FastAPI</td> <td>Fast, auto-docs, type validation</td> </tr> <tr> <td><strong>Database</strong></td> <td>SQLite</td> <td>Zero config, read-only, fast for ~22K records</td> </tr> <tr> <td><strong>Server</strong></td> <td>Gunicorn + Uvicorn</td> <td>Production-ready, 2 workers</td> </tr> <tr> <td><strong>Container</strong></td> <td>Docker</td> <td>Same environment everywhere</td> </tr> <tr> <td><strong>Hosting</strong></td> <td>AWS EC2 (existing)</td> <td>Already paying for it</td> </tr> <tr> <td><strong>Distribution</strong></td> <td>RapidAPI</td> <td>Handles auth, billing, marketing</td> </tr> <tr> <td><strong>Monitoring</strong></td> <td>Telegram alerts</td> <td>10 alert types, instant notifications</td> </tr> </tbody> </table></div> <p><strong>Why SQLite?</strong> My data is essentially static — updated monthly. SQLite in read-only mode gives me sub-50ms response times with zero database administration. No connection pools, no migration scripts, no separate database server. The entire database is a single file I can back up with <code>cp</code>.</p> <p><strong>Why RapidAPI?</strong> They take 20% of revenue, which stings. But they handle payment processing, API key management, rate limiting, and put my API in front of millions of developers. For a solo operation, that trade-off makes sense — especially at the start.</p> <h2> Cost Structure: Actually Zero </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Item</th> <th>Monthly Cost</th> </tr> </thead> <tbody> <tr> <td>AWS EC2</td> <td>$0 (shared with trading bots)</td> </tr> <tr> <td>Domain</td> <td>$0 (not purchased yet)</td> </tr> <tr> <td>SSL</td> <td>$0 (RapidAPI handles it)</td> </tr> <tr> <td>Database</td> <td>$0 (SQLite file)</td> </tr> <tr> <td>CDN</td> <td>$0 (not needed)</td> </tr> <tr> <td>Monitoring</td> <td>$0 (Telegram bot API is free)</td> </tr> <tr> <td><strong>Total fixed cost</strong></td> <td><strong>$0</strong></td> </tr> </tbody> </table></div> <p>The only cost is RapidAPI's 20% commission — but that only kicks in when I'm making money. Zero risk.</p> <p>If one PRO subscriber signs up at $29/month, I keep ~$23 after commission. That alone covers the AWS bill when free tier ends.</p> <h2> Resource Sharing: Bots + API on One Server </h2> <p>This was the part I was most worried about. Trading bots need to execute quickly when signals fire. Would the API interfere?</p> <p>In practice, it's fine:</p> <ul> <li> <strong>Trading bots</strong> spike CPU for a few seconds during market hours, then sleep</li> <li> <strong>API</strong> handles occasional requests throughout the day</li> <li> <strong>Docker</strong> isolates the API from the bot processes</li> <li> <strong>SQLite read-only</strong> means no disk write contention</li> </ul> <p>The key insight: most API businesses at the early stage get very few requests. I'm not serving 10,000 requests per second — I'm serving maybe 10 per day. The server barely notices.</p> <p>If traffic ever grows to the point where contention becomes real, that's a champagne problem. I'll spin up a dedicated instance and the API revenue will easily cover it.</p> <h2> What I Built </h2> <p><strong>K-Beauty Cosmetic Ingredients API</strong> — 21,796 ingredients with regulatory data across 10 countries.</p> <p>Four pricing tiers:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tier</th> <th>Price</th> <th>Requests/Month</th> </tr> </thead> <tbody> <tr> <td>BASIC</td> <td>Free</td> <td>100</td> </tr> <tr> <td>PRO</td> <td>$29</td> <td>2,000</td> </tr> <tr> <td>ULTRA</td> <td>$79</td> <td>5,000</td> </tr> <tr> <td>MEGA</td> <td>$199</td> <td>15,000</td> </tr> </tbody> </table></div> <p>The free tier exists for discovery. The paid tiers add more data fields, partial text search, and country-specific regulation data.</p> <h2> Infrastructure That Runs Itself </h2> <p>Since I can't babysit the server, I automated everything I could:</p> <p><strong>Telegram Alerts (10 types):</strong></p> <ul> <li>Server start/stop</li> <li>500 errors (instant notification)</li> <li>Authentication failures</li> <li>Rate limit violations</li> <li>New subscriber / cancellation</li> <li>Daily stats and weekly revenue (planned)</li> </ul> <p><strong>Docker restart policy:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">--restart</span><span class="o">=</span>always </code></pre> </div> <p>If the container crashes at 3 AM, Docker brings it back up. I find out in the morning from the Telegram alert, but the API was down for maybe 5 seconds.</p> <p><strong>Server management script:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>bash deploy.sh <span class="c"># 1) Status check</span> <span class="c"># 2) Restart</span> <span class="c"># 3) Full redeploy (stop → build → run)</span> <span class="c"># 4) Live logs</span> <span class="c"># 5) Stop</span> <span class="c"># 6) Rollback to previous DB</span> </code></pre> </div> <p>One script, six options. No remembering Docker commands.</p> <p><strong>Data updates:</strong> Monthly. Download two Excel files from the government open data portal, run a build script, deploy. Total time: about 15 minutes of hands-on work.</p> <h2> Security on a Budget </h2> <p>Just because it's a side project doesn't mean I can skip security:</p> <ul> <li> <strong>RapidAPI Proxy Secret</strong> — blocks direct access to the server</li> <li> <strong>Per-tier rate limiting</strong> — prevents abuse (BASIC: 10/min, MEGA: 40/min)</li> <li> <strong>Input validation</strong> — min/max length, type checking, SQL wildcard escaping</li> <li> <strong>Docker non-root user</strong> — container runs as <code>apiuser</code>, not root</li> <li> <strong>SQLite read-only mode</strong> — even if someone gets in, they can't modify data</li> <li> <strong>HSTS headers</strong> — forces HTTPS</li> <li> <strong>Security headers</strong> — nosniff, frame deny, XSS protection</li> </ul> <p>Total cost of all this security: $0. It's all code-level.</p> <h2> Lessons After One Month </h2> <h3> 1. The hardest part isn't building — it's marketing </h3> <p>The API works. The docs are good. The data is solid. But discovery is the bottleneck. RapidAPI's marketplace helps, but it's not magic. I've written blog posts, set up GitHub examples, and optimized my listing. It's a slow grind.</p> <h3> 2. Government data is messy but valuable </h3> <p>Cleaning and normalizing data from multiple government sources took far longer than building the API. But that mess is exactly what creates value — if it were clean and easy to access, someone would have done it already.</p> <h3> 3. Vibe coding works for real products </h3> <p>I built this entire system — scraper, database builder, API server, deployment pipeline, monitoring — using AI-assisted development. Not as a toy project, but as a production service handling real requests. The key is having enough IT knowledge to architect the system, even if you can't write every line of code from memory.</p> <h3> 4. Start with zero fixed costs </h3> <p>If your side project costs $0 to run, you can wait indefinitely for product-market fit. No pressure to monetize immediately. No "burning runway." The server is already there, the tools are free, and RapidAPI only charges when you earn. This patience is a competitive advantage.</p> <h2> Revenue So Far </h2> <p>Let's be honest: close to zero. One free-tier user from Romania tested the API. No paid subscribers yet.</p> <p>But that's okay. The API is live, the infrastructure runs itself, and my total investment is time — no money. I'll keep improving the product, writing about it, and waiting for the right customers to find it.</p> <p>The trading bots haven't made me rich either. But between DaaS subscriptions and quantitative trading, I'm building multiple income streams that don't require me to be physically present. That's the goal.</p> <h2> The Framework: Applicable Beyond K-Beauty </h2> <p>The approach works for any closed-ecosystem data:</p> <ol> <li> <strong>Find data that's publicly available but practically inaccessible</strong> (language barriers, authentication, format issues)</li> <li><strong>Clean it and serve it through a standard REST API</strong></li> <li><strong>Host it on infrastructure you're already paying for</strong></li> <li><strong>Distribute through a marketplace that handles billing</strong></li> <li><strong>Automate monitoring so you don't have to watch it</strong></li> </ol> <p>Korean business registration data, customs clearance codes, pharmaceutical approvals — there are dozens of datasets locked behind Korean-language government portals that international businesses need.</p> <p>Each one is a potential API product. Same stack, same server, same pattern.</p> <h2> Try It </h2> <p>If you're curious about the API itself:</p> <p>🔗 <a href="https://rapidapi.com/han8212/api/k-beauty-cosmetic-ingredients" rel="noopener noreferrer">K-Beauty Cosmetic Ingredients API on RapidAPI</a></p> <p>📂 <a href="https://github.com/han-tagg/Korean-cosmetic-ingredients-api" rel="noopener noreferrer">GitHub - Example Code</a></p> <p>If you're thinking about turning your own idle server into a side business, I'd love to hear your ideas. Drop a comment below.</p> sideprojects api python indiehacker I Added Regulation Data From 10 Countries to My Cosmetic Ingredients API — Here's What I Found Tagg Sat, 04 Apr 2026 15:08:49 +0000 https://forem.com/tagg_dev/i-added-regulation-data-from-10-countries-to-my-cosmetic-ingredients-api-heres-what-i-found-c73 https://forem.com/tagg_dev/i-added-regulation-data-from-10-countries-to-my-cosmetic-ingredients-api-heres-what-i-found-c73 <h2> The Backstory </h2> <p>A few weeks ago, I launched a REST API for Korean cosmetic ingredients — 21,000+ ingredients from official Korean government sources, searchable by INCI name, CAS number, and Korean name.</p> <p>(<a href="https://dev.to/tagg_dev/i-built-an-api-for-21000-korean-cosmetic-ingredients-heres-why-5bao">Original post here</a>)</p> <p>The API worked. But I kept getting the same question from the cosmetic industry people I talked to:</p> <blockquote> <p>"Cool, but what about EU regulations? What about China?"</p> </blockquote> <p>Fair point. If you're formulating cosmetics for global markets, knowing that an ingredient is restricted <em>in Korea</em> is only part of the puzzle. You need to know if it's also banned in the EU, restricted in China, or flagged in ASEAN.</p> <p>So I went down the rabbit hole.</p> <h2> What I Found: A Hidden Goldmine </h2> <p>Korea's Ministry of Food and Drug Safety (MFDS) doesn't just track Korean regulations. Their database at <a href="https://nedrug.mfds.go.kr" rel="noopener noreferrer">nedrug.mfds.go.kr</a> contains <strong>regulation data for 10 countries</strong>, all in one place:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Country</th> <th>Records</th> </tr> </thead> <tbody> <tr> <td>EU</td> <td>5,301</td> </tr> <tr> <td>ASEAN</td> <td>4,843</td> </tr> <tr> <td>China</td> <td>4,145</td> </tr> <tr> <td>South Korea</td> <td>4,046</td> </tr> <tr> <td>Brazil</td> <td>4,022</td> </tr> <tr> <td>Argentina</td> <td>4,022</td> </tr> <tr> <td>Taiwan</td> <td>2,137</td> </tr> <tr> <td>Canada</td> <td>1,947</td> </tr> <tr> <td>Japan</td> <td>386</td> </tr> <tr> <td>USA</td> <td>111</td> </tr> </tbody> </table></div> <p><strong>30,960 regulation records</strong> total. Each one tells you whether an ingredient is prohibited or restricted in that country, with detailed conditions — concentration limits, product type restrictions, and usage warnings.</p> <p>The catch? The data is:</p> <ul> <li>Embedded in HTML pages as JavaScript JSON arrays</li> <li>Behind a Korean-language interface</li> <li>Spread across 7,257 individual pages</li> <li>No API, no download button</li> </ul> <p>Sound familiar?</p> <h2> The Scraping Challenge </h2> <h3> 7,257 pages. One request at a time. </h3> <p>The MFDS detail pages have an interesting structure. Each page contains a JavaScript variable called <code>arCountry</code> — a JSON array with all the regulation data for that ingredient, across all countries. No AJAX calls needed. One page request = all countries.</p> <p>But there's a catch within the catch: some ingredients have <strong>both</strong> restricted and prohibited data, stored in an if/else branch in the JavaScript. A naive regex extraction misses half the data. I had to write a bracket-depth counter to properly extract both arrays.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">extract_json_array</span><span class="p">(</span><span class="n">text</span><span class="p">,</span> <span class="n">start_pos</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Bracket counting instead of regex — handles nested brackets in JSON strings</span><span class="sh">"""</span> <span class="n">bracket_start</span> <span class="o">=</span> <span class="n">text</span><span class="p">.</span><span class="nf">index</span><span class="p">(</span><span class="sh">'</span><span class="s">[</span><span class="sh">'</span><span class="p">,</span> <span class="n">start_pos</span><span class="p">)</span> <span class="n">depth</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">bracket_start</span><span class="p">,</span> <span class="nf">len</span><span class="p">(</span><span class="n">text</span><span class="p">)):</span> <span class="k">if</span> <span class="n">text</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">[</span><span class="sh">'</span><span class="p">:</span> <span class="n">depth</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">elif</span> <span class="n">text</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="o">==</span> <span class="sh">'</span><span class="s">]</span><span class="sh">'</span><span class="p">:</span> <span class="n">depth</span> <span class="o">-=</span> <span class="mi">1</span> <span class="k">if</span> <span class="n">depth</span> <span class="o">==</span> <span class="mi">0</span><span class="p">:</span> <span class="k">return</span> <span class="n">text</span><span class="p">[</span><span class="n">bracket_start</span><span class="p">:</span><span class="n">i</span> <span class="o">+</span> <span class="mi">1</span><span class="p">]</span> <span class="k">return</span> <span class="bp">None</span> </code></pre> </div> <p>Small bug, big difference: one ingredient went from 0 regulation records to 5 after fixing this.</p> <h2> Verifying the Data </h2> <p>Here's the thing about scraping government data from one country about <em>other</em> countries: how do you know it's accurate?</p> <p>I cross-checked our EU data against the <strong>CosIng database</strong> — the EU's official cosmetic ingredient database. CosIng publishes their Annex II (prohibited) and Annex III (restricted) lists as downloadable CSVs.</p> <h3> Verification results: </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Result</th> </tr> </thead> <tbody> <tr> <td>Total EU records from MFDS</td> <td>5,248</td> </tr> <tr> <td>Matched against CosIng (by CAS number + name)</td> <td>4,693 (89.4%)</td> </tr> <tr> <td>Regulation type accuracy</td> <td>99.2%</td> </tr> <tr> <td>Type mismatches</td> <td>38</td> </tr> </tbody> </table></div> <p>The 38 mismatches weren't errors — they were edge cases where an ingredient is prohibited <em>when used as hair dye</em> but restricted for other uses. Different classification logic, same underlying data.</p> <p>Good enough to ship.</p> <h2> The New API (v3.0.0) </h2> <h3> New endpoint: <code>/v1/ingredient/{code}/regulations</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://k-beauty-cosmetic-ingredients.p.rapidapi.com/v1/ingredient/9/regulations</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">country</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">EU</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">X-RapidAPI-Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">YOUR_API_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-RapidAPI-Host</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">k-beauty-cosmetic-ingredients.p.rapidapi.com</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> </code></pre> </div> <p>Response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"ingredient"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"code"</span><span class="p">:</span><span class="w"> </span><span class="mi">9</span><span class="p">,</span><span class="w"> </span><span class="nl">"kr_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"리날룰"</span><span class="p">,</span><span class="w"> </span><span class="nl">"inci_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Linalool"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"available_countries"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"한국"</span><span class="p">,</span><span class="w"> </span><span class="s2">"EU"</span><span class="p">],</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"country"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EU"</span><span class="p">,</span><span class="w"> </span><span class="nl">"regulate_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"제한"</span><span class="p">,</span><span class="w"> </span><span class="nl">"notice_ingr_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1,6-Octadien-3-ol, 3,7-dimethyl-"</span><span class="p">,</span><span class="w"> </span><span class="nl">"limit_condition"</span><span class="p">:</span><span class="w"> </span><span class="kc">null</span><span class="p">,</span><span class="w"> </span><span class="nl">"source_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"limit"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>One API call. One ingredient. Regulations across multiple countries. No PDF digging, no Google Translate, no guesswork.</p> <h3> Country access by tier </h3> <p>Not everyone needs all 10 countries. So I tiered it:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tier</th> <th>Price</th> <th>Countries</th> <th>Monthly Requests</th> </tr> </thead> <tbody> <tr> <td>BASIC</td> <td>Free</td> <td>Ingredients only (no regulations)</td> <td>100</td> </tr> <tr> <td>PRO</td> <td>$29</td> <td>South Korea, EU</td> <td>2,000</td> </tr> <tr> <td>ULTRA</td> <td>$79</td> <td>+ China, USA, Japan, ASEAN</td> <td>5,000</td> </tr> <tr> <td>MEGA</td> <td>$199</td> <td>All 10 countries</td> <td>15,000</td> </tr> </tbody> </table></div> <h2> Interesting Findings From the Data </h2> <p>After collecting all 30,960 regulation records, some patterns jumped out:</p> <h3> 1. The EU bans the most ingredients </h3> <p>EU leads with 5,301 regulation records. They're the strictest regulatory body for cosmetics — many other countries reference EU decisions when updating their own lists.</p> <h3> 2. "Prohibited" doesn't always mean "dangerous" </h3> <p>Some ingredients are prohibited in cosmetics simply because they're classified as pharmaceuticals. Not because they're toxic — because they're too <em>effective</em> and fall under drug regulation instead.</p> <h3> 3. The same ingredient, different rules everywhere </h3> <p>Take silver compounds: restricted in Canada (allowed in mouthwash up to 0.04%), but prohibited in the EU when in nano form. A global cosmetic brand needs to track these differences per-market.</p> <h3> 4. Most MFDS regulated substances aren't in the KCIA ingredient dictionary </h3> <p>Only 1,269 out of 7,257 MFDS regulated substances matched KCIA ingredients by CAS number. The rest are chemical substances that are <em>banned from</em> cosmetics — they were never cosmetic ingredients to begin with.</p> <h2> Technical Decisions </h2> <h3> Why not add all MFDS substances to the main ingredients table? </h3> <p>KCIA tracks what <em>can be</em> used in cosmetics. MFDS tracks what <em>can't be</em> (or has conditions). Mixing them would pollute the ingredient search results with non-cosmetic chemicals. Instead, I kept them in a separate <code>regulations</code> table, linked by CAS number where possible.</p> <h3> Why SQLite, still? </h3> <p>Added 30,960 rows to the existing 21,796-ingredient database. SQLite handles it fine — the regulations table has indexes on <code>ingredient_code</code>, <code>country</code>, and <code>regulate_type</code>. Query time is still under 50ms.</p> <h3> The rate limiting rabbit hole </h3> <p>I wanted per-tier rate limits (BASIC: 10/min, MEGA: 40/min). Turns out the Python <code>slowapi</code> library doesn't support dynamic rate limits based on request context. The decorator function gets called without access to the request object.</p> <p>Solution: two-layer approach. <code>slowapi</code> handles the global ceiling (40/min), and a custom in-memory counter in the middleware enforces per-tier limits after the tier is detected from the subscription header.</p> <h2> What's Next </h2> <ul> <li> <strong>Automated weekly updates</strong> — KCIA change detection is already built, MFDS full re-scrape takes ~10 hours</li> <li> <strong>API name/description SEO optimization</strong> on RapidAPI</li> <li> <strong>More search filters</strong> for the regulations endpoint</li> </ul> <h2> Try It </h2> <p>The API is live on RapidAPI with a free tier.</p> <p>🔗 <a href="https://rapidapi.com/han8212/api/k-beauty-cosmetic-ingredients" rel="noopener noreferrer">K-Beauty Cosmetic Ingredients API</a></p> <p>📂 <a href="https://github.com/han-tagg/Korean-cosmetic-ingredients-api" rel="noopener noreferrer">GitHub - Example Code</a></p> <p>If you're building cosmetic tech, regulatory tools, or just curious about what's actually in your skincare products across different countries — give it a shot.</p> <p>Questions? Drop a comment below.</p> api webdev data python 15 Security Practices I Applied to My FastAPI Side Project Tagg Fri, 03 Apr 2026 11:33:16 +0000 https://forem.com/tagg_dev/15-security-practices-i-applied-to-my-fastapi-side-project-301d https://forem.com/tagg_dev/15-security-practices-i-applied-to-my-fastapi-side-project-301d <blockquote> <p>⚠️ <strong>Disclaimer</strong> <br> These are practical measures I applied to my side project. <br> For enterprise-grade security, consult professionals.</p> </blockquote> <h2> Why This Post? </h2> <p>I recently launched a <a href="https://rapidapi.com/han8212/api/k-beauty-cosmetic-ingredients" rel="noopener noreferrer">K-Beauty Cosmetic Ingredients API</a> on RapidAPI. Before going live, I spent significant time hardening security.</p> <p>This post shares <strong>15 practical security measures</strong> I implemented, with:</p> <ul> <li>✅ Real code examples</li> <li>✅ OWASP Top 10 mapping</li> <li>✅ Lessons learned</li> </ul> <p>Whether you're deploying on RapidAPI, AWS, or anywhere else — these patterns apply.</p> <h2> Table of Contents </h2> <ol> <li>Authentication &amp; Access Control</li> <li>Server Hardening</li> <li>Database Security</li> <li>Monitoring &amp; Alerting</li> <li>Resilience &amp; Error Handling</li> <li>OWASP Top 10 Mapping</li> <li>Lessons Learned</li> </ol> <h2> 1. Authentication &amp; Access Control </h2> <h3> 1.1 RapidAPI Proxy Secret Validation </h3> <p>RapidAPI acts as a proxy. But what stops someone from calling your server directly?</p> <p><strong>Proxy Secret</strong> — a shared secret that only RapidAPI knows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">fastapi</span> <span class="kn">import</span> <span class="n">Request</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="n">RAPIDAPI_PROXY_SECRET</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">RAPIDAPI_PROXY_SECRET</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">verify_rapidapi_proxy</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="c1"># Skip for health checks </span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span> <span class="o">==</span> <span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="c1"># Verify secret </span> <span class="n">proxy_secret</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-RapidAPI-Proxy-Secret</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">proxy_secret</span> <span class="o">!=</span> <span class="n">RAPIDAPI_PROXY_SECRET</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Forbidden</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> </code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A01: Broken Access Control</strong> — Direct access blocked.</p> </blockquote> <h3> 1.2 Tier-Based Access Control </h3> <p>Different subscription tiers get different features:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">extract_tier</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="n">tier_header</span> <span class="o">=</span> <span class="n">request</span><span class="p">.</span><span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">X-RapidAPI-Subscription</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">BASIC</span><span class="sh">"</span><span class="p">)</span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">tier</span> <span class="o">=</span> <span class="n">tier_header</span><span class="p">.</span><span class="nf">upper</span><span class="p">()</span> <span class="k">return</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="c1"># In endpoint: </span><span class="k">def</span> <span class="nf">search_partial</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">q</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">if</span> <span class="n">request</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">tier</span> <span class="o">==</span> <span class="sh">"</span><span class="s">BASIC</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">HTTPException</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">403</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="sh">"</span><span class="s">Partial search requires PRO or ULTRA tier</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># ... continue </span></code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tier</th> <th>Features</th> </tr> </thead> <tbody> <tr> <td>BASIC</td> <td>Exact search only</td> </tr> <tr> <td>PRO</td> <td>+ Partial search, more fields</td> </tr> <tr> <td>ULTRA</td> <td>+ All fields, highest limits</td> </tr> </tbody> </table></div> <h3> 1.3 Rate Limiting with SlowAPI </h3> <p>Prevent abuse and ensure fair usage:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">slowapi</span> <span class="kn">import</span> <span class="n">Limiter</span> <span class="kn">from</span> <span class="n">slowapi.util</span> <span class="kn">import</span> <span class="n">get_remote_address</span> <span class="n">limiter</span> <span class="o">=</span> <span class="nc">Limiter</span><span class="p">(</span><span class="n">key_func</span><span class="o">=</span><span class="n">get_remote_address</span><span class="p">)</span> <span class="n">app</span><span class="p">.</span><span class="n">state</span><span class="p">.</span><span class="n">limiter</span> <span class="o">=</span> <span class="n">limiter</span> <span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/v1/ingredient/inci</span><span class="sh">"</span><span class="p">)</span> <span class="nd">@limiter.limit</span><span class="p">(</span><span class="sh">"</span><span class="s">60/minute</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">search_by_inci</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">q</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="c1"># ... </span></code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A07: Identification and Authentication Failures</strong> — Brute force prevention.</p> </blockquote> <h2> 2. Server Hardening </h2> <h3> 2.1 Docker Non-Root User </h3> <p>Never run containers as root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="c"># Create non-root user</span> <span class="k">RUN </span>groupadd <span class="nt">-r</span> apigroup <span class="o">&amp;&amp;</span> useradd <span class="nt">-r</span> <span class="nt">-g</span> apigroup apiuser <span class="c"># Set ownership</span> <span class="k">COPY</span><span class="s"> --chown=apiuser:apigroup . /app</span> <span class="c"># Switch to non-root user</span> <span class="k">USER</span><span class="s"> apiuser</span> <span class="k">CMD</span><span class="s"> ["gunicorn", "main:app", "-w", "2", "-k", "uvicorn.workers.UvicornWorker"]</span> </code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A04: Insecure Design</strong> — Principle of least privilege.</p> </blockquote> <h3> 2.2 Sensitive File Permissions </h3> <p><code>.env</code> files should only be readable by owner:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod </span>600 config/.env </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nt">-rw-------</span> 1 ubuntu ubuntu .env <span class="c"># Only owner can read/write</span> </code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A05: Security Misconfiguration</strong> — Sensitive data protected.</p> </blockquote> <h3> 2.3 Environment Separation </h3> <p>Different configs for different environments:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">ENV</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">ENV</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">dev</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">ENV</span> <span class="o">==</span> <span class="sh">"</span><span class="s">prod</span><span class="sh">"</span><span class="p">:</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">LOG_LEVEL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">WARNING</span><span class="sh">"</span> <span class="k">else</span><span class="p">:</span> <span class="n">DEBUG</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">LOG_LEVEL</span> <span class="o">=</span> <span class="sh">"</span><span class="s">DEBUG</span><span class="sh">"</span> </code></pre> </div> <h3> 2.4 HSTS Header </h3> <p>Force HTTPS connections:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.middleware</span><span class="p">(</span><span class="sh">"</span><span class="s">http</span><span class="sh">"</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">add_security_headers</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">call_next</span><span class="p">):</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">call_next</span><span class="p">(</span><span class="n">request</span><span class="p">)</span> <span class="n">response</span><span class="p">.</span><span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Strict-Transport-Security</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="s">max-age=31536000; includeSubDomains</span><span class="sh">"</span> <span class="k">return</span> <span class="n">response</span> </code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A02: Cryptographic Failures</strong> — Encrypted transport enforced.</p> </blockquote> <h2> 3. Database Security </h2> <h3> 3.1 OS-Level Read-Only Mode </h3> <p>API only reads data. Why allow writes?</p> <p>Instead of relying on SQLite's <code>PRAGMA query_only</code>, I used <strong>OS-level read-only mode</strong> via URI parameter — a more robust approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_db</span><span class="p">():</span> <span class="c1"># file: URI with ?mode=ro enforces read-only at OS level </span> <span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">file:</span><span class="si">{</span><span class="n">DB_PATH</span><span class="si">}</span><span class="s">?mode=ro</span><span class="sh">"</span><span class="p">,</span> <span class="n">uri</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mf">5.0</span> <span class="p">)</span> <span class="k">return</span> <span class="n">conn</span> </code></pre> </div> <p>This is stronger than <code>PRAGMA query_only</code> because:</p> <ul> <li> <strong>OS-level enforcement</strong> — even if SQLite has a bug, the OS blocks writes</li> <li> <strong>Cannot be bypassed</strong> — no way to disable via SQL commands</li> </ul> <blockquote> <p>🔐 <strong>OWASP A08: Software and Data Integrity Failures</strong> — No unauthorized modifications.</p> </blockquote> <h3> 3.2 Parameterized Queries </h3> <p>Never concatenate user input into SQL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ BAD - SQL Injection vulnerable </span><span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">SELECT * FROM ingredients WHERE name = </span><span class="sh">'</span><span class="si">{</span><span class="n">user_input</span><span class="si">}</span><span class="sh">'"</span><span class="p">)</span> <span class="c1"># ✅ GOOD - Parameterized </span><span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span><span class="sh">"</span><span class="s">SELECT * FROM ingredients WHERE name = ?</span><span class="sh">"</span><span class="p">,</span> <span class="p">(</span><span class="n">user_input</span><span class="p">,))</span> </code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A03: Injection</strong> — SQL injection prevented.</p> </blockquote> <h3> 3.3 LIKE Wildcard Escaping </h3> <p>User input in LIKE queries can abuse wildcards (<code>%</code>, <code>_</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">escape_like_wildcards</span><span class="p">(</span><span class="n">value</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Escape LIKE wildcards to prevent injection.</span><span class="sh">"""</span> <span class="k">return</span> <span class="n">value</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="se">\\</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="se">\\\\</span><span class="sh">"</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">%</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="se">\\</span><span class="s">%</span><span class="sh">"</span><span class="p">).</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">_</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="se">\\</span><span class="s">_</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Usage </span><span class="n">escaped_q</span> <span class="o">=</span> <span class="nf">escape_like_wildcards</span><span class="p">(</span><span class="n">user_input</span><span class="p">)</span> <span class="n">cursor</span><span class="p">.</span><span class="nf">execute</span><span class="p">(</span> <span class="sh">"</span><span class="s">SELECT * FROM ingredients WHERE inci_name LIKE ? ESCAPE </span><span class="sh">'</span><span class="se">\\\\</span><span class="sh">'"</span><span class="p">,</span> <span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">escaped_q</span><span class="si">}</span><span class="s">%</span><span class="sh">"</span><span class="p">,)</span> <span class="p">)</span> </code></pre> </div> <h3> 3.4 Query Timeout </h3> <p>Prevent long-running queries from blocking:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">conn</span> <span class="o">=</span> <span class="n">sqlite3</span><span class="p">.</span><span class="nf">connect</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">file:</span><span class="si">{</span><span class="n">DB_PATH</span><span class="si">}</span><span class="s">?mode=ro</span><span class="sh">"</span><span class="p">,</span> <span class="n">uri</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mf">5.0</span><span class="p">)</span> </code></pre> </div> <h2> 4. Monitoring &amp; Alerting </h2> <h3> 4.1 Telegram Alerts on Server Start </h3> <p>Know immediately when your server restarts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">alert_server_started</span><span class="p">(</span><span class="n">version</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">env</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">db_count</span><span class="p">:</span> <span class="nb">int</span><span class="p">):</span> <span class="n">message</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s"> 🚀 &lt;b&gt;API Server Started&lt;/b&gt; ├ Version: </span><span class="si">{</span><span class="n">version</span><span class="si">}</span><span class="s"> ├ Environment: </span><span class="si">{</span><span class="n">env</span><span class="si">}</span><span class="s"> ├ DB Records: </span><span class="si">{</span><span class="n">db_count</span><span class="si">:</span><span class="p">,</span><span class="si">}</span><span class="s"> └ Time: </span><span class="si">{</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="n">strftime</span><span class="p">(</span><span class="sh">'</span><span class="s">%Y-%m-%d %H</span><span class="si">:</span><span class="o">%</span><span class="n">M</span><span class="si">:</span><span class="o">%</span><span class="n">S</span><span class="sh">'</span><span class="s">)</span><span class="si">}</span><span class="s"> </span><span class="sh">"""</span> <span class="nf">send_telegram_message</span><span class="p">(</span><span class="n">message</span><span class="p">)</span> </code></pre> </div> <h3> 4.2 Real-Time Error Alerts </h3> <p>500 errors go straight to Telegram:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.exception_handler</span><span class="p">(</span><span class="nb">Exception</span><span class="p">)</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">global_exception_handler</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">,</span> <span class="n">exc</span><span class="p">:</span> <span class="nb">Exception</span><span class="p">):</span> <span class="nf">alert_error</span><span class="p">(</span> <span class="n">endpoint</span><span class="o">=</span><span class="n">request</span><span class="p">.</span><span class="n">url</span><span class="p">.</span><span class="n">path</span><span class="p">,</span> <span class="n">error_type</span><span class="o">=</span><span class="nf">type</span><span class="p">(</span><span class="n">exc</span><span class="p">).</span><span class="n">__name__</span><span class="p">,</span> <span class="n">error_message</span><span class="o">=</span><span class="nf">str</span><span class="p">(</span><span class="n">exc</span><span class="p">)[:</span><span class="mi">500</span><span class="p">]</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">500</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">detail</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Internal server error</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> </code></pre> </div> <blockquote> <p>🔐 <strong>OWASP A09: Security Logging and Monitoring Failures</strong> — Real-time visibility.</p> </blockquote> <h3> 4.3 Preventing Duplicate Alerts </h3> <p>Multiple Gunicorn workers = multiple startup alerts? Not anymore:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">lock_file</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">LOG_DIR</span><span class="p">,</span> <span class="sh">"</span><span class="s">.startup_alert_lock</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Clean up stale lock files (server restart case) </span> <span class="c1"># Race Condition defense: ignore if another worker deleted it first </span> <span class="k">try</span><span class="p">:</span> <span class="k">if</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">exists</span><span class="p">(</span><span class="n">lock_file</span><span class="p">):</span> <span class="n">file_age</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">-</span> <span class="n">os</span><span class="p">.</span><span class="n">path</span><span class="p">.</span><span class="nf">getmtime</span><span class="p">(</span><span class="n">lock_file</span><span class="p">)</span> <span class="k">if</span> <span class="n">file_age</span> <span class="o">&gt;</span> <span class="mi">10</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="nf">remove</span><span class="p">(</span><span class="n">lock_file</span><span class="p">)</span> <span class="k">except</span> <span class="nb">OSError</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># Another worker deleted it first — continue </span> <span class="c1"># Atomic file creation - only first worker succeeds </span> <span class="n">fd</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="n">lock_file</span><span class="p">,</span> <span class="n">os</span><span class="p">.</span><span class="n">O_CREAT</span> <span class="o">|</span> <span class="n">os</span><span class="p">.</span><span class="n">O_EXCL</span> <span class="o">|</span> <span class="n">os</span><span class="p">.</span><span class="n">O_WRONLY</span><span class="p">)</span> <span class="n">os</span><span class="p">.</span><span class="nf">close</span><span class="p">(</span><span class="n">fd</span><span class="p">)</span> <span class="nf">alert_server_started</span><span class="p">(</span><span class="n">version</span><span class="p">,</span> <span class="n">env</span><span class="p">,</span> <span class="n">count</span><span class="p">)</span> <span class="c1"># First worker sends </span><span class="k">except</span> <span class="nb">FileExistsError</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># Other workers skip </span></code></pre> </div> <p>This handles:</p> <ul> <li> <strong>TOCTOU (Time-of-check to time-of-use)</strong> — Atomic <code>O_EXCL</code> operation</li> <li> <strong>Race conditions</strong> — <code>OSError</code> catch for concurrent access</li> </ul> <h3> 4.4 Structured JSON Logging </h3> <p>Logs that are easy to parse and analyze:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">logging</span> <span class="kn">import</span> <span class="n">json</span> <span class="k">def</span> <span class="nf">log_api_request</span><span class="p">(</span><span class="n">endpoint</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">status_code</span><span class="p">,</span> <span class="n">response_time_ms</span><span class="p">):</span> <span class="n">log_entry</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">endpoint</span><span class="sh">"</span><span class="p">:</span> <span class="n">endpoint</span><span class="p">,</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="n">query</span><span class="p">,</span> <span class="sh">"</span><span class="s">status_code</span><span class="sh">"</span><span class="p">:</span> <span class="n">status_code</span><span class="p">,</span> <span class="sh">"</span><span class="s">response_time_ms</span><span class="sh">"</span><span class="p">:</span> <span class="n">response_time_ms</span> <span class="p">}</span> <span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">log_entry</span><span class="p">))</span> </code></pre> </div> <h2> 5. Resilience &amp; Error Handling </h2> <h3> 5.1 Graceful Logging Failures </h3> <p>Log failures shouldn't crash your API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">safe_log</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="n">endpoint</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">status_code</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="k">await</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">to_thread</span><span class="p">(</span> <span class="n">log_api_request</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">endpoint</span><span class="p">,</span> <span class="n">query</span><span class="p">,</span> <span class="n">status_code</span> <span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">pass</span> <span class="c1"># Log failure doesn't affect API response </span></code></pre> </div> <h3> 5.2 Telegram Retry Logic </h3> <p>Network is unreliable. Retry with backoff:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">urllib3.util.retry</span> <span class="kn">import</span> <span class="n">Retry</span> <span class="kn">from</span> <span class="n">requests.adapters</span> <span class="kn">import</span> <span class="n">HTTPAdapter</span> <span class="n">retry_strategy</span> <span class="o">=</span> <span class="nc">Retry</span><span class="p">(</span> <span class="n">total</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">backoff_factor</span><span class="o">=</span><span class="mf">0.5</span><span class="p">,</span> <span class="c1"># 0.5s, 1s, 2s </span> <span class="n">status_forcelist</span><span class="o">=</span><span class="p">[</span><span class="mi">429</span><span class="p">,</span> <span class="mi">500</span><span class="p">,</span> <span class="mi">502</span><span class="p">,</span> <span class="mi">503</span><span class="p">,</span> <span class="mi">504</span><span class="p">],</span> <span class="n">respect_retry_after_header</span><span class="o">=</span><span class="bp">True</span> <span class="c1"># Honor 429 Retry-After </span><span class="p">)</span> <span class="n">session</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nc">Session</span><span class="p">()</span> <span class="n">session</span><span class="p">.</span><span class="nf">mount</span><span class="p">(</span><span class="sh">"</span><span class="s">https://</span><span class="sh">"</span><span class="p">,</span> <span class="nc">HTTPAdapter</span><span class="p">(</span><span class="n">max_retries</span><span class="o">=</span><span class="n">retry_strategy</span><span class="p">))</span> </code></pre> </div> <h3> 5.3 Input Sanitization for Alerts </h3> <p>User input in Telegram messages? Escape it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">html</span> <span class="k">def</span> <span class="nf">alert_error</span><span class="p">(</span><span class="n">endpoint</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">error_message</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">safe_message</span> <span class="o">=</span> <span class="n">html</span><span class="p">.</span><span class="nf">escape</span><span class="p">(</span><span class="n">error_message</span><span class="p">)[:</span><span class="mi">4000</span><span class="p">]</span> <span class="c1"># Telegram limit </span> <span class="nf">send_telegram_message</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Error at </span><span class="si">{</span><span class="n">endpoint</span><span class="si">}</span><span class="s">: </span><span class="si">{</span><span class="n">safe_message</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 5.4 Docker Auto-Restart </h3> <p>Container crashes? Auto-recover:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker run <span class="nt">-d</span> <span class="se">\</span> <span class="nt">--restart</span><span class="o">=</span>always <span class="se">\</span> <span class="nt">--name</span> myapi <span class="se">\</span> myapi:latest </code></pre> </div> <h3> 5.5 Health Check Endpoint </h3> <p>For load balancers and monitoring:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.get</span><span class="p">(</span><span class="sh">"</span><span class="s">/health</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">health_check</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">healthy</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2.3.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">utcnow</span><span class="p">().</span><span class="nf">isoformat</span><span class="p">()</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight docker"><code><span class="k">HEALTHCHECK</span><span class="s"> --interval=30s --timeout=5s --start-period=10s --retries=3 \</span> CMD curl -f http://localhost:8000/health || exit 1 </code></pre> </div> <h2> 6. OWASP Top 10 Mapping </h2> <p>Here's how our security measures map to OWASP Top 10 (2021):</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>OWASP</th> <th>Risk</th> <th>Our Mitigation</th> </tr> </thead> <tbody> <tr> <td>A01</td> <td>Broken Access Control</td> <td>✅ Proxy Secret, Tier-based access</td> </tr> <tr> <td>A02</td> <td>Cryptographic Failures</td> <td>✅ HSTS header, HTTPS enforced</td> </tr> <tr> <td>A03</td> <td>Injection</td> <td>✅ Parameterized SQL, LIKE escaping</td> </tr> <tr> <td>A04</td> <td>Insecure Design</td> <td>✅ Non-root Docker, read-only DB</td> </tr> <tr> <td>A05</td> <td>Security Misconfiguration</td> <td>✅ .env permissions, env separation</td> </tr> <tr> <td>A06</td> <td>Vulnerable Components</td> <td>⚠️ Regular dependency updates needed</td> </tr> <tr> <td>A07</td> <td>Auth Failures</td> <td>✅ Rate limiting, secret validation</td> </tr> <tr> <td>A08</td> <td>Data Integrity</td> <td>✅ OS-level read-only database</td> </tr> <tr> <td>A09</td> <td>Logging Failures</td> <td>✅ JSON logging, Telegram alerts</td> </tr> <tr> <td>A10</td> <td>SSRF</td> <td>➖ N/A (no external requests)</td> </tr> </tbody> </table></div> <p><strong>Coverage: 9/10 categories addressed</strong> ✅</p> <h2> 7. Lessons Learned </h2> <h3> 1. Security is Layers </h3> <p>No single measure is enough. Defense in depth:</p> <ul> <li>Network → Proxy Secret</li> <li>Application → Rate limiting, input validation</li> <li>Data → Read-only, parameterized queries</li> <li>Infrastructure → Non-root, auto-restart</li> <li>Monitoring → Real-time alerts</li> </ul> <h3> 2. Fail Gracefully </h3> <p>Security logging shouldn't break your API. Wrap everything in try-except.</p> <h3> 3. Assume Breach </h3> <p>Design as if attackers will get in:</p> <ul> <li>Read-only database (can't modify)</li> <li>Non-root container (limited damage)</li> <li>Monitoring (you'll know quickly)</li> </ul> <h3> 4. Automate Everything </h3> <ul> <li>Auto-restart on crash</li> <li>Auto-retry on network failure</li> <li>Auto-alert on errors</li> </ul> <h3> 5. Test Your Security </h3> <p>Before launch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test direct access (should fail)</span> curl http://your-server:8000/v1/stats <span class="c"># Expected: 403 Forbidden</span> <span class="c"># Test with valid secret (should work)</span> curl <span class="nt">-H</span> <span class="s2">"X-RapidAPI-Proxy-Secret: your-secret"</span> http://your-server:8000/v1/stats <span class="c"># Expected: 200 OK</span> </code></pre> </div> <h2> Wrapping Up </h2> <p>Security isn't a feature — it's a foundation. These 15 measures took extra time upfront, but give me confidence that the API can handle production traffic safely.</p> <p><strong>Resources:</strong></p> <ul> <li><a href="https://owasp.org/Top10/" rel="noopener noreferrer">OWASP Top 10 (2021)</a></li> <li><a href="https://fastapi.tiangolo.com/tutorial/security/" rel="noopener noreferrer">FastAPI Security Docs</a></li> <li><a href="https://docs.docker.com/develop/security-best-practices/" rel="noopener noreferrer">Docker Security Best Practices</a></li> </ul> <h2> Try the API </h2> <p>If you're curious about the API itself:</p> <p>🔗 <a href="https://rapidapi.com/han8212/api/k-beauty-cosmetic-ingredients" rel="noopener noreferrer">K-Beauty Cosmetic Ingredients API</a></p> <p>📂 <a href="https://github.com/han-tagg/Korean-cosmetic-ingredients-api" rel="noopener noreferrer">GitHub - Example Code</a></p> <p><em>Questions about any of these security measures? Drop a comment below!</em></p> security api python webdev I Built an API for 21,000+ Korean Cosmetic Ingredients — Here's Why Tagg Wed, 01 Apr 2026 13:32:33 +0000 https://forem.com/tagg_dev/i-built-an-api-for-21000-korean-cosmetic-ingredients-heres-why-5bao https://forem.com/tagg_dev/i-built-an-api-for-21000-korean-cosmetic-ingredients-heres-why-5bao <h2> The Problem Nobody Talks About </h2> <p>If you've ever tried to check whether a cosmetic ingredient is legal in South Korea, you know the pain:</p> <ul> <li>🇰🇷 Government websites only in Korean</li> <li>📄 Data buried in PDFs, not databases</li> <li>🔍 No search functionality</li> <li>🚫 No official API</li> </ul> <p>For cosmetic brands trying to enter the Korean market, this means hours of manual research, expensive consultants, or just... guessing.</p> <p>I decided to fix this.</p> <h2> What I Built </h2> <p><strong>K-Beauty Cosmetic Ingredients API</strong> — A REST API with:</p> <ul> <li>✅ <strong>21,796 ingredients</strong> from official Korean sources</li> <li>✅ INCI names, CAS numbers, Korean translations</li> <li>✅ Regulatory status (Prohibited / Restricted / Not Listed)</li> <li>✅ Concentration limits and conditions</li> <li>✅ Fast JSON responses (&lt;50ms)</li> </ul> <p>Data comes directly from:</p> <ul> <li> <strong>MFDS</strong> (Ministry of Food and Drug Safety) — Korea's FDA</li> <li> <strong>KCIA</strong> (Korea Cosmetic Industry Association)</li> </ul> <h2> Quick Example </h2> <p>Want to check if Retinol is restricted in Korea?<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://k-beauty-cosmetic-ingredients.p.rapidapi.com/v1/ingredient/inci</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">q</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">retinol</span><span class="sh">"</span><span class="p">},</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">X-RapidAPI-Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">YOUR_API_KEY</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">X-RapidAPI-Host</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">k-beauty-cosmetic-ingredients.p.rapidapi.com</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> </code></pre> </div> <p>Response:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"success"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"count"</span><span class="p">:</span><span class="w"> </span><span class="mi">3</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"inci_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RETINOL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"kr_name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"레티놀"</span><span class="p">,</span><span class="w"> </span><span class="nl">"cas_numbers"</span><span class="p">:</span><span class="w"> </span><span class="s2">"68-26-8"</span><span class="p">,</span><span class="w"> </span><span class="nl">"regulation_status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Restricted"</span><span class="p">,</span><span class="w"> </span><span class="nl">"purposes"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Skin conditioning"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Now you know: <strong>Retinol is restricted</strong> (allowed with conditions) in Korean cosmetics. No PDF digging required.</p> <h2> Who Is This For? </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>User</th> <th>Use Case</th> </tr> </thead> <tbody> <tr> <td>🧪 <strong>Cosmetic Formulators</strong> </td> <td>Check ingredients before formulating</td> </tr> <tr> <td>📋 <strong>Regulatory Consultants</strong> </td> <td>Speed up compliance audits</td> </tr> <tr> <td>🏭 <strong>Manufacturers</strong> </td> <td>Validate formulations for Korea export</td> </tr> <tr> <td>📱 <strong>App Developers</strong> </td> <td>Build ingredient scanner apps</td> </tr> <tr> <td>🛒 <strong>E-commerce</strong> </td> <td>Show safety info on product pages</td> </tr> </tbody> </table></div> <h2> API Endpoints </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Endpoint</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>/v1/ingredient/inci?q=</code></td> <td>Search by INCI name</td> </tr> <tr> <td><code>/v1/ingredient/cas?q=</code></td> <td>Search by CAS number</td> </tr> <tr> <td><code>/v1/ingredient/kr?q=</code></td> <td>Search by Korean name</td> </tr> <tr> <td><code>/v1/ingredient/search?q=</code></td> <td>Partial text search</td> </tr> <tr> <td><code>/v1/ingredient/status?s=</code></td> <td>Filter by regulatory status</td> </tr> <tr> <td><code>/v1/stats</code></td> <td>Database statistics</td> </tr> </tbody> </table></div> <h2> Tech Stack </h2> <p>For those curious about how it's built:</p> <ul> <li> <strong>Backend:</strong> Python, FastAPI</li> <li> <strong>Database:</strong> SQLite (read-only mode)</li> <li> <strong>Server:</strong> Gunicorn + Uvicorn workers</li> <li> <strong>Infrastructure:</strong> AWS EC2, Docker</li> <li> <strong>Monitoring:</strong> Telegram alerts</li> <li> <strong>Distribution:</strong> RapidAPI</li> <li> <strong>Security:</strong> OWASP Top 10 hardened (Rate Limiting, Input Validation, LIKE Wildcard Escaping, Proxy Secret)</li> </ul> <h3> Why SQLite? </h3> <p>The data is essentially static (updated monthly). SQLite in read-only mode gives us:</p> <ul> <li>Zero configuration</li> <li>Fast reads</li> <li>No separate database server</li> <li>Easy backups</li> </ul> <p>For a read-heavy API with ~22K records, it's perfect.</p> <h2> Lessons Learned </h2> <h3> 1. Government Data is Messy </h3> <p>Scraping and normalizing data from multiple sources took 10x longer than building the API itself.</p> <h3> 2. B2B &gt; B2C for Niche APIs </h3> <p>Consumer apps want "safety scores." Businesses want <strong>regulatory compliance data</strong>. They're willing to pay for it.</p> <h3> 3. Documentation Matters </h3> <p>Good docs = fewer support questions = more time for features.</p> <h2> Try It Free </h2> <p>The API is live on RapidAPI with a free tier (100 requests/month).</p> <p>🔗 <strong><a href="https://rapidapi.com/han8212/api/k-beauty-cosmetic-ingredients" rel="noopener noreferrer">K-Beauty Cosmetic Ingredients API</a></strong></p> <p>📂 <strong><a href="https://github.com/han-tagg/Korean-cosmetic-ingredients-api" rel="noopener noreferrer">GitHub - Example Code</a></strong></p> <h2> What's Next? </h2> <ul> <li>[ ] Monthly data updates</li> <li>[ ] More search filters</li> <li>[ ] Batch lookup endpoint</li> <li>[ ] Python/JS SDK packages</li> </ul> <h2> Questions? </h2> <p>Drop a comment below or reach out on RapidAPI. Happy to help!</p> <p><em>If you're working on cosmetic tech or regulatory compliance tools, I'd love to hear about your use case.</em></p> api webdev opensource beginners