* HTTP Basic Authentifizierung.
* **OAuth2** (auch mit **JWT Tokens**). Siehe dazu das Tutorial zu [OAuth2 mit JWT](tutorial/security/oauth2-jwt.md){.internal-link target=_blank}.
* API Schlüssel in:
    * Header-Feldern.
    * Anfrageparametern.
    * Cookies, usw.

Zusätzlich alle Sicherheitsfunktionen von Starlette (inklusive **Session Cookies**).

Você poderia criar uma classe `CustomORJSONResponse`. A principal coisa a ser feita é sobrecarregar o método render da classe Response, `Response.render(content)`, que retorna o conteúdo em bytes, para retornar o conteúdo que você deseja:

{* ../../docs_src/custom_response/tutorial009c.py hl[9:14,17] *}

Agora em vez de retornar:

```json

Mas isso só permitirá certos tipos de comunicação, excluindo tudo que envolva credenciais: cookies, cabeçalhos de autorização como aqueles usados ​​com Bearer Tokens, etc.

Então, para que tudo funcione corretamente, é melhor especificar explicitamente as origens permitidas.

## Usar `CORSMiddleware`

# ========================================================================================
# Framework Default
# =================
# ----------------------------------------------------------
# Lasta Taglib
# ------------
errors.header = <ul class="has-error">
errors.footer = </ul>
errors.prefix = <li><i class="fa fa-exclamation-circle"></i>
errors.suffix = </li>
# ----------------------------------------------------------
# Javax Validator

# ========================================================================================
# Framework Default
# =================
# ----------------------------------------------------------
# Lasta Taglib
# ------------
errors.header = <ul class="has-error">
errors.footer = </ul>
errors.prefix = <li><i class="fa fa-exclamation-circle"></i>
errors.suffix = </li>
# ----------------------------------------------------------
# Javax Validator

        final int avPairsLength = avPairs != null ? avPairs.length : 0;
        final byte[] temp = new byte[28 + avPairsLength + 4];

        Encdec.enc_uint32le(0x00000101, temp, 0); // Header
        Encdec.enc_uint32le(0x00000000, temp, 4); // Reserved
        Encdec.enc_uint64le(nanos1601, temp, 8);
        System.arraycopy(clientChallenge, 0, temp, 16, 8);

 * lowercase, but all others are left as-is.
 *
 * <p>Note that this specifically does <strong>not</strong> represent the value of the MIME {@code
 * Content-Type} header and as such has no support for header-specific considerations such as line
 * folding and comments.
 *
 * <p>For media types that take a charset the predefined constants default to UTF-8 and have a

🚥 👆 📂 👩‍💻 🧰, 👆 💪 👀 ❔ 📊 📨 🕴 🔌 🤝, 🔐 🕴 📨 🥇 📨 🔓 👩‍💻 & 🤚 👈 🔐 🤝, ✋️ 🚫 ⏮️:

<img src="/img/tutorial/security/image10.png">

/// note

👀 🎚 `Authorization`, ⏮️ 💲 👈 ▶️ ⏮️ `Bearer `.

///

## 🏧 ⚙️ ⏮️ `scopes`

Oauth2️⃣ ✔️ 🔑 "↔".

👆 💪 ⚙️ 👫 🚮 🎯 ⚒ ✔ 🥙 🤝.

⤴️ 👆 💪 🤝 👉 🤝 👩‍💻 🔗 ⚖️ 🥉 🥳, 🔗 ⏮️ 👆 🛠️ ⏮️ ⚒ 🚫.

/// tip

Here we are using `Query()` because this is a **query parameter**. Later we will see others like `Path()`, `Body()`, `Header()`, and `Cookie()`, that also accept the same arguments as `Query()`.

///

FastAPI will now:

* **Validate** the data making sure that the max length is 50 characters

... und **FastAPI** verwendet dieselben Deklarationen, um:

* **Anforderungen** zu definieren: aus Anfrage-Pfadparametern, Abfrageparametern, Header-Feldern, Bodys, Abhängigkeiten, usw.
* **Daten umzuwandeln**: aus der Anfrage in den erforderlichen Typ.
* **Daten zu validieren**: aus jeder Anfrage:
    * **Automatische Fehler** generieren, die an den Client zurückgegeben werden, wenn die Daten ungültig sind.