⬆ Bump werkzeug from 3.1.5 to 3.1.6

Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.1.5 to 3.1.6.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](https://github.com/pallets/werkzeug/compare/3.1.5...3.1.6)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-version: 3.1.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/test.yml

@@ -208,4 +208,4 @@ jobs:
         uses: re-actors/alls-green@release/v1
         with:
           jobs: ${{ toJSON(needs) }}
-          allowed-skips: coverage-combine,test,benchmark
+          allowed-skips: coverage-combine,test

docs/en/docs/advanced/strict-content-type.md

@@ -1,88 +0,0 @@
-# Strict Content-Type Checking { #strict-content-type-checking }
-
-By default, **FastAPI** uses strict `Content-Type` header checking for JSON request bodies, this means that JSON requests **must** include a valid `Content-Type` header (e.g. `application/json`) in order for the body to be parsed as JSON.
-
-## CSRF Risk { #csrf-risk }
-
-This default behavior provides protection against a class of **Cross-Site Request Forgery (CSRF)** attacks in a very specific scenario.
-
-These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:
-
-* don't have a `Content-Type` header (e.g. using `fetch()` with a `Blob` body)
-* and don't send any authentication credentials.
-
-This type of attack is mainly relevant when:
-
-* the application is running locally (e.g. on `localhost`) or in an internal network
-* and the application doesn't have any authentication, it expects that any request from the same network can be trusted.
-
-## Example Attack { #example-attack }
-
-Imagine you build a way to run a local AI agent.
-
-It provides an API at
-
-```
-http://localhost:8000/v1/agents/multivac
-```
-
-There's also a frontend at
-
-```
-http://localhost:8000
-```
-
-/// tip
-
-Note that both have the same host.
-
-///
-
-Then using the frontend you can make the AI agent do things on your behalf.
-
-As it's running **locally**, and not in the open internet, you decide to **not have any authentication** set up, just trusting the access to the local network.
-
-Then one of your users could install it and run it locally.
-
-Then they could open a malicious website, e.g. something like
-
-```
-https://evilhackers.example.com
-```
-
-And that malicious website sends requests using `fetch()` with a `Blob` body to the local API at
-
-```
-http://localhost:8000/v1/agents/multivac
-```
-
-Even though the host of the malicious website and the local app is different, the browser won't trigger a CORS preflight request because:
-
-* It's running without any authentication, it doesn't have to send any credentials.
-* The browser thinks it's not sending JSON (because of the missing `Content-Type` header).
-
-Then the malicious website could make the local AI agent send angry messages to the user's ex-boss... or worse. 😅
-
-## Open Internet { #open-internet }
-
-If your app is in the open internet, you wouldn't "trust the network" and let anyone send privileged requests without authentication.
-
-Attackers could simply run a script to send requests to your API, no need for browser interaction, so you are probably already securing any privileged endpoints.
-
-In that case **this attack / risk doesn't apply to you**.
-
-This risk and attack is mainly relevant when the app runs on the **local network** and that is the **only assumed protection**.
-
-## Allowing Requests Without Content-Type { #allowing-requests-without-content-type }
-
-If you need to support clients that don't send a `Content-Type` header, you can disable strict checking by setting `strict_content_type=False`:
-
-{* ../../docs_src/strict_content_type/tutorial001_py310.py hl[4] *}
-
-With this setting, requests without a `Content-Type` header will have their body parsed as JSON, which is the same behavior as older versions of FastAPI.
-
-/// info
-
-This behavior and configuration was added in FastAPI 0.132.0.
-
-///

docs/en/docs/editor-support.md

@@ -1,23 +0,0 @@
-# Editor Support { #editor-support }
-
-The official [**FastAPI extension**](https://marketplace.visualstudio.com/items?itemName=FastAPILabs.fastapi-vscode) enhances your FastAPI development workflow with route discovery, navigation, as well as FastAPI Cloud deployment, and live log streaming.
-
-For more details about the extension, refer to the README on the [GitHub repository](https://github.com/fastapi/fastapi-vscode).
-
-## Setup and Installation { #setup-and-installation }
-
-The FastAPI extension is available for both [VS Code](https://code.visualstudio.com/) and [Cursor](https://www.cursor.com/). It can be installed directly from the Extensions panel in each editor by searching for "FastAPI" and selecting the extension published by FastAPI Labs. The extension also works in browser-based editors such as [vscode.dev](https://vscode.dev) and [github.dev](https://github.dev).
-
-### Application Discovery { #application-discovery }
-
-By default, the extension will automatically discover FastAPI applications in your workspace by scanning for files that instantiate `FastAPI()`. If auto-detection doesn't work for your project structure, you can specify an entrypoint via `[tool.fastapi]` in `pyproject.toml` or the `fastapi.entryPoint` VS Code setting using module notation (e.g. `myapp.main:app`).
-
-## Features { #features }
-
-- **Path Operation Explorer** — A sidebar tree view of all routes in your application; click to jump to any route or router definition.
-- **Route Search** — Search routes by path, method, or name with `Ctrl+Shift+E` (`Cmd+Shift+E` on Mac).
-- **CodeLens Navigation** — Clickable links above test client calls (e.g. `client.get('/items')`) that jump to the matching route for quick navigation between tests and implementation.
-- **Deploy to FastAPI Cloud** — One-click deployment of your app to FastAPI Cloud.
-- **Stream Application Logs** — Real-time log streaming from your FastAPI Cloud-deployed application with level filtering and text search.
-
-If you'd like to familiarize yourself with the extension's features, you can checkout the extension walkthrough by opening the Command Palette (`Ctrl+Shift+P` or `Cmd+Shift+P` on Mac) and selecting "Welcome: Open walkthrough..." and then choosing the "Get started with FastAPI" walkthrough.

docs/en/docs/release-notes.md

@@ -7,43 +7,6 @@ hide:
 
 ## Latest Changes
 
-## 0.133.1
-
-### Features
-
-* 🔧 Add FastAPI Agents Skill. PR [#14982](https://github.com/fastapi/fastapi/pull/14982) by [@tiangolo](https://github.com/tiangolo).
-    * Read more about it in [Library Agent Skills](https://tiangolo.com/ideas/library-agent-skills/).
-
-### Internal
-
-* ✅ Fix all tests are skipped on Windows. PR [#14994](https://github.com/fastapi/fastapi/pull/14994) by [@YuriiMotov](https://github.com/YuriiMotov).
-
-## 0.133.0
-
-### Upgrades
-
-* ⬆️ Add support for Starlette 1.0.0+. PR [#14987](https://github.com/fastapi/fastapi/pull/14987) by [@tiangolo](https://github.com/tiangolo).
-
-## 0.132.1
-
-### Refactors
-
-* ♻️ Refactor logic to handle OpenAPI and Swagger UI escaping data. PR [#14986](https://github.com/fastapi/fastapi/pull/14986) by [@tiangolo](https://github.com/tiangolo).
-
-### Internal
-
-* 👥 Update FastAPI People - Experts. PR [#14972](https://github.com/fastapi/fastapi/pull/14972) by [@tiangolo](https://github.com/tiangolo).
-* 👷 Allow skipping `benchmark` job in `test` workflow. PR [#14974](https://github.com/fastapi/fastapi/pull/14974) by [@YuriiMotov](https://github.com/YuriiMotov).
-
-## 0.132.0
-
-### Breaking Changes
-
-* 🔒️ Add `strict_content_type` checking for JSON requests. PR [#14978](https://github.com/fastapi/fastapi/pull/14978) by [@tiangolo](https://github.com/tiangolo).
-    * Now FastAPI checks, by default, that JSON requests have a `Content-Type` header with a valid JSON value, like `application/json`, and rejects requests that don't.
-    * If the clients for your app don't send a valid `Content-Type` header you can disable this with `strict_content_type=False`.
-    * Check the new docs: [Strict Content-Type Checking](https://fastapi.tiangolo.com/advanced/strict-content-type/).
-
 ### Internal
 
 * ⬆ Bump flask from 3.1.2 to 3.1.3. PR [#14949](https://github.com/fastapi/fastapi/pull/14949) by [@dependabot[bot]](https://github.com/apps/dependabot).

docs/en/docs/tutorial/index.md

@@ -84,13 +84,6 @@ If you want to install the standard dependencies but without the `fastapi-cloud-
 
 ///
 
-/// tip
-
-FastAPI has an <a href="https://marketplace.visualstudio.com/items?itemName=FastAPILabs.fastapi-vscode" class="external-link" target="_blank">official extension for VS Code</a>, which provides a lot of features, including a path operation explorer, path operation search, CodeLens navigation in tests, and FastAPI Cloud deployment and logs — all from your editor.
-
-///
-
-
 ## Advanced User Guide { #advanced-user-guide }
 
 There is also an **Advanced User Guide** that you can read later after this **Tutorial - User guide**.

docs/en/mkdocs.yml

@@ -193,9 +193,7 @@ nav:
     - advanced/generate-clients.md
     - advanced/advanced-python-types.md
     - advanced/json-base64-bytes.md
-    - advanced/strict-content-type.md
   - fastapi-cli.md
-  - editor-support.md
   - Deployment:
     - deployment/index.md
     - deployment/versions.md

docs_src/strict_content_type/tutorial001_py310.py

@@ -1,14 +0,0 @@
-from fastapi import FastAPI
-from pydantic import BaseModel
-
-app = FastAPI(strict_content_type=False)
-
-
-class Item(BaseModel):
-    name: str
-    price: float
-
-
-@app.post("/items/")
-async def create_item(item: Item):
-    return item

fastapi/.agents/skills/fastapi/SKILL.md

@@ -1,614 +0,0 @@
----
-name: fastapi
-description: FastAPI best practices and conventions. Use when working with FastAPI APIs and Pydantic models for them. Keeps FastAPI code clean and up to date with the latest features and patterns, updated with new versions. Write new code or refactor and update old code.
----
-
-# FastAPI
-
-Official FastAPI skill to write code with best practices, keeping up to date with new versions and features.
-
-## Use the `fastapi` CLI
-
-Run the development server on localhost with reload:
-
-```bash
-fastapi dev
-```
-
-
-Run the production server:
-
-```bash
-fastapi run
-```
-
-### Add an entrypoint in `pyproject.toml`
-
-FastAPI CLI will read the entrypoint in `pyproject.toml` to know where the FastAPI app is declared.
-
-```toml
-[tool.fastapi]
-entrypoint = "my_app.main:app"
-```
-
-### Use `fastapi` with a path
-
-When adding the entrypoint to `pyproject.toml` is not possible, or the user explicitly asks not to, or it's running an independent small app, you can pass the app file path to the `fastapi` command:
-
-```bash
-fastapi dev my_app/main.py
-```
-
-Prefer to set the entrypoint in `pyproject.toml` when possible.
-
-## Use `Annotated`
-
-Always prefer the `Annotated` style for parameter and dependency declarations.
-
-It keeps the function signatures working in other contexts, respects the types, allows reusability.
-
-### In Parameter Declarations
-
-Use `Annotated` for parameter declarations, including `Path`, `Query`, `Header`, etc.:
-
-```python
-from typing import Annotated
-
-from fastapi import FastAPI, Path, Query
-
-app = FastAPI()
-
-
-@app.get("/items/{item_id}")
-async def read_item(
-    item_id: Annotated[int, Path(ge=1, description="The item ID")],
-    q: Annotated[str | None, Query(max_length=50)] = None,
-):
-    return {"message": "Hello World"}
-```
-
-instead of:
-
-```python
-# DO NOT DO THIS
-@app.get("/items/{item_id}")
-async def read_item(
-    item_id: int = Path(ge=1, description="The item ID"),
-    q: str | None = Query(default=None, max_length=50),
-):
-    return {"message": "Hello World"}
-```
-
-### For Dependencies
-
-Use `Annotated` for dependencies with `Depends()`.
-
-Unless asked not to, create a new type alias for the dependency to allow re-using it.
-
-```python
-from typing import Annotated
-
-from fastapi import Depends, FastAPI
-
-app = FastAPI()
-
-
-def get_current_user():
-    return {"username": "johndoe"}
-
-
-CurrentUserDep = Annotated[dict, Depends(get_current_user)]
-
-
-@app.get("/items/")
-async def read_item(current_user: CurrentUserDep):
-    return {"message": "Hello World"}
-```
-
-instead of:
-
-```python
-# DO NOT DO THIS
-@app.get("/items/")
-async def read_item(current_user: dict = Depends(get_current_user)):
-    return {"message": "Hello World"}
-```
-
-## Do not use Ellipsis for *path operations* or Pydantic models
-
-Do not use `...` as a default value for required parameters, it's not needed and not recommended.
-
-Do this, without Ellipsis (`...`):
-
-```python
-from typing import Annotated
-
-from fastapi import FastAPI, Query
-from pydantic import BaseModel, Field
-
-
-class Item(BaseModel):
-    name: str
-    description: str | None = None
-    price: float = Field(gt=0)
-
-
-app = FastAPI()
-
-
-@app.post("/items/")
-async def create_item(item: Item, project_id: Annotated[int, Query()]): ...
-```
-
-instead of this:
-
-```python
-# DO NOT DO THIS
-class Item(BaseModel):
-    name: str = ...
-    description: str | None = None
-    price: float = Field(..., gt=0)
-
-
-app = FastAPI()
-
-
-@app.post("/items/")
-async def create_item(item: Item, project_id: Annotated[int, Query(...)]): ...
-```
-
-## Return Type or Response Model
-
-When possible, include a return type. It will be used to validate, filter, document, and serialize the response.
-
-```python
-from fastapi import FastAPI
-from pydantic import BaseModel
-
-app = FastAPI()
-
-
-class Item(BaseModel):
-    name: str
-    description: str | None = None
-
-
-@app.get("/items/me")
-async def get_item() -> Item:
-    return Item(name="Plumbus", description="All-purpose home device")
-```
-
-**Important**: Return types or response models are what filter data ensuring no sensitive information is exposed. And they are used to serialize data with Pydantic (in Rust), this is the main idea that can increase response performance.
-
-The return type doesn't have to be a Pydantic model, it could be a different type, like a list of integers, or a dict, etc.
-
-### When to use `response_model` instead
-
-If the return type is not the same as the type that you want to use to validate, filter, or serialize, use the `response_model` parameter on the decorator instead.
-
-```python
-from typing import Any
-
-from fastapi import FastAPI
-from pydantic import BaseModel
-
-app = FastAPI()
-
-
-class Item(BaseModel):
-    name: str
-    description: str | None = None
-
-
-@app.get("/items/me", response_model=Item)
-async def get_item() -> Any:
-    return {"name": "Foo", "description": "A very nice Item"}
-```
-
-This can be particularly useful when filtering data to expose only the public fields and avoid exposing sensitive information.
-
-```python
-from typing import Any
-
-from fastapi import FastAPI
-from pydantic import BaseModel
-
-app = FastAPI()
-
-
-class InternalItem(BaseModel):
-    name: str
-    description: str | None = None
-    secret_key: str
-
-
-class Item(BaseModel):
-    name: str
-    description: str | None = None
-
-
-@app.get("/items/me", response_model=Item)
-async def get_item() -> Any:
-    item = InternalItem(
-        name="Foo", description="A very nice Item", secret_key="supersecret"
-    )
-    return item
-```
-
-## Performance
-
-Do not use `ORJSONResponse` or `UJSONResponse`, they are deprecated.
-
-Instead, declare a return type or response model. Pydantic will handle the data serialization on the Rust side.
-
-## Including Routers
-
-When declaring routers, prefer to add router level parameters like prefix, tags, etc. to the router itself, instead of in `include_router()`.
-
-Do this:
-
-```python
-from fastapi import APIRouter, FastAPI
-
-app = FastAPI()
-
-router = APIRouter(prefix="/items", tags=["items"])
-
-
-@router.get("/")
-async def list_items():
-    return []
-
-
-# In main.py
-app.include_router(router)
-```
-
-instead of this:
-
-```python
-# DO NOT DO THIS
-from fastapi import APIRouter, FastAPI
-
-app = FastAPI()
-
-router = APIRouter()
-
-
-@router.get("/")
-async def list_items():
-    return []
-
-
-# In main.py
-app.include_router(router, prefix="/items", tags=["items"])
-```
-
-There could be exceptions, but try to follow this convention.
-
-Apply shared dependencies at the router level via `dependencies=[Depends(...)]`.
-
-## Dependency Injection
-
-Use dependencies when:
-
-* They can't be declared in Pydantic validation and require additional logic
-* The logic depends on external resources or could block in any other way
-* Other dependencies need their results (it's a sub-dependency)
-* The logic can be shared by multiple endpoints to do things like error early, authentication, etc.
-* They need to handle cleanup (e.g., DB sessions, file handles), using dependencies with `yield`
-* Their logic needs input data from the request, like headers, query parameters, etc.
-
-### Dependencies with `yield` and `scope`
-
-When using dependencies with `yield`, they can have a `scope` that defines when the exit code is run.
-
-Use the default scope `"request"` to run the exit code after the response is sent back.
-
-```python
-from typing import Annotated
-
-from fastapi import Depends, FastAPI
-
-app = FastAPI()
-
-
-def get_db():
-    db = DBSession()
-    try:
-        yield db
-    finally:
-        db.close()
-
-
-DBDep = Annotated[DBSession, Depends(get_db)]
-
-
-@app.get("/items/")
-async def read_items(db: DBDep):
-    return db.query(Item).all()
-```
-
-Use the scope `"function"` when they should run the exit code after the response data is generated but before the response is sent back to the client.
-
-```python
-from typing import Annotated
-
-from fastapi import Depends, FastAPI
-
-app = FastAPI()
-
-
-def get_username():
-    try:
-        yield "Rick"
-    finally:
-        print("Cleanup up before response is sent")
-
-UserNameDep = Annotated[str, Depends(get_username, scope="function")]
-
-@app.get("/users/me")
-def get_user_me(username: UserNameDep):
-    return username
-```
-
-### Class Dependencies
-
-Avoid creating class dependencies when possible.
-
-If a class is needed, instead create a regular function dependency that returns a class instance.
-
-Do this:
-
-```python
-from dataclasses import dataclass
-from typing import Annotated
-
-from fastapi import Depends, FastAPI
-
-app = FastAPI()
-
-
-@dataclass
-class DatabasePaginator:
-    offset: int = 0
-    limit: int = 100
-    q: str | None = None
-
-    def get_page(self) -> dict:
-        # Simulate a page of data
-        return {
-            "offset": self.offset,
-            "limit": self.limit,
-            "q": self.q,
-            "items": [],
-        }
-
-
-def get_db_paginator(
-    offset: int = 0, limit: int = 100, q: str | None = None
-) -> DatabasePaginator:
-    return DatabasePaginator(offset=offset, limit=limit, q=q)
-
-
-PaginatorDep = Annotated[DatabasePaginator, Depends(get_db_paginator)]
-
-
-@app.get("/items/")
-async def read_items(paginator: PaginatorDep):
-    return paginator.get_page()
-```
-
-instead of this:
-
-```python
-# DO NOT DO THIS
-from typing import Annotated
-
-from fastapi import Depends, FastAPI
-
-app = FastAPI()
-
-
-class DatabasePaginator:
-    def __init__(self, offset: int = 0, limit: int = 100, q: str | None = None):
-        self.offset = offset
-        self.limit = limit
-        self.q = q
-
-    def get_page(self) -> dict:
-        # Simulate a page of data
-        return {
-            "offset": self.offset,
-            "limit": self.limit,
-            "q": self.q,
-            "items": [],
-        }
-
-
-@app.get("/items/")
-async def read_items(paginator: Annotated[DatabasePaginator, Depends()]):
-    return paginator.get_page()
-```
-
-## Async vs Sync *path operations*
-
-Use `async` *path operations* only when fully certain that the logic called inside is compatible with async and await (it's called with `await`) or that doesn't block.
-
-```python
-from fastapi import FastAPI
-
-app = FastAPI()
-
-
-# Use async def when calling async code
-@app.get("/async-items/")
-async def read_async_items():
-    data = await some_async_library.fetch_items()
-    return data
-
-
-# Use plain def when calling blocking/sync code or when in doubt
-@app.get("/items/")
-def read_items():
-    data = some_blocking_library.fetch_items()
-    return data
-```
-
-In case of doubt, or by default, use regular `def` functions, those will be run in a threadpool so they don't block the event loop.
-
-The same rules apply to dependencies.
-
-Make sure blocking code is not run inside of `async` functions. The logic will work, but will damage the performance heavily.
-
-### Asyncer
-
-When needing to run blocking code inside of async functions, or async code inside of blocking functions, suggest using Asyncer.
-
-Install:
-
-```bash
-uv add asyncer
-```
-
-Run blocking sync code inside of async with `asyncify()`:
-
-```python
-from asyncer import asyncify
-from fastapi import FastAPI
-
-app = FastAPI()
-
-
-def do_blocking_work(name: str) -> str:
-    # Some blocking I/O operation
-    return f"Hello {name}"
-
-
-@app.get("/items/")
-async def read_items():
-    result = await asyncify(do_blocking_work)(name="World")
-    return {"message": result}
-```
-
-And run async code inside of blocking sync code with `syncify()`:
-
-```python
-from asyncer import syncify
-from fastapi import FastAPI
-
-app = FastAPI()
-
-
-async def do_async_work(name: str) -> str:
-    return f"Hello {name}"
-
-
-@app.get("/items/")
-def read_items():
-    result = syncify(do_async_work)(name="World")
-    return {"message": result}
-```
-
-## Use uv, ruff, ty
-
-If uv is available, use it to manage dependencies.
-
-If Ruff is available, use it to lint and format the code. Consider enabling the FastAPI rules.
-
-If ty is available, use it to check types.
-
-## SQLModel for SQL databases
-
-When working with SQL databases, prefer using SQLModel as it is integrated with Pydantic and will allow declaring data validation with the same models.
-
-## Do not use Pydantic RootModels
-
-Do not use Pydantic `RootModel`, instead use regular type annotations with `Annotated` and Pydantic validation utilities.
-
-For example, for a list with validations you could do:
-
-```python
-from typing import Annotated
-
-from fastapi import Body, FastAPI
-from pydantic import Field
-
-app = FastAPI()
-
-
-@app.post("/items/")
-async def create_items(items: Annotated[list[int], Field(min_length=1), Body()]):
-    return items
-```
-
-instead of:
-
-```python
-# DO NOT DO THIS
-from typing import Annotated
-
-from fastapi import FastAPI
-from pydantic import Field, RootModel
-
-app = FastAPI()
-
-
-class ItemList(RootModel[Annotated[list[int], Field(min_length=1)]]):
-    pass
-
-
-@app.post("/items/")
-async def create_items(items: ItemList):
-    return items
-
-```
-
-FastAPI supports these type annotations and will create a Pydantic `TypeAdapter` for them, so that types can work as normally and there's no need for the custom logic and types in RootModels.
-
-## Use one HTTP operation per function
-
-Don't mix HTTP operations in a single function, having one function per HTTP operation helps separate concerns and organize the code.
-
-Do this:
-
-```python
-from fastapi import FastAPI
-from pydantic import BaseModel
-
-app = FastAPI()
-
-
-class Item(BaseModel):
-    name: str
-
-
-@app.get("/items/")
-async def list_items():
-    return []
-
-
-@app.post("/items/")
-async def create_item(item: Item):
-    return item
-```
-
-instead of this:
-
-```python
-# DO NOT DO THIS
-from fastapi import FastAPI, Request
-from pydantic import BaseModel
-
-app = FastAPI()
-
-
-class Item(BaseModel):
-    name: str
-
-
-@app.api_route("/items/", methods=["GET", "POST"])
-async def handle_items(request: Request):
-    if request.method == "GET":
-        return []
-```

fastapi/__init__.py

@@ -1,6 +1,6 @@
 """FastAPI framework, high performance, easy to learn, fast to code, ready for production"""
 
-__version__ = "0.133.1"
+__version__ = "0.131.0"
 
 from starlette import status as status
 

fastapi/applications.py

@@ -840,29 +840,6 @@ class FastAPI(Starlette):
                 """
             ),
         ] = None,
-        strict_content_type: Annotated[
-            bool,
-            Doc(
-                """
-                Enable strict checking for request Content-Type headers.
-
-                When `True` (the default), requests with a body that do not include
-                a `Content-Type` header will **not** be parsed as JSON.
-
-                This prevents potential cross-site request forgery (CSRF) attacks
-                that exploit the browser's ability to send requests without a
-                Content-Type header, bypassing CORS preflight checks. In particular
-                applicable for apps that need to be run locally (in localhost).
-
-                When `False`, requests without a `Content-Type` header will have
-                their body parsed as JSON, which maintains compatibility with
-                certain clients that don't send `Content-Type` headers.
-
-                Read more about it in the
-                [FastAPI docs for Strict Content-Type](https://fastapi.tiangolo.com/advanced/strict-content-type/).
-                """
-            ),
-        ] = True,
         **extra: Annotated[
             Any,
             Doc(
@@ -997,7 +974,6 @@ class FastAPI(Starlette):
             include_in_schema=include_in_schema,
             responses=responses,
             generate_unique_id_function=generate_unique_id_function,
-            strict_content_type=strict_content_type,
         )
         self.exception_handlers: dict[
             Any, Callable[[Request, Any], Response | Awaitable[Response]]
@@ -1101,18 +1077,16 @@ class FastAPI(Starlette):
 
     def setup(self) -> None:
         if self.openapi_url:
+            urls = (server_data.get("url") for server_data in self.servers)
+            server_urls = {url for url in urls if url}
 
             async def openapi(req: Request) -> JSONResponse:
                 root_path = req.scope.get("root_path", "").rstrip("/")
-                schema = self.openapi()
-                if root_path and self.root_path_in_servers:
-                    server_urls = {s.get("url") for s in schema.get("servers", [])}
-                    if root_path not in server_urls:
-                        schema = dict(schema)
-                        schema["servers"] = [{"url": root_path}] + schema.get(
-                            "servers", []
-                        )
-                return JSONResponse(schema)
+                if root_path not in server_urls:
+                    if root_path and self.root_path_in_servers:
+                        self.servers.insert(0, {"url": root_path})
+                        server_urls.add(root_path)
+                return JSONResponse(self.openapi())
 
             self.add_route(self.openapi_url, openapi, include_in_schema=False)
         if self.openapi_url and self.docs_url:

fastapi/openapi/docs.py

@@ -5,20 +5,6 @@ from annotated_doc import Doc
 from fastapi.encoders import jsonable_encoder
 from starlette.responses import HTMLResponse
 
-
-def _html_safe_json(value: Any) -> str:
-    """Serialize a value to JSON with HTML special characters escaped.
-
-    This prevents injection when the JSON is embedded inside a <script> tag.
-    """
-    return (
-        json.dumps(value)
-        .replace("<", "\\u003c")
-        .replace(">", "\\u003e")
-        .replace("&", "\\u0026")
-    )
-
-
 swagger_ui_default_parameters: Annotated[
     dict[str, Any],
     Doc(
@@ -169,7 +155,7 @@ def get_swagger_ui_html(
     """
 
     for key, value in current_swagger_ui_parameters.items():
-        html += f"{_html_safe_json(key)}: {_html_safe_json(jsonable_encoder(value))},\n"
+        html += f"{json.dumps(key)}: {json.dumps(jsonable_encoder(value))},\n"
 
     if oauth2_redirect_url:
         html += f"oauth2RedirectUrl: window.location.origin + '{oauth2_redirect_url}',"
@@ -183,7 +169,7 @@ def get_swagger_ui_html(
 
     if init_oauth:
         html += f"""
-        ui.initOAuth({_html_safe_json(jsonable_encoder(init_oauth))})
+        ui.initOAuth({json.dumps(jsonable_encoder(init_oauth))})
         """
 
     html += """

fastapi/routing.py

@@ -329,7 +329,6 @@ def get_request_handler(
     response_model_exclude_none: bool = False,
     dependency_overrides_provider: Any | None = None,
     embed_body_fields: bool = False,
-    strict_content_type: bool | DefaultPlaceholder = Default(True),
 ) -> Callable[[Request], Coroutine[Any, Any, Response]]:
     assert dependant.call is not None, "dependant.call must be a function"
     is_coroutine = dependant.is_coroutine_callable
@@ -338,10 +337,6 @@ def get_request_handler(
         actual_response_class: type[Response] = response_class.value
     else:
         actual_response_class = response_class
-    if isinstance(strict_content_type, DefaultPlaceholder):
-        actual_strict_content_type: bool = strict_content_type.value
-    else:
-        actual_strict_content_type = strict_content_type
 
     async def app(request: Request) -> Response:
         response: Response | None = None
@@ -375,8 +370,7 @@ def get_request_handler(
                         json_body: Any = Undefined
                         content_type_value = request.headers.get("content-type")
                         if not content_type_value:
-                            if not actual_strict_content_type:
-                                json_body = await request.json()
+                            json_body = await request.json()
                         else:
                             message = email.message.Message()
                             message["content-type"] = content_type_value
@@ -605,7 +599,6 @@ class APIRoute(routing.Route):
         openapi_extra: dict[str, Any] | None = None,
         generate_unique_id_function: Callable[["APIRoute"], str]
         | DefaultPlaceholder = Default(generate_unique_id),
-        strict_content_type: bool | DefaultPlaceholder = Default(True),
     ) -> None:
         self.path = path
         self.endpoint = endpoint
@@ -632,7 +625,6 @@ class APIRoute(routing.Route):
         self.callbacks = callbacks
         self.openapi_extra = openapi_extra
         self.generate_unique_id_function = generate_unique_id_function
-        self.strict_content_type = strict_content_type
         self.tags = tags or []
         self.responses = responses or {}
         self.name = get_name(endpoint) if name is None else name
@@ -721,7 +713,6 @@ class APIRoute(routing.Route):
             response_model_exclude_none=self.response_model_exclude_none,
             dependency_overrides_provider=self.dependency_overrides_provider,
             embed_body_fields=self._embed_body_fields,
-            strict_content_type=self.strict_content_type,
         )
 
     def matches(self, scope: Scope) -> tuple[Match, Scope]:
@@ -972,29 +963,6 @@ class APIRouter(routing.Router):
                 """
             ),
         ] = Default(generate_unique_id),
-        strict_content_type: Annotated[
-            bool,
-            Doc(
-                """
-                Enable strict checking for request Content-Type headers.
-
-                When `True` (the default), requests with a body that do not include
-                a `Content-Type` header will **not** be parsed as JSON.
-
-                This prevents potential cross-site request forgery (CSRF) attacks
-                that exploit the browser's ability to send requests without a
-                Content-Type header, bypassing CORS preflight checks. In particular
-                applicable for apps that need to be run locally (in localhost).
-
-                When `False`, requests without a `Content-Type` header will have
-                their body parsed as JSON, which maintains compatibility with
-                certain clients that don't send `Content-Type` headers.
-
-                Read more about it in the
-                [FastAPI docs for Strict Content-Type](https://fastapi.tiangolo.com/advanced/strict-content-type/).
-                """
-            ),
-        ] = Default(True),
     ) -> None:
         # Determine the lifespan context to use
         if lifespan is None:
@@ -1041,7 +1009,6 @@ class APIRouter(routing.Router):
         self.route_class = route_class
         self.default_response_class = default_response_class
         self.generate_unique_id_function = generate_unique_id_function
-        self.strict_content_type = strict_content_type
 
     def route(
         self,
@@ -1092,7 +1059,6 @@ class APIRouter(routing.Router):
         openapi_extra: dict[str, Any] | None = None,
         generate_unique_id_function: Callable[[APIRoute], str]
         | DefaultPlaceholder = Default(generate_unique_id),
-        strict_content_type: bool | DefaultPlaceholder = Default(True),
     ) -> None:
         route_class = route_class_override or self.route_class
         responses = responses or {}
@@ -1139,9 +1105,6 @@ class APIRouter(routing.Router):
             callbacks=current_callbacks,
             openapi_extra=openapi_extra,
             generate_unique_id_function=current_generate_unique_id,
-            strict_content_type=get_value_or_default(
-                strict_content_type, self.strict_content_type
-            ),
         )
         self.routes.append(route)
 
@@ -1517,11 +1480,6 @@ class APIRouter(routing.Router):
                     callbacks=current_callbacks,
                     openapi_extra=route.openapi_extra,
                     generate_unique_id_function=current_generate_unique_id,
-                    strict_content_type=get_value_or_default(
-                        route.strict_content_type,
-                        router.strict_content_type,
-                        self.strict_content_type,
-                    ),
                 )
             elif isinstance(route, routing.Route):
                 methods = list(route.methods or [])

pyproject.toml

@@ -42,7 +42,7 @@ classifiers = [
     "Topic :: Internet :: WWW/HTTP",
 ]
 dependencies = [
-    "starlette>=0.40.0",
+    "starlette>=0.40.0,<1.0.0",
     "pydantic>=2.7.0",
     "typing-extensions>=4.8.0",
     "typing-inspection>=0.4.2",

scripts/tests/test_translation_fixer/conftest.py

@@ -10,17 +10,9 @@ skip_on_windows = pytest.mark.skipif(
 )
 
 
-THIS_DIR = Path(__file__).parent.resolve()
-
-
-def pytest_collection_modifyitems(config, items: list[pytest.Item]) -> None:
-    if sys.platform != "win32":
-        return
-
+def pytest_collection_modifyitems(items: list[pytest.Item]) -> None:
     for item in items:
-        item_path = Path(item.fspath).resolve()
-        if item_path.is_relative_to(THIS_DIR):
-            item.add_marker(skip_on_windows)
+        item.add_marker(skip_on_windows)
 
 
 @pytest.fixture(name="runner")

tests/test_openapi_cache_root_path.py

@@ -1,75 +0,0 @@
-from fastapi import FastAPI
-from fastapi.testclient import TestClient
-
-
-def test_root_path_does_not_persist_across_requests():
-    app = FastAPI()
-
-    @app.get("/")
-    def read_root():  # pragma: no cover
-        return {"ok": True}
-
-    # Attacker request with a spoofed root_path
-    attacker_client = TestClient(app, root_path="/evil-api")
-    response1 = attacker_client.get("/openapi.json")
-    data1 = response1.json()
-    assert any(s.get("url") == "/evil-api" for s in data1.get("servers", []))
-
-    # Subsequent legitimate request with no root_path
-    clean_client = TestClient(app)
-    response2 = clean_client.get("/openapi.json")
-    data2 = response2.json()
-    servers = [s.get("url") for s in data2.get("servers", [])]
-    assert "/evil-api" not in servers
-
-
-def test_multiple_different_root_paths_do_not_accumulate():
-    app = FastAPI()
-
-    @app.get("/")
-    def read_root():  # pragma: no cover
-        return {"ok": True}
-
-    for prefix in ["/path-a", "/path-b", "/path-c"]:
-        c = TestClient(app, root_path=prefix)
-        c.get("/openapi.json")
-
-    # A clean request should not have any of them
-    clean_client = TestClient(app)
-    response = clean_client.get("/openapi.json")
-    data = response.json()
-    servers = [s.get("url") for s in data.get("servers", [])]
-    for prefix in ["/path-a", "/path-b", "/path-c"]:
-        assert prefix not in servers, (
-            f"root_path '{prefix}' leaked into clean request: {servers}"
-        )
-
-
-def test_legitimate_root_path_still_appears():
-    app = FastAPI()
-
-    @app.get("/")
-    def read_root():  # pragma: no cover
-        return {"ok": True}
-
-    client = TestClient(app, root_path="/api/v1")
-    response = client.get("/openapi.json")
-    data = response.json()
-    servers = [s.get("url") for s in data.get("servers", [])]
-    assert "/api/v1" in servers
-
-
-def test_configured_servers_not_mutated():
-    configured_servers = [{"url": "https://prod.example.com"}]
-    app = FastAPI(servers=configured_servers)
-
-    @app.get("/")
-    def read_root():  # pragma: no cover
-        return {"ok": True}
-
-    # Request with a rogue root_path
-    attacker_client = TestClient(app, root_path="/evil")
-    attacker_client.get("/openapi.json")
-
-    # The original servers list must be untouched
-    assert configured_servers == [{"url": "https://prod.example.com"}]

tests/test_strict_content_type_app_level.py

@@ -1,44 +0,0 @@
-from fastapi import FastAPI
-from fastapi.testclient import TestClient
-
-app_default = FastAPI()
-
-
-@app_default.post("/items/")
-async def app_default_post(data: dict):
-    return data
-
-
-app_lax = FastAPI(strict_content_type=False)
-
-
-@app_lax.post("/items/")
-async def app_lax_post(data: dict):
-    return data
-
-
-client_default = TestClient(app_default)
-client_lax = TestClient(app_lax)
-
-
-def test_default_strict_rejects_no_content_type():
-    response = client_default.post("/items/", content='{"key": "value"}')
-    assert response.status_code == 422
-
-
-def test_default_strict_accepts_json_content_type():
-    response = client_default.post("/items/", json={"key": "value"})
-    assert response.status_code == 200
-    assert response.json() == {"key": "value"}
-
-
-def test_lax_accepts_no_content_type():
-    response = client_lax.post("/items/", content='{"key": "value"}')
-    assert response.status_code == 200
-    assert response.json() == {"key": "value"}
-
-
-def test_lax_accepts_json_content_type():
-    response = client_lax.post("/items/", json={"key": "value"})
-    assert response.status_code == 200
-    assert response.json() == {"key": "value"}

tests/test_strict_content_type_nested.py

@@ -1,91 +0,0 @@
-from fastapi import APIRouter, FastAPI
-from fastapi.testclient import TestClient
-
-# Lax app with nested routers, inner overrides to strict
-
-app_nested = FastAPI(strict_content_type=False)  # lax app
-outer_router = APIRouter(prefix="/outer")  # inherits lax from app
-inner_strict = APIRouter(prefix="/strict", strict_content_type=True)
-inner_default = APIRouter(prefix="/default")
-
-
-@inner_strict.post("/items/")
-async def inner_strict_post(data: dict):
-    return data
-
-
-@inner_default.post("/items/")
-async def inner_default_post(data: dict):
-    return data
-
-
-outer_router.include_router(inner_strict)
-outer_router.include_router(inner_default)
-app_nested.include_router(outer_router)
-
-client_nested = TestClient(app_nested)
-
-
-def test_strict_inner_on_lax_app_rejects_no_content_type():
-    response = client_nested.post("/outer/strict/items/", content='{"key": "value"}')
-    assert response.status_code == 422
-
-
-def test_default_inner_inherits_lax_from_app():
-    response = client_nested.post("/outer/default/items/", content='{"key": "value"}')
-    assert response.status_code == 200
-    assert response.json() == {"key": "value"}
-
-
-def test_strict_inner_accepts_json_content_type():
-    response = client_nested.post("/outer/strict/items/", json={"key": "value"})
-    assert response.status_code == 200
-
-
-def test_default_inner_accepts_json_content_type():
-    response = client_nested.post("/outer/default/items/", json={"key": "value"})
-    assert response.status_code == 200
-
-
-# Strict app -> lax outer router -> strict inner router
-
-app_mixed = FastAPI(strict_content_type=True)
-mixed_outer = APIRouter(prefix="/outer", strict_content_type=False)
-mixed_inner = APIRouter(prefix="/inner", strict_content_type=True)
-
-
-@mixed_outer.post("/items/")
-async def mixed_outer_post(data: dict):
-    return data
-
-
-@mixed_inner.post("/items/")
-async def mixed_inner_post(data: dict):
-    return data
-
-
-mixed_outer.include_router(mixed_inner)
-app_mixed.include_router(mixed_outer)
-
-client_mixed = TestClient(app_mixed)
-
-
-def test_lax_outer_on_strict_app_accepts_no_content_type():
-    response = client_mixed.post("/outer/items/", content='{"key": "value"}')
-    assert response.status_code == 200
-    assert response.json() == {"key": "value"}
-
-
-def test_strict_inner_on_lax_outer_rejects_no_content_type():
-    response = client_mixed.post("/outer/inner/items/", content='{"key": "value"}')
-    assert response.status_code == 422
-
-
-def test_lax_outer_accepts_json_content_type():
-    response = client_mixed.post("/outer/items/", json={"key": "value"})
-    assert response.status_code == 200
-
-
-def test_strict_inner_on_lax_outer_accepts_json_content_type():
-    response = client_mixed.post("/outer/inner/items/", json={"key": "value"})
-    assert response.status_code == 200

tests/test_strict_content_type_router_level.py

@@ -1,61 +0,0 @@
-from fastapi import APIRouter, FastAPI
-from fastapi.testclient import TestClient
-
-app = FastAPI()
-
-router_lax = APIRouter(prefix="/lax", strict_content_type=False)
-router_strict = APIRouter(prefix="/strict", strict_content_type=True)
-router_default = APIRouter(prefix="/default")
-
-
-@router_lax.post("/items/")
-async def router_lax_post(data: dict):
-    return data
-
-
-@router_strict.post("/items/")
-async def router_strict_post(data: dict):
-    return data
-
-
-@router_default.post("/items/")
-async def router_default_post(data: dict):
-    return data
-
-
-app.include_router(router_lax)
-app.include_router(router_strict)
-app.include_router(router_default)
-
-client = TestClient(app)
-
-
-def test_lax_router_on_strict_app_accepts_no_content_type():
-    response = client.post("/lax/items/", content='{"key": "value"}')
-    assert response.status_code == 200
-    assert response.json() == {"key": "value"}
-
-
-def test_strict_router_on_strict_app_rejects_no_content_type():
-    response = client.post("/strict/items/", content='{"key": "value"}')
-    assert response.status_code == 422
-
-
-def test_default_router_inherits_strict_from_app():
-    response = client.post("/default/items/", content='{"key": "value"}')
-    assert response.status_code == 422
-
-
-def test_lax_router_accepts_json_content_type():
-    response = client.post("/lax/items/", json={"key": "value"})
-    assert response.status_code == 200
-
-
-def test_strict_router_accepts_json_content_type():
-    response = client.post("/strict/items/", json={"key": "value"})
-    assert response.status_code == 200
-
-
-def test_default_router_accepts_json_content_type():
-    response = client.post("/default/items/", json={"key": "value"})
-    assert response.status_code == 200

tests/test_swagger_ui_escape.py

@@ -1,37 +0,0 @@
-from fastapi.openapi.docs import get_swagger_ui_html
-
-
-def test_init_oauth_html_chars_are_escaped():
-    xss_payload = "Evil</script><script>alert(1)</script>"
-    html = get_swagger_ui_html(
-        openapi_url="/openapi.json",
-        title="Test",
-        init_oauth={"appName": xss_payload},
-    )
-    body = html.body.decode()
-
-    assert "</script><script>" not in body
-    assert "\\u003c/script\\u003e\\u003cscript\\u003e" in body
-
-
-def test_swagger_ui_parameters_html_chars_are_escaped():
-    html = get_swagger_ui_html(
-        openapi_url="/openapi.json",
-        title="Test",
-        swagger_ui_parameters={"customKey": "<img src=x onerror=alert(1)>"},
-    )
-    body = html.body.decode()
-    assert "<img src=x onerror=alert(1)>" not in body
-    assert "\\u003cimg" in body
-
-
-def test_normal_init_oauth_still_works():
-    html = get_swagger_ui_html(
-        openapi_url="/openapi.json",
-        title="Test",
-        init_oauth={"clientId": "my-client", "appName": "My App"},
-    )
-    body = html.body.decode()
-    assert '"clientId": "my-client"' in body
-    assert '"appName": "My App"' in body
-    assert "ui.initOAuth" in body

tests/test_tutorial/test_body/test_tutorial001.py

@@ -189,12 +189,18 @@ def test_geo_json(client: TestClient):
     assert response.status_code == 200, response.text
 
 
-def test_no_content_type_json(client: TestClient):
+def test_no_content_type_is_json(client: TestClient):
     response = client.post(
         "/items/",
         content='{"name": "Foo", "price": 50.5}',
     )
-    assert response.status_code == 422, response.text
+    assert response.status_code == 200, response.text
+    assert response.json() == {
+        "name": "Foo",
+        "description": None,
+        "price": 50.5,
+        "tax": None,
+    }
 
 
 def test_wrong_headers(client: TestClient):

tests/test_tutorial/test_strict_content_type/test_tutorial001.py

@@ -1,43 +0,0 @@
-import importlib
-
-import pytest
-from fastapi.testclient import TestClient
-
-
-@pytest.fixture(
-    name="client",
-    params=[
-        "tutorial001_py310",
-    ],
-)
-def get_client(request: pytest.FixtureRequest):
-    mod = importlib.import_module(f"docs_src.strict_content_type.{request.param}")
-    client = TestClient(mod.app)
-    return client
-
-
-def test_lax_post_without_content_type_is_parsed_as_json(client: TestClient):
-    response = client.post(
-        "/items/",
-        content='{"name": "Foo", "price": 50.5}',
-    )
-    assert response.status_code == 200, response.text
-    assert response.json() == {"name": "Foo", "price": 50.5}
-
-
-def test_lax_post_with_json_content_type(client: TestClient):
-    response = client.post(
-        "/items/",
-        json={"name": "Foo", "price": 50.5},
-    )
-    assert response.status_code == 200, response.text
-    assert response.json() == {"name": "Foo", "price": 50.5}
-
-
-def test_lax_post_with_text_plain_is_still_rejected(client: TestClient):
-    response = client.post(
-        "/items/",
-        content='{"name": "Foo", "price": 50.5}',
-        headers={"Content-Type": "text/plain"},
-    )
-    assert response.status_code == 422, response.text

uv.lock

@@ -1242,7 +1242,7 @@ requires-dist = [
     { name = "python-multipart", marker = "extra == 'standard'", specifier = ">=0.0.18" },
     { name = "python-multipart", marker = "extra == 'standard-no-fastapi-cloud-cli'", specifier = ">=0.0.18" },
     { name = "pyyaml", marker = "extra == 'all'", specifier = ">=5.3.1" },
-    { name = "starlette", specifier = ">=0.40.0" },
+    { name = "starlette", specifier = ">=0.40.0,<1.0.0" },
     { name = "typing-extensions", specifier = ">=4.8.0" },
     { name = "typing-inspection", specifier = ">=0.4.2" },
     { name = "uvicorn", extras = ["standard"], marker = "extra == 'all'", specifier = ">=0.12.0" },
@@ -6000,14 +6000,14 @@ wheels = [
 
 [[package]]
 name = "werkzeug"
-version = "3.1.5"
+version = "3.1.6"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "markupsafe" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/5a/70/1469ef1d3542ae7c2c7b72bd5e3a4e6ee69d7978fa8a3af05a38eca5becf/werkzeug-3.1.5.tar.gz", hash = "sha256:6a548b0e88955dd07ccb25539d7d0cc97417ee9e179677d22c7041c8f078ce67", size = 864754, upload-time = "2026-01-08T17:49:23.247Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/61/f1/ee81806690a87dab5f5653c1f146c92bc066d7f4cebc603ef88eb9e13957/werkzeug-3.1.6.tar.gz", hash = "sha256:210c6bede5a420a913956b4791a7f4d6843a43b6fcee4dfa08a65e93007d0d25", size = 864736, upload-time = "2026-02-19T15:17:18.884Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/ad/e4/8d97cca767bcc1be76d16fb76951608305561c6e056811587f36cb1316a8/werkzeug-3.1.5-py3-none-any.whl", hash = "sha256:5111e36e91086ece91f93268bb39b4a35c1e6f1feac762c9c822ded0a4e322dc", size = 225025, upload-time = "2026-01-08T17:49:21.859Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/ec/d58832f89ede95652fd01f4f24236af7d32b70cab2196dfcc2d2fd13c5c2/werkzeug-3.1.6-py3-none-any.whl", hash = "sha256:7ddf3357bb9564e407607f988f683d72038551200c704012bb9a4c523d42f131", size = 225166, upload-time = "2026-02-19T15:17:17.475Z" },
 ]
 
 [[package]]