From 4bb328020098033642408c97e151e040b2543225 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sebasti=C3=A1n=20Ram=C3=ADrez?= Date: Wed, 20 May 2026 18:05:12 +0200 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Update=20security?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SECURITY.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 08e9ac0eed..8dfe393363 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -44,6 +44,18 @@ Please restrain from publicly discussing a potential security vulnerability. It's better to discuss privately and try to find a solution first, to limit the potential impact as much as possible. +## How FastAPI Handles Security + +If you are wondering, we implement security best practices in how the repository is handled, including: + +* Protected branches with required checks. +* MFA required for team members. +* Packages published via trusted publishing. +* Sha-pinned GitHub Actions. +* No GitHub Actions' workflows combining `pull_request_target` and `actions/checkout`. +* Automated dependency PR updates, with a cool down period. +* etc. + --- Thanks for your help!
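Review bot: The new list in the `## How FastAPI Handles Security` section should not end with `* etc.`; readers of a SECURITY.md use these bullets to judge which controls are actually enforced, so an open-ended item weakens the concrete claims above it. Drop it, or replace it with the specific control you have in mind. In the same hunk, `Sha-pinned GitHub Actions.` should read `SHA-pinned GitHub Actions.`, `GitHub Actions' workflows` should drop the apostrophe (`GitHub Actions workflows`), and `cool down period` should be `cooldown period`. The `pull_request_target` bullet would be more precise as `No GitHub Actions workflows combining \`pull_request_target\` with a checkout of the pull request's head ref.`, since as written it also rules out harmless uses of `actions/checkout` that only check out the base branch.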