

The Python Software Foundation's mission is to advance open source technology related to the Python programming language. Python is consistently ranked one of the most important programming languages and has one of the largest communities of active developers. PSF supports and maintains Python documentation and the Python Package Index (PyPI), a repository of software for the Python programming language, and produces PyCon US, the largest annual gathering for the Python community. PyPI serves nearly 800,000 users, providing access and support for 500,000 projects, and more than 5.3 million releases and 10 million files.

python.org
Industry: Nonprofit
Location: North America
Customer since: 2013


Favorite features
Next-Gen WAF
Observability
Real Time Purging



A Decade Strong: How PSF and Fastly Secure Python’s Community and Ecosystem


The challenge


Mike Fiedler serves as the Python Package Index (PyPI) Safety and Security Engineer at the Python Software Foundation (PSF), a nonprofit organization whose mission is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. PyPI sustains an average of 100,000 requests per second continuously, so the service must maintain availability for legitimate users while defending against increasingly sophisticated threats. The small infrastructure team needed visibility into attack patterns, including account registration abuse, account takeover attempts, and automated scraping tools that overload their systems. As supply chain attacks become more prevalent across the industry, protecting package maintainers and popular packages from compromise has become critical.


The solution


Fastly has supported PyPI for over a decade, predating the formal creation of the Fast Forward program that now provides services to open-source projects and nonprofits. "Fastly has been a savior for the main package service, PyPI," Fiedler said. The partnership allows PyPI to manage massive traffic volumes while maintaining the open, accessible service the Python community depends on. With Fastly handling approximately 100,000 requests per second and achieving a 98 to 99% cache hit rate, the backend only processes 500 to 1,000 requests per second. This seamless traffic handling pairs with Fastly's Next-Gen WAF, which protects PyPI from potential security threats without compromising performance or accessibility. "We could not sustain the amount of load that we get as a service all the way to our back end without a significant increase in cost," Fiedler explained.


Real-time purging for rapidly changing content


PyPI's architecture requires a delicate balance between caching efficiency and content freshness. The service needs to cache extensively to handle the traffic volume, but must deliver updated information immediately after maintainers upload packages. "We want to cache everything, but have almost no tolerance for serving stale data," Fiedler noted. Fastly's ability to issue purges across the ecosystem within milliseconds enables PyPI to maintain both performance and accuracy. "No other CDN out there has been able to do something like that," he said. This capability is particularly critical for a service where developers depend on accessing the latest package versions immediately after release.
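The trade-off described above, caching everything while serving nothing stale, is usually solved with tag-based (surrogate-key) invalidation: every cached view of a project is tagged with that project's key, and an upload purges the key rather than waiting for a TTL to expire. The following is an added illustration, not PyPI's or Fastly's own code; the `/simple/<project>/` path layout, the `project/<name>` tag names, and the request mix are constructed assumptions.

```python
"""Toy model of surrogate-key cache purging in front of a package index.

Added example, not PyPI or Fastly code. Path layout, tag names and
traffic numbers are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Origin:
    """Stand-in for the index backend; every render() call is backend load."""
    releases: dict[str, list[str]]
    hits: int = 0

    def render(self, path: str) -> tuple[str, set[str]]:
        """Return (body, surrogate keys) for a hypothetical /simple/<project>/ page."""
        self.hits += 1
        project = path.strip("/").split("/")[-1]
        body = "\n".join(self.releases.get(project, []))
        # Tag the response with its project key so a single purge
        # invalidates every cached copy that depends on this project.
        return body, {f"project/{project}"}


class EdgeCache:
    """Minimal edge cache with purge-by-key semantics."""

    def __init__(self, origin: Origin) -> None:
        self.origin = origin
        self.objects: dict[str, str] = {}
        self.keys_to_paths: dict[str, set[str]] = {}
        self.requests = 0
        self.cache_hits = 0

    def get(self, path: str) -> str:
        self.requests += 1
        if path in self.objects:
            self.cache_hits += 1
            return self.objects[path]
        body, keys = self.origin.render(path)
        self.objects[path] = body
        for key in keys:
            self.keys_to_paths.setdefault(key, set()).add(path)
        return body

    def purge_key(self, key: str) -> int:
        """Drop every object tagged with key; returns how many were purged."""
        paths = self.keys_to_paths.pop(key, set())
        for path in paths:
            self.objects.pop(path, None)
        return len(paths)

    def hit_rate(self) -> float:
        return self.cache_hits / self.requests if self.requests else 0.0


def upload_release(origin: Origin, cache: EdgeCache, project: str, version: str) -> int:
    """Maintainer upload: write to the origin, then purge so no stale index is served."""
    origin.releases.setdefault(project, []).append(version)
    return cache.purge_key(f"project/{project}")


def simulate() -> dict:
    """Constructed traffic: many index fetches, one upload, one fetch afterwards."""
    origin = Origin({"requests": ["2.31.0"]})
    cache = EdgeCache(origin)
    for _ in range(1000):            # first fetch misses, the rest are edge hits
        cache.get("/simple/requests/")
    before = cache.get("/simple/requests/")
    purged = upload_release(origin, cache, "requests", "2.32.0")
    after = cache.get("/simple/requests/")  # first fetch after purge goes to origin
    return {
        "purged": purged,
        "before": before.splitlines(),
        "after": after.splitlines(),
        "origin_hits": origin.hits,
        "hit_rate": round(cache.hit_rate(), 4),
    }


if __name__ == "__main__":
    print(simulate())
```

The origin answers only twice across 1,002 requests (once to fill the cache, once after the purge), yet the fetch immediately following the upload already lists the new release. Without the purge, the same cache would keep serving the pre-upload index for as long as its TTL allowed, which is the stale-data tolerance the passage rules out.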


Filtering unwanted traffic without blocking legitimate users


As PyPI's security posture evolved, including the implementation of mandatory two-factor authentication, attack patterns shifted but persisted. The integration of Fastly's Next-Generation Web Application Firewall became essential for filtering unwanted traffic. "We've started onboarding the Next-Generation Web Application Firewall and have been using it to shed traffic that we don't necessarily want. That might be attackers, that might be bots," Fiedler said. The team deployed Dynamic Challenges, an adaptive security feature that allows Fastly to automatically choose the most appropriate client challenge based on the situation, including Private Access Tokens (PATs), non-interactive challenges, and interactive challenges if suspicious activity is detected during the initial check. This approach helps distinguish human users from automated scripts without disrupting legitimate access. "If you behave like a human, we trust you as a human. But if you don't behave like a human, we don't want those interactions on our platform at the frequency that a lot of systems are hitting us with," he added. The WAF's observability tools help the team determine whether attacks are persisting or if protections can be eased.


Preparing for supply chain security threats


Looking ahead, Fiedler identified supply chain attacks as the single biggest security challenge for PyPI. "We've seen supply chain attacks on the rise across the industry, and it's not specific to Python or any other language ecosystem. Attackers are out there looking for the goods that we have because we are very popular and widely used," he explained. The team anticipates increased attempts to compromise popular packages and their maintainers. While they expect these threats to manifest, Fastly has them covered with robust protection features. Using information signals from Fastly's WAF observability, they detect account takeover attempts and registration fraud. The small infrastructure team is planning to integrate these security signals into their backend monitoring system, enabling closer-to-real-time responses to emerging threats.


Key takeaway


For Fiedler, working on PyPI represents a rare opportunity to contribute to open-source software at a meaningful scale. "I think that I am one of the few people who gets to work on open source as my full time job," he said. "After 30 years in the industry, I now have the ability to give back in a manner that is both meaningful and impactful to the end user community." While combating malicious actors can be frustrating, it serves as motivation to develop new approaches to security challenges. With Fastly's Fast Forward infrastructure support, PyPI maintains the open, free access the Python community expects while protecting the integrity of the package ecosystem that millions of developers rely on daily.


"Fastly’s ability to issue purges across the ecosystem within milliseconds allows PyPI to maintain both performance and accuracy. No other CDN has been able to match that capability."

Mike Fiedler
Python Package Index (PyPI) Safety and Security Engineer

