tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

1.32x

Quality

83%

Does it follow best practices?

Impact

99%

1.32x

Average score across 5 eval scenarios

Securityby

Passed

No known issues

name:: go-security-basics
description:: Security defaults that belong in every Go HTTP server from day one. CORS, security headers, rate limiting, input validation, SQL injection prevention, CSRF protection, TLS configuration, secrets management, graceful shutdown, and request timeouts. Apply these whenever you create or modify any Go web service -- do not wait for a security review or explicit request.
keywords:: go security, golang cors, rate limiting, security headers, input validation, go middleware, sql injection, csrf, tls, graceful shutdown, request timeout, secrets, environment variables, rs/cors, x/time/rate, database/sql, go web security, cors middleware, go http server
license:: MIT

Go Security Basics

Name: tessl-labs/go-security-basics
Rating: 89.4 (1 reviews)
Author: tessl-labs

Every Go HTTP server needs these security defaults from day one -- do not wait for a security review to add them. These are not optional hardening steps; they are baseline requirements for any Go web service, the same way you would not ship a car without seatbelts.

When to apply this skill: Every time you create a new Go HTTP server, add routes to an existing one, or refactor a Go web project. Even if the task only asks you to "build a REST API" or "create CRUD endpoints," you MUST include all of these. A Go HTTP server without them is incomplete.

The 10 Things Every Go HTTP Server Needs

CORS middleware -- configured with explicit origins using rs/cors, not a hand-rolled wildcard
Security headers -- X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS
Rate limiting -- per-IP using golang.org/x/time/rate, stricter on auth endpoints
Input validation -- validate all user input before use, reject invalid data with 400
SQL injection prevention -- always use parameterized queries with $1 placeholders, never string concatenation
CSRF protection -- for any endpoint using cookie-based authentication
TLS configuration -- proper TLS 1.2+ config with secure cipher suites
Secrets from environment -- never hardcode secrets, always use os.Getenv
Graceful shutdown -- handle SIGTERM/SIGINT, drain connections before exit
Request timeouts -- read, write, idle timeouts on the server plus per-request context timeouts

These ten items are as fundamental as http.ListenAndServe. If your app starts a server but lacks these, it is not ready for any environment.

1. CORS Middleware (rs/cors)

Use the rs/cors package. Do not hand-roll CORS middleware -- it is easy to get wrong and miss edge cases like preflight caching, credential handling, and header exposure.

go get github.com/rs/cors

WRONG -- wildcard origin allows any site to call your API:

handler := cors.AllowAll().Handler(mux) // Access-Control-Allow-Origin: * -- dangerous

WRONG -- hand-rolled CORS that misses edge cases:

func corsMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Access-Control-Allow-Origin", "*") // Dangerous wildcard
        next.ServeHTTP(w, r)
    })
}

RIGHT -- explicit allowed origins from environment:

import "github.com/rs/cors"

func newCORSMiddleware() *cors.Cors {
    allowedOrigins := strings.Split(os.Getenv("ALLOWED_ORIGINS"), ",")
    if len(allowedOrigins) == 0 || allowedOrigins[0] == "" {
        allowedOrigins = []string{"http://localhost:5173"}
    }
    return cors.New(cors.Options{
        AllowedOrigins:   allowedOrigins,
        AllowedMethods:   []string{"GET", "POST", "PATCH", "DELETE", "OPTIONS"},
        AllowedHeaders:   []string{"Content-Type", "Authorization"},
        AllowCredentials: true, // Only if you use cookies/sessions
        MaxAge:           300,  // Cache preflight for 5 minutes
    })
}

// Usage:
c := newCORSMiddleware()
handler := c.Handler(mux)

Key rules:

Never use cors.AllowAll() or set AllowedOrigins: []string{"*"} in production
Always read allowed origins from environment variables
Set AllowCredentials: true only if you use cookies or Authorization headers
Set MaxAge to reduce preflight request overhead

2. Security Headers Middleware

WRONG -- no security headers at all:

mux := http.NewServeMux()
// Routes defined without any security headers
http.ListenAndServe(":8080", mux)

RIGHT -- security headers middleware before all routes:

func securityHeaders(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Content-Type-Options", "nosniff")
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
        w.Header().Set("X-XSS-Protection", "0") // Disable broken legacy filter
        w.Header().Set("Content-Security-Policy", "default-src 'self'")
        w.Header().Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
        // HSTS -- only set when serving over TLS
        if r.TLS != nil {
            w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
        }
        next.ServeHTTP(w, r)
    })
}

What each header does:

X-Content-Type-Options: nosniff -- prevents MIME-type sniffing
X-Frame-Options: DENY -- prevents clickjacking by blocking iframes
Referrer-Policy -- controls how much URL info is sent to other sites
X-XSS-Protection: 0 -- disables broken legacy XSS filter (modern CSP is better)
Content-Security-Policy -- restricts resource loading origins (prevents XSS)
Permissions-Policy -- restricts browser feature access
Strict-Transport-Security -- enforces HTTPS for future visits

3. Rate Limiting (golang.org/x/time/rate)

go get golang.org/x/time/rate

WRONG -- no rate limiting at all:

mux.HandleFunc("POST /api/auth/login", loginHandler) // Unlimited login attempts

RIGHT -- per-IP rate limiting with cleanup:

import (
    "golang.org/x/time/rate"
    "sync"
    "time"
)

type RateLimiter struct {
    visitors map[string]*visitor
    mu       sync.Mutex
    rate     rate.Limit
    burst    int
}

type visitor struct {
    limiter  *rate.Limiter
    lastSeen time.Time
}

func NewRateLimiter(r rate.Limit, b int) *RateLimiter {
    rl := &RateLimiter{
        visitors: make(map[string]*visitor),
        rate:     r,
        burst:    b,
    }
    go rl.cleanup()
    return rl
}

func (rl *RateLimiter) cleanup() {
    for {
        time.Sleep(time.Minute)
        rl.mu.Lock()
        for ip, v := range rl.visitors {
            if time.Since(v.lastSeen) > 3*time.Minute {
                delete(rl.visitors, ip)
            }
        }
        rl.mu.Unlock()
    }
}

func (rl *RateLimiter) getLimiter(ip string) *rate.Limiter {
    rl.mu.Lock()
    defer rl.mu.Unlock()
    v, exists := rl.visitors[ip]
    if !exists {
        limiter := rate.NewLimiter(rl.rate, rl.burst)
        rl.visitors[ip] = &visitor{limiter: limiter, lastSeen: time.Now()}
        return limiter
    }
    v.lastSeen = time.Now()
    return v.limiter
}

func (rl *RateLimiter) Middleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        ip := r.RemoteAddr
        // Strip port from RemoteAddr
        if host, _, err := net.SplitHostPort(ip); err == nil {
            ip = host
        }
        if !rl.getLimiter(ip).Allow() {
            w.Header().Set("Retry-After", "60")
            http.Error(w, `{"error":{"code":"RATE_LIMITED","message":"Too many requests"}}`, http.StatusTooManyRequests)
            return
        }
        next.ServeHTTP(w, r)
    })
}

Create separate limiters for different endpoint tiers:

// General API: 100 requests/minute, burst 20
apiLimiter := NewRateLimiter(rate.Every(time.Minute/100), 20)

// Auth endpoints: 10 requests/minute, burst 5 (prevent brute force)
authLimiter := NewRateLimiter(rate.Every(time.Minute/10), 5)

mux.Handle("POST /api/auth/login", authLimiter.Middleware(http.HandlerFunc(loginHandler)))
mux.Handle("POST /api/auth/register", authLimiter.Middleware(http.HandlerFunc(registerHandler)))

Always apply a stricter rate limit on auth and mutation endpoints than the general API limit.

4. Input Validation

WRONG -- trusting user input directly:

func getUser(w http.ResponseWriter, r *http.Request) {
    id := r.PathValue("id")
    // Using id without validation -- could be anything
    user, _ := db.Query("SELECT * FROM users WHERE id = " + id) // SQL injection!
}

RIGHT -- validate all input before use:

func getUser(w http.ResponseWriter, r *http.Request) {
    idStr := r.PathValue("id")
    id, err := strconv.Atoi(idStr)
    if err != nil || id <= 0 {
        http.Error(w, `{"error":{"code":"INVALID_PARAM","message":"Invalid user ID"}}`, http.StatusBadRequest)
        return
    }
    // Now use validated id with parameterized query
    row := db.QueryRow("SELECT id, name, email FROM users WHERE id = $1", id)
    // ...
}

func createTask(w http.ResponseWriter, r *http.Request) {
    var req struct {
        Title       string `json:"title"`
        Description string `json:"description"`
    }
    if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
        http.Error(w, `{"error":{"code":"INVALID_JSON","message":"Invalid request body"}}`, http.StatusBadRequest)
        return
    }
    // Validate required fields
    req.Title = strings.TrimSpace(req.Title)
    if req.Title == "" {
        http.Error(w, `{"error":{"code":"VALIDATION_ERROR","message":"title is required"}}`, http.StatusBadRequest)
        return
    }
    if len(req.Title) > 200 {
        http.Error(w, `{"error":{"code":"VALIDATION_ERROR","message":"title must be 200 characters or less"}}`, http.StatusBadRequest)
        return
    }
    // Use validated input...
}

Request Body Size Limit

WRONG -- accepting unlimited body sizes:

json.NewDecoder(r.Body).Decode(&req) // No size limit -- attacker can send gigabytes

RIGHT -- limit request body size:

func maxBodySize(maxBytes int64) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
            next.ServeHTTP(w, r)
        })
    }
}

// Apply 1MB limit to all routes
handler := maxBodySize(1 << 20)(mux)

5. SQL Injection Prevention

This is the single most critical security rule for database access in Go. Always use parameterized queries with database/sql. Never concatenate user input into SQL strings.

WRONG -- string concatenation (SQL injection):

query := "SELECT * FROM users WHERE email = '" + email + "'"
db.Query(query) // Attacker sends: ' OR 1=1 --

query := fmt.Sprintf("SELECT * FROM tasks WHERE user_id = %s", userID)
db.Query(query) // SQL injection via userID

RIGHT -- parameterized queries with $1 placeholders:

// PostgreSQL uses $1, $2, etc.
row := db.QueryRow("SELECT id, name, email FROM users WHERE email = $1", email)

// For INSERT:
_, err := db.Exec(
    "INSERT INTO tasks (title, description, user_id) VALUES ($1, $2, $3)",
    task.Title, task.Description, userID,
)

// For UPDATE:
_, err := db.Exec(
    "UPDATE tasks SET title = $1, completed = $2 WHERE id = $3 AND user_id = $4",
    task.Title, task.Completed, taskID, userID,
)

// For DELETE:
_, err := db.Exec("DELETE FROM tasks WHERE id = $1 AND user_id = $2", taskID, userID)

// For IN clauses, build the placeholder list:
func buildPlaceholders(n int) string {
    placeholders := make([]string, n)
    for i := range placeholders {
        placeholders[i] = fmt.Sprintf("$%d", i+1)
    }
    return strings.Join(placeholders, ", ")
}

For SQLite, use ? instead of $1:

row := db.QueryRow("SELECT id, name FROM users WHERE id = ?", id)

Rules:

ALWAYS use $1, $2, etc. (PostgreSQL) or ? (SQLite/MySQL) for ALL user-supplied values
NEVER use fmt.Sprintf, +, or strings.Builder to build SQL with user input
NEVER interpolate user input into ORDER BY, LIMIT, or table names -- whitelist these values

6. CSRF Protection for Cookie-Based Auth

If your API uses cookies for authentication (sessions, JWTs in cookies), you need CSRF protection. Token-only APIs (Authorization: Bearer) do not need CSRF.

RIGHT -- CSRF token middleware for cookie-based auth:

import "crypto/rand"

func generateCSRFToken() (string, error) {
    b := make([]byte, 32)
    _, err := rand.Read(b)
    if err != nil {
        return "", err
    }
    return base64.URLEncoding.EncodeToString(b), nil
}

func csrfMiddleware(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        if r.Method == "GET" || r.Method == "HEAD" || r.Method == "OPTIONS" {
            next.ServeHTTP(w, r)
            return
        }
        // Validate CSRF token on state-changing requests
        cookie, err := r.Cookie("csrf_token")
        if err != nil {
            http.Error(w, `{"error":{"code":"CSRF_ERROR","message":"Missing CSRF token"}}`, http.StatusForbidden)
            return
        }
        headerToken := r.Header.Get("X-CSRF-Token")
        if headerToken == "" || headerToken != cookie.Value {
            http.Error(w, `{"error":{"code":"CSRF_ERROR","message":"Invalid CSRF token"}}`, http.StatusForbidden)
            return
        }
        next.ServeHTTP(w, r)
    })
}

Also set SameSite=Lax on all session cookies:

http.SetCookie(w, &http.Cookie{
    Name:     "session",
    Value:    sessionID,
    HttpOnly: true,
    Secure:   true,           // HTTPS only
    SameSite: http.SameSiteLaxMode,
    Path:     "/",
    MaxAge:   86400,          // 24 hours
})

7. TLS Configuration

WRONG -- using default TLS config or old TLS versions:

http.ListenAndServeTLS(":443", "cert.pem", "key.pem", handler) // Default TLS config allows TLS 1.0

RIGHT -- configure TLS 1.2+ with secure defaults:

import "crypto/tls"

srv := &http.Server{
    Addr:    ":443",
    Handler: handler,
    TLSConfig: &tls.Config{
        MinVersion: tls.VersionTLS12,
        CurvePreferences: []tls.CurveID{
            tls.CurveP256,
            tls.X25519,
        },
        CipherSuites: []uint16{
            tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
            tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
            tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
            tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
        },
    },
}
srv.ListenAndServeTLS("cert.pem", "key.pem")

For development, use http.ListenAndServe (no TLS), but always structure your code so TLS config is easy to enable:

if os.Getenv("TLS_CERT") != "" {
    srv.ListenAndServeTLS(os.Getenv("TLS_CERT"), os.Getenv("TLS_KEY"))
} else {
    srv.ListenAndServe()
}

8. Secrets from Environment

WRONG -- hardcoded secrets:

const jwtSecret = "my-secret-key"    // Hardcoded in source
const dbPassword = "password123"      // Will end up in version control

db, _ := sql.Open("postgres", "postgres://user:password123@localhost/mydb")

RIGHT -- always read secrets from environment variables:

func mustGetEnv(key string) string {
    val := os.Getenv(key)
    if val == "" {
        log.Fatalf("required environment variable %s is not set", key)
    }
    return val
}

// Usage
jwtSecret := mustGetEnv("JWT_SECRET")
dbURL := mustGetEnv("DATABASE_URL")

db, err := sql.Open("postgres", dbURL)

Rules:

NEVER hardcode passwords, API keys, JWT secrets, or database URLs in source code
Use os.Getenv or a config library to read them from the environment
Fail fast at startup if required secrets are missing
Use a .env file for local development (with .env in .gitignore)

9. Graceful Shutdown

WRONG -- hard exit that drops in-flight requests:

log.Fatal(http.ListenAndServe(":8080", handler)) // Ctrl+C kills all connections instantly

RIGHT -- graceful shutdown that drains connections:

import (
    "context"
    "os"
    "os/signal"
    "syscall"
    "time"
)

func main() {
    // ... setup handler ...

    srv := &http.Server{
        Addr:    ":" + getEnvOrDefault("PORT", "8080"),
        Handler: handler,
    }

    // Start server in a goroutine
    go func() {
        log.Printf("Server starting on %s", srv.Addr)
        if err := srv.ListenAndServe(); err != http.ErrServerClosed {
            log.Fatalf("Server error: %v", err)
        }
    }()

    // Wait for shutdown signal
    quit := make(chan os.Signal, 1)
    signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
    <-quit
    log.Println("Shutting down server...")

    // Give in-flight requests time to complete
    ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
    defer cancel()
    if err := srv.Shutdown(ctx); err != nil {
        log.Fatalf("Forced shutdown: %v", err)
    }
    log.Println("Server stopped gracefully")
}

10. Request Timeouts

WRONG -- no timeouts (slow clients can hold connections forever):

srv := &http.Server{Addr: ":8080", Handler: handler}
srv.ListenAndServe() // No timeouts -- Slowloris attacks, resource exhaustion

RIGHT -- set read, write, and idle timeouts on the server:

srv := &http.Server{
    Addr:         ":8080",
    Handler:      handler,
    ReadTimeout:  5 * time.Second,   // Max time to read request headers + body
    WriteTimeout: 10 * time.Second,  // Max time to write response
    IdleTimeout:  120 * time.Second, // Max time for keep-alive connections
}

RIGHT -- per-request context timeout middleware:

func requestTimeout(timeout time.Duration) func(http.Handler) http.Handler {
    return func(next http.Handler) http.Handler {
        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
            ctx, cancel := context.WithTimeout(r.Context(), timeout)
            defer cancel()
            next.ServeHTTP(w, r.WithContext(ctx))
        })
    }
}

// Usage: 30-second timeout per request
handler := requestTimeout(30 * time.Second)(mux)

Pass the context to all downstream calls (database queries, HTTP clients):

row := db.QueryRowContext(r.Context(), "SELECT id, name FROM users WHERE id = $1", id)

Middleware Wiring Order

The order middleware is registered matters. Security middleware MUST come first.

mux := http.NewServeMux()

// Register routes on mux...
mux.HandleFunc("GET /api/tasks", listTasks)
mux.HandleFunc("POST /api/tasks", createTask)
mux.HandleFunc("GET /api/tasks/{id}", getTask)
mux.HandleFunc("PATCH /api/tasks/{id}", updateTask)
mux.HandleFunc("DELETE /api/tasks/{id}", deleteTask)

// Wrap with middleware (outermost runs first):
c := newCORSMiddleware()
handler := recoveryMiddleware(
    securityHeaders(
        c.Handler(
            apiLimiter.Middleware(
                requestTimeout(30*time.Second)(
                    maxBodySize(1<<20)(mux),
                ),
            ),
        ),
    ),
)

srv := &http.Server{
    Addr:         ":" + getEnvOrDefault("PORT", "8080"),
    Handler:      handler,
    ReadTimeout:  5 * time.Second,
    WriteTimeout: 10 * time.Second,
    IdleTimeout:  120 * time.Second,
}

Checklist -- Apply to Every Go HTTP Server

This is not a "production checklist." These belong in every Go HTTP server from the start:

If the task says "build a REST API" or "create CRUD endpoints" and does not mention security, you still add all of the above. Security middleware is not a feature request -- it is part of building a Go HTTP server correctly.

Verifiers

cors-configured -- CORS with rs/cors and explicit origins on every Go HTTP server
security-headers -- Security headers middleware on every Go HTTP server
rate-limiting -- Rate limiting with x/time/rate on every Go HTTP server
input-validation -- Input validation and body size limits on every Go HTTP server
sql-injection-prevention -- Parameterized SQL queries on every Go HTTP server
secrets-from-env -- Secrets from environment variables on every Go HTTP server
graceful-shutdown -- Graceful shutdown on every Go HTTP server
server-timeouts -- Server and request timeouts on every Go HTTP server