tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

89 / 1.32x

Quality: 83% (does it follow best practices?)
Impact: 99% (average score across 5 eval scenarios)
Security (by Snyk): Passed, no known issues


verifiers/cors-configured.json

{
  "instruction": "Configure CORS with rs/cors package using explicit allowed origins, not wildcard",
  "relevant_when": "Agent creates or modifies a Go HTTP server, adds routes to a Go web service, or sets up a Go API project",
  "context": "Go's net/http has no built-in CORS handling. Use the rs/cors package (github.com/rs/cors) with explicit allowed origins from environment variables. Never use cors.AllowAll() or AllowedOrigins: []string{\"*\"} in production. Hand-rolled CORS middleware is error-prone and misses edge cases like preflight caching and credential handling.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/go-security-basics/SKILL.md",
      "tile": "tessl-labs/go-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "cors-package-used",
      "rule": "Agent imports and uses github.com/rs/cors for CORS handling rather than hand-rolling CORS headers",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    },
    {
      "name": "cors-not-wildcard",
      "rule": "Agent does not use cors.AllowAll() or set AllowedOrigins to []string{\"*\"} in production configuration",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    },
    {
      "name": "cors-explicit-origins",
      "rule": "Agent configures CORS with specific allowed origins read from environment variables (e.g., os.Getenv(\"ALLOWED_ORIGINS\"))",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    },
    {
      "name": "cors-methods-restricted",
      "rule": "Agent specifies AllowedMethods with specific HTTP methods rather than allowing all methods",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    }
  ]
}
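The verifier above checks for explicit origins read from ALLOWED_ORIGINS, no wildcard, and restricted AllowedMethods, but it does not show what a safe loader for that variable looks like. The following is an added example, not code from the tessl-labs skill or from rs/cors. It is deliberately kept to the standard library so it builds without fetching the module: parseAllowedOrigins produces the slice you hand to cors.Options.AllowedOrigins, and the local CORSConfig type (an assumption of this example, named to mirror the cors.Options fields it feeds) collects the full configuration that the real server copies into cors.New(cors.Options{...}).Handler(mux). The loader fails closed: an empty variable, a bare "*", or an entry that is not scheme://host[:port] aborts startup instead of silently widening the allowlist. Rejecting every "*" is stricter than rs/cors itself, which accepts a single embedded wildcard per origin; that strictness is a choice of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// parseAllowedOrigins turns the comma-separated ALLOWED_ORIGINS value into the
// slice passed to cors.Options.AllowedOrigins. It fails closed: an empty value,
// any wildcard, or an entry that is not scheme://host[:port] is an error, so a
// misconfigured deployment refuses to start rather than allowing every origin.
func parseAllowedOrigins(raw string) ([]string, error) {
	if strings.TrimSpace(raw) == "" {
		return nil, errors.New("ALLOWED_ORIGINS is empty; refusing to start without an explicit allowlist")
	}
	seen := make(map[string]bool)
	var origins []string
	for _, item := range strings.Split(raw, ",") {
		o := strings.TrimSpace(item)
		if o == "" {
			continue // tolerate a trailing comma
		}
		if strings.Contains(o, "*") {
			return nil, fmt.Errorf("origin %q contains a wildcard; list concrete origins instead", o)
		}
		u, err := url.Parse(o)
		if err != nil {
			return nil, fmt.Errorf("origin %q is not a valid URL: %w", o, err)
		}
		if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return nil, fmt.Errorf("origin %q must be http(s)://host[:port]", o)
		}
		// A browser Origin header never carries a path, query, fragment or
		// userinfo. An entry like "https://app.example.com/" would never match
		// the exact comparison rs/cors performs, so reject it loudly.
		if u.Path != "" || u.RawQuery != "" || u.Fragment != "" || u.User != nil {
			return nil, fmt.Errorf("origin %q must not carry a path, query, fragment or userinfo", o)
		}
		// Normalize scheme and host to lowercase so duplicates are detected
		// and the list stays canonical.
		norm := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
		if seen[norm] {
			continue
		}
		seen[norm] = true
		origins = append(origins, norm)
	}
	if len(origins) == 0 {
		return nil, errors.New("ALLOWED_ORIGINS contains no usable origin")
	}
	return origins, nil
}

// CORSConfig is a local type of this example (an assumption, not an rs/cors
// type) whose fields mirror the cors.Options fields set below. In the server it
// is copied field-for-field into cors.Options and wrapped around the mux with
// cors.New(opts).Handler(mux).
type CORSConfig struct {
	AllowedOrigins   []string
	AllowedMethods   []string
	AllowedHeaders   []string
	AllowCredentials bool
	MaxAge           int
}

// corsConfigFromEnv builds the configuration from an env lookup function
// (os.Getenv in production, a stub in tests).
func corsConfigFromEnv(getenv func(string) string) (CORSConfig, error) {
	origins, err := parseAllowedOrigins(getenv("ALLOWED_ORIGINS"))
	if err != nil {
		return CORSConfig{}, err
	}
	return CORSConfig{
		AllowedOrigins:   origins,
		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE"}, // explicit, never "*"
		AllowedHeaders:   []string{"Authorization", "Content-Type"},
		AllowCredentials: true, // only safe because origins are explicit
		MaxAge:           600,  // seconds the browser may cache the preflight
	}, nil
}

func main() {
	cfg, err := corsConfigFromEnv(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cors:", err)
		os.Exit(1)
	}
	fmt.Printf("allowed origins: %v\n", cfg.AllowedOrigins)
}
```

Run with ALLOWED_ORIGINS="https://app.example.com,http://localhost:3000" for a local setup; with the variable unset the process exits non-zero, which is the behaviour you want from a misconfigured deployment.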
