Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
Eval summary: 89; 83% (Does it follow best practices?); Impact: 99%; 1.32x average score across 5 eval scenarios; Passed; No known issues.
{
  "instruction": "Validate all user input and limit request body size",
  "relevant_when": "Agent creates or modifies a Go HTTP server, adds route handlers, or processes user input in Go",
  "context": "Every Go HTTP handler that reads user input must validate it before use. Path parameters must be parsed and type-checked (e.g., strconv.Atoi for numeric IDs). Request bodies must be decoded and validated for required fields and length limits. Use http.MaxBytesReader to limit request body size and prevent resource exhaustion.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/go-security-basics/SKILL.md",
      "tile": "tessl-labs/go-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "body-size-limited",
      "rule": "Agent uses http.MaxBytesReader to limit request body size rather than reading unlimited input",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    },
    {
      "name": "path-params-validated",
      "rule": "Agent validates path parameters (e.g., using strconv.Atoi for numeric IDs) and returns 400 for invalid values rather than passing unvalidated input to database queries",
      "relevant_when": "Agent creates route handlers that use path parameters"
    },
    {
      "name": "required-fields-checked",
      "rule": "Agent checks required fields in request bodies are present and non-empty, returning 400 with a descriptive error for missing fields",
      "relevant_when": "Agent creates POST or PATCH route handlers"
    }
  ]
}
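The instruction and its three checklist items, carried through as one small Go handler set: the request body is wrapped in http.MaxBytesReader before decoding, the numeric path parameter goes through strconv.Atoi and anything else gets a 400, and required fields are checked for presence and length with a descriptive error. This is an added example written for this page, not code from the go-security-basics skill or from tessl-labs; the createUserRequest shape, the 64 KiB body limit, the 100- and 254-character field limits and the /users routes are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// maxBodyBytes caps accepted request bodies. 64 KiB is an assumed limit for this
// example; size it to the largest legitimate payload the API expects.
const maxBodyBytes = 64 << 10

// createUserRequest is a constructed request shape used to illustrate validation.
type createUserRequest struct {
	Name  string `json:"name"`
	Email string `json:"email"`
}

// parseID converts a path segment into a positive integer ID, so nothing but a
// plain integer can ever reach a database query.
func parseID(raw string) (int, error) {
	id, err := strconv.Atoi(raw)
	if err != nil || id <= 0 {
		return 0, fmt.Errorf("invalid id %q: must be a positive integer", raw)
	}
	return id, nil
}

// validateCreateUser checks required fields and length limits and returns a
// descriptive error suitable for a 400 response.
func validateCreateUser(req createUserRequest) error {
	name := strings.TrimSpace(req.Name)
	email := strings.TrimSpace(req.Email)
	switch {
	case name == "":
		return errors.New("name is required")
	case len(name) > 100:
		return errors.New("name must be at most 100 characters")
	case email == "":
		return errors.New("email is required")
	case len(email) > 254 || !strings.Contains(email, "@"):
		return errors.New("email must be at most 254 characters and contain '@'")
	}
	return nil
}

// decodeJSONBody wraps the body in http.MaxBytesReader so an oversized payload is
// cut off at the limit, then decodes strictly (unknown fields are rejected).
// It returns the HTTP status the handler should answer with when decoding fails.
func decodeJSONBody(w http.ResponseWriter, r *http.Request, dst any) (int, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(dst); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			return http.StatusRequestEntityTooLarge, fmt.Errorf("request body exceeds %d bytes", tooBig.Limit)
		}
		return http.StatusBadRequest, fmt.Errorf("malformed JSON body: %v", err)
	}
	return http.StatusOK, nil
}

// getUser serves GET /users/{id}; only the validated integer reaches the data
// layer (a placeholder response stands in for the lookup here).
func getUser(w http.ResponseWriter, r *http.Request) {
	id, err := parseID(strings.TrimPrefix(r.URL.Path, "/users/"))
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "user %d\n", id)
}

// createUser serves POST /users: limit the body size, decode, validate, then use.
func createUser(w http.ResponseWriter, r *http.Request) {
	var req createUserRequest
	if status, err := decodeJSONBody(w, r, &req); err != nil {
		http.Error(w, err.Error(), status)
		return
	}
	if err := validateCreateUser(req); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
	fmt.Fprintf(w, "created %s\n", strings.TrimSpace(req.Name))
}

// newRouter wires the handlers; it is returned so tests can drive it with httptest.
func newRouter() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/users", createUser)
	mux.HandleFunc("/users/", getUser)
	return mux
}
```

Serve it with http.ListenAndServe(addr, newRouter()) behind a server that also sets ReadHeaderTimeout and friends. The oversize case is answered with 413 rather than 400 so clients and monitoring can tell a too-large payload from a malformed one; the *http.MaxBytesError type that makes this possible is available from Go 1.19 onward.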