Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
Overall score: 89
Does it follow best practices? 83%
Impact: 99%
1.32x average score across 5 eval scenarios
Passed, no known issues
{
"instruction": "Add per-IP rate limiting using golang.org/x/time/rate to all API endpoints",
"relevant_when": "Agent creates or modifies a Go HTTP server, adds routes to a Go web service, or sets up a Go API project",
"context": "Every Go HTTP server must have rate limiting to prevent brute force attacks and abuse. Use golang.org/x/time/rate for per-IP rate limiting. Apply a general rate limit on all API routes and stricter limits on auth and mutation endpoints. Include cleanup of stale visitor entries to prevent memory leaks.",
"sources": [
{
"type": "file",
"filename": "skills/go-security-basics/SKILL.md",
"tile": "tessl-labs/go-security-basics@0.2.0"
}
],
"checklist": [
{
"name": "rate-limiter-package",
"rule": "Agent imports golang.org/x/time/rate for rate limiting",
"relevant_when": "Agent creates or modifies a Go HTTP server"
},
{
"name": "rate-limit-middleware",
"rule": "Agent applies rate limiting middleware to API routes that returns HTTP 429 when the limit is exceeded",
"relevant_when": "Agent creates or modifies a Go HTTP server"
},
{
"name": "per-ip-tracking",
"rule": "Agent implements per-IP rate limiting (not global) by tracking visitors based on their IP address",
"relevant_when": "Agent creates or modifies a Go HTTP server"
},
{
"name": "auth-rate-limit-stricter",
"rule": "Agent applies a stricter rate limit to authentication endpoints (login, register) with lower request limits than the general API limiter",
"relevant_when": "Agent creates authentication routes in a Go HTTP server"
}
]
}
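What the checklist above asks for, as an added example written for this page (it is not the skill's own code and not the Tessl reference implementation): a per-IP limiter keyed on the client address, a middleware that answers 429 with a Retry-After header, a general limit on everything under /api/ with a much stricter one stacked on the login route, and an eviction pass so the visitor map cannot grow without bound. The route paths, the numbers (10 req/s burst 20 for the API, 1 req/s burst 5 for login, 3-minute idle TTL) and the helper names NewIPRateLimiter, Hit and DemoCleanup are assumptions chosen for illustration. One deliberate substitution: the `bucket` type is a few-line stand-in with the same Allow semantics as rate.Limiter so the file runs without fetching golang.org/x/time/rate; in a real server replace it with rate.NewLimiter(rate.Limit(r), b) as the checklist requires.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// bucket is a stand-in for rate.Limiter (golang.org/x/time/rate) so this file
// runs offline. Same Allow semantics: refill r tokens/s, capped at burst b.
type bucket struct {
	mu           sync.Mutex
	r, b, tokens float64
	last         time.Time
}

func (bk *bucket) allow(now time.Time) bool {
	bk.mu.Lock()
	defer bk.mu.Unlock()
	if d := now.Sub(bk.last).Seconds(); d > 0 {
		bk.tokens += d * bk.r
		if bk.tokens > bk.b {
			bk.tokens = bk.b
		}
		bk.last = now
	}
	if bk.tokens < 1 {
		return false
	}
	bk.tokens--
	return true
}

type visitor struct {
	lim      *bucket
	lastSeen time.Time
}

// IPRateLimiter holds one limiter per client IP plus when it was last seen,
// so idle entries can be evicted instead of leaking for the server's lifetime.
type IPRateLimiter struct {
	mu       sync.Mutex
	visitors map[string]*visitor
	r        float64
	b        int
	ttl      time.Duration
	now      func() time.Time // injectable clock; time.Now in production
}

func NewIPRateLimiter(r float64, burst int, ttl time.Duration) *IPRateLimiter {
	return &IPRateLimiter{visitors: map[string]*visitor{}, r: r, b: burst, ttl: ttl, now: time.Now}
}

func (l *IPRateLimiter) Allow(ip string) bool {
	now := l.now()
	l.mu.Lock()
	v, ok := l.visitors[ip]
	if !ok {
		v = &visitor{lim: &bucket{r: l.r, b: float64(l.b), tokens: float64(l.b), last: now}}
		l.visitors[ip] = v
	}
	v.lastSeen = now
	l.mu.Unlock()
	return v.lim.allow(now)
}

// Cleanup evicts visitors idle longer than ttl; run it from a ticker goroutine.
func (l *IPRateLimiter) Cleanup() (removed int) {
	now := l.now()
	l.mu.Lock()
	defer l.mu.Unlock()
	for ip, v := range l.visitors {
		if now.Sub(v.lastSeen) > l.ttl {
			delete(l.visitors, ip)
			removed++
		}
	}
	return removed
}

// clientIP keys on the TCP peer, not X-Forwarded-For: that header is attacker
// controlled unless a trusted proxy overwrites it, and honouring it blindly lets a
// client claim a fresh IP per request and bypass the limit entirely.
func clientIP(r *http.Request) string {
	if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
		return host
	}
	return r.RemoteAddr
}

func (l *IPRateLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !l.Allow(clientIP(r)) {
			w.Header().Set("Retry-After", "1")
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter: general limit on all of /api/, stricter limit stacked on login.
func NewRouter() http.Handler {
	general := NewIPRateLimiter(10, 20, 3*time.Minute)
	auth := NewIPRateLimiter(1, 5, 3*time.Minute)
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/api/login", auth.Middleware(okHandler))
	mux.Handle("/api/", okHandler)
	return general.Middleware(mux)
}

// Hit sends n requests to path from addr and counts 200 vs 429 responses.
func Hit(h http.Handler, path, addr string, n int) (allowed, limited int) {
	for i := 0; i < n; i++ {
		req := httptest.NewRequest(http.MethodPost, path, nil)
		req.RemoteAddr = addr
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		switch rec.Code {
		case http.StatusOK:
			allowed++
		case http.StatusTooManyRequests:
			limited++
		}
	}
	return allowed, limited
}

// DemoCleanup: two visitors, one idle past the TTL, then one eviction pass.
func DemoCleanup() (removed, remaining int) {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := base
	l := NewIPRateLimiter(1, 1, time.Minute)
	l.now = func() time.Time { return clock }
	l.Allow("198.51.100.1")
	clock = base.Add(2 * time.Minute)
	l.Allow("198.51.100.2")
	removed = l.Cleanup()
	return removed, len(l.visitors)
}

func main() {
	h := NewRouter()
	fmt.Println(Hit(h, "/api/login", "203.0.113.5:4000", 8))
	fmt.Println(Hit(h, "/api/items", "203.0.113.6:4000", 25))
	fmt.Println(DemoCleanup())
}
```

Because the general limiter wraps the whole mux, a login request is charged against both buckets; eight rapid login attempts from one address yield five 200s and three 429s while the same address still has API budget left, and a different address is unaffected. Two caveats worth carrying into real code: RemoteAddr is only meaningful when Go terminates the client connection (behind a load balancer, take the address from the proxy's trusted header instead of the raw one), and the cleanup pass needs a goroutine with a time.Ticker, which this example drives with a fake clock instead.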