
tessl-labs/go-security-basics

Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.

89

Quality: 83% (Does it follow best practices?)
Impact: 99% (1.32x; average score across 5 eval scenarios)
Security (by Snyk): Passed, no known issues


Evaluation results

Cross-Origin API for a React Dashboard
CORS and security headers middleware
Scenario scores: 100% / 37%

| Criteria | Without context | With context |
|---|---|---|
| rs/cors package used | 0% | 100% |
| No wildcard origins | 100% | 100% |
| Origins from environment | 100% | 100% |
| MaxAge configured | 50% | 100% |
| X-Content-Type-Options header | 100% | 100% |
| X-Frame-Options header | 100% | 100% |
| Referrer-Policy header | 100% | 100% |
| X-XSS-Protection disabled | 0% | 100% |
| Content-Security-Policy header | 100% | 100% |
| HSTS conditional on TLS | 0% | 100% |
| Permissions-Policy header | 0% | 100% |
| Middleware as dedicated function | 100% | 100% |

Protecting a Go API from Abuse and Brute Force
Rate limiting with tiered auth protection
Scenario scores: 100% / 29%

| Criteria | Without context | With context |
|---|---|---|
| x/time/rate package | 0% | 100% |
| Per-IP tracking | 100% | 100% |
| Port stripped from IP | 100% | 100% |
| Visitor cleanup goroutine | 60% | 100% |
| Separate auth limiter | 100% | 100% |
| Auth rate strictly lower | 100% | 100% |
| 429 with Retry-After | 50% | 100% |
| Sync.Mutex for visitor map | 100% | 100% |
| Limiter as middleware | 100% | 100% |
| lastSeen tracking | 0% | 100% |

Task Manager API with Database Backend
SQL injection prevention and secrets management
Scenario scores: 97% / 9%

| Criteria | Without context | With context |
|---|---|---|
| Parameterized queries used | 100% | 100% |
| No fmt.Sprintf in SQL | 100% | 70% |
| ORDER BY whitelisted | 100% | 100% |
| Path param validated | 75% | 100% |
| No hardcoded secrets | 100% | 100% |
| Secrets via os.Getenv | 100% | 100% |
| Fail-fast on missing secrets | 100% | 100% |
| .env.example present | 100% | 100% |
| Body field validation | 100% | 100% |
| Body size limited | 0% | 100% |

Reliable Go HTTP Service for a Kubernetes Deployment
Graceful shutdown and request timeouts
Scenario scores: 100% / 10%

| Criteria | Without context | With context |
|---|---|---|
| Signal handling | 100% | 100% |
| srv.Shutdown called | 100% | 100% |
| Shutdown timeout context | 100% | 100% |
| Server in goroutine | 100% | 100% |
| ErrServerClosed handled | 100% | 100% |
| ReadTimeout set | 100% | 100% |
| WriteTimeout set | 100% | 100% |
| IdleTimeout set | 100% | 100% |
| Per-request context timeout | 0% | 100% |
| Context passed downstream | 100% | 100% |
| Port from environment | 100% | 100% |

Session-Based Authentication API
Cookie-based auth security and middleware ordering
Scenario scores: 98% / 34%

| Criteria | Without context | With context |
|---|---|---|
| CSRF middleware present | 100% | 100% |
| CSRF skips safe methods | 100% | 100% |
| CSRF token comparison | 100% | 100% |
| HttpOnly cookie flag | 100% | 100% |
| Secure cookie flag | 100% | 75% |
| SameSite=Lax cookie | 100% | 100% |
| Crypto random session ID | 100% | 100% |
| Security headers outermost | 0% | 100% |
| CORS wraps rate limiter | 0% | 100% |
| Body size limit present | 0% | 100% |
| TLS env var check | 0% | 100% |

Evaluated with agent: Claude Code; model: Claude Sonnet 4.6
