Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
89
83%
Does it follow best practices?
Impact
99%
1.32x average score across 5 eval scenarios
Passed
No known issues
{
"context": "Tests whether the agent uses rs/cors with explicit allowed origins (not a wildcard) and adds all required browser security headers to a Go HTTP server.",
"type": "weighted_checklist",
"checklist": [
{
"name": "rs/cors package used",
"description": "The code imports 'github.com/rs/cors' (not a hand-rolled CORS function with w.Header().Set('Access-Control-Allow-Origin'))",
"max_score": 12
},
{
"name": "No wildcard origins",
"description": "Does NOT use cors.AllowAll() and does NOT set AllowedOrigins to []string{\"*\"}",
"max_score": 12
},
{
"name": "Origins from environment",
"description": "Allowed origins are read from an environment variable (e.g. os.Getenv or strings.Split of an env var) rather than hardcoded strings",
"max_score": 8
},
{
"name": "MaxAge configured",
"description": "CORS options struct includes a MaxAge field set to a positive integer (to cache preflight responses)",
"max_score": 6
},
{
"name": "X-Content-Type-Options header",
"description": "Security headers middleware sets X-Content-Type-Options: nosniff",
"max_score": 8
},
{
"name": "X-Frame-Options header",
"description": "Security headers middleware sets X-Frame-Options: DENY",
"max_score": 8
},
{
"name": "Referrer-Policy header",
"description": "Security headers middleware sets Referrer-Policy (any value)",
"max_score": 6
},
{
"name": "X-XSS-Protection disabled",
"description": "X-XSS-Protection is set to '0' (not '1' or '1; mode=block')",
"max_score": 8
},
{
"name": "Content-Security-Policy header",
"description": "Security headers middleware sets Content-Security-Policy",
"max_score": 8
},
{
"name": "HSTS conditional on TLS",
"description": "Strict-Transport-Security header is only set inside a conditional that checks r.TLS != nil (not set unconditionally)",
"max_score": 8
},
{
"name": "Permissions-Policy header",
"description": "Security headers middleware sets Permissions-Policy",
"max_score": 6
},
{
"name": "Middleware as dedicated function",
"description": "Security headers are applied via a dedicated middleware function (not inline inside route handlers)",
"max_score": 10
}
]
}
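What a passing submission for this scenario looks like in code, written here as an added stand-alone Go example (it is not the skill's own code and not taken from rs/cors): the allow-list is read from an environment variable and validated so that a wildcard, an empty list or a mistyped origin fails at start-up, and all the headers on the checklist are set by one dedicated middleware, with HSTS emitted only when `r.TLS` is non-nil. The variable name `CORS_ALLOWED_ORIGINS`, the `/health` route and the API-style CSP are assumptions for the example. The rs/cors wrapping itself is shown only in a comment because that third-party module is not imported in this self-contained block.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"strings"
)

// allowedOriginsFromEnv reads a comma-separated allow-list from the environment
// variable named by key and validates every entry, so a bad deployment fails at
// start-up instead of silently matching nothing (or everything). Example helper.
func allowedOriginsFromEnv(key string) ([]string, error) {
	raw := strings.TrimSpace(os.Getenv(key))
	if raw == "" {
		return nil, fmt.Errorf("%s is unset: refusing to start without an explicit CORS allow-list", key)
	}
	var origins []string
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		// "*" and "https://*.example.com" are the wildcards the checklist scores against.
		if strings.Contains(entry, "*") {
			return nil, fmt.Errorf("%s: wildcard origin %q is not allowed", key, entry)
		}
		u, err := url.Parse(entry)
		if err != nil || u.Scheme == "" || u.Host == "" {
			return nil, fmt.Errorf("%s: %q is not an origin (want scheme://host[:port])", key, entry)
		}
		// An Origin header never carries a path: "https://app.example.com/" would never match.
		if u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
			return nil, fmt.Errorf("%s: %q must not contain a path, query or fragment", key, entry)
		}
		origins = append(origins, entry)
	}
	// rs/cors treats an empty AllowedOrigins as "allow everything", so an empty
	// list must be an error here, not a quiet default.
	if len(origins) == 0 {
		return nil, fmt.Errorf("%s contains no origins", key)
	}
	return origins, nil
}

// securityHeaders is the dedicated middleware the checklist asks for: every
// response gets the same browser hardening headers and handlers never set them.
func securityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("X-Frame-Options", "DENY")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		// "0" switches the legacy XSS auditor off; the auditor itself was an
		// information leak in the browsers that shipped it, so never "1" or "1; mode=block".
		h.Set("X-XSS-Protection", "0")
		// Policy for a JSON API that serves no HTML (assumed); a page-serving app needs its own.
		h.Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'")
		h.Set("Permissions-Policy", "camera=(), microphone=(), geolocation=()")
		// HSTS received over plain HTTP is ignored by browsers (RFC 6797), and a
		// development listener must never tell them the host is HTTPS-only.
		if r.TLS != nil {
			h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
		}
		next.ServeHTTP(w, r)
	})
}

// headersFor runs one request through the middleware around a minimal mux and
// returns the response headers; overTLS mimics an https listener, where net/http sets r.TLS.
func headersFor(overTLS bool) http.Header {
	mux := http.NewServeMux()
	mux.HandleFunc("/health", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"status":"ok"}`)
	})
	req := httptest.NewRequest(http.MethodGet, "/health", nil)
	if overTLS {
		req.TLS = &tls.ConnectionState{}
	}
	rec := httptest.NewRecorder()
	securityHeaders(mux).ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	origins, err := allowedOriginsFromEnv("CORS_ALLOWED_ORIGINS")
	if err != nil {
		fmt.Fprintln(os.Stderr, "config error:", err)
		os.Exit(1)
	}
	fmt.Println("CORS allow-list:", origins)
	// In the real server the rs/cors layer wraps the hardened mux with this list, e.g.
	// cors.New(cors.Options{AllowedOrigins: origins, MaxAge: 600}).Handler(securityHeaders(mux)).
	for _, overTLS := range []bool{false, true} {
		fmt.Printf("tls=%-5v HSTS=%q\n", overTLS, headersFor(overTLS).Get("Strict-Transport-Security"))
	}
}
```

Run it with `CORS_ALLOWED_ORIGINS="https://app.example.com,https://admin.example.com" go run .` and the two printed lines show HSTS absent for the plaintext request and present for the TLS one. One caveat the `r.TLS != nil` check does not cover: behind a TLS-terminating load balancer the Go process only ever sees plaintext, so `r.TLS` is always nil and HSTS must be added by the proxy (or keyed off a trusted `X-Forwarded-Proto`), otherwise the header is silently never sent in production.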