Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
89
83%
Does it follow best practices?
Impact
99%
1.32x Average score across 5 eval scenarios
Passed
No known issues
{
  "context": "Tests whether the agent uses golang.org/x/time/rate for per-IP rate limiting, implements visitor cleanup, and applies stricter limits to auth endpoints compared to general API endpoints.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "x/time/rate package",
      "description": "The code imports 'golang.org/x/time/rate' (not a custom token bucket or third-party rate limiting library)",
      "max_score": 12
    },
    {
      "name": "Per-IP tracking",
      "description": "Rate limiting is per client IP address: the code extracts the client IP from r.RemoteAddr and maintains a per-IP state structure (e.g. a map of visitors)",
      "max_score": 10
    },
    {
      "name": "Port stripped from IP",
      "description": "The IP extraction strips the port from r.RemoteAddr using net.SplitHostPort or equivalent before using it as the map key",
      "max_score": 8
    },
    {
      "name": "Visitor cleanup goroutine",
      "description": "A background goroutine or ticker periodically removes stale visitor entries (visitors not seen for some duration) to prevent unbounded memory growth",
      "max_score": 10
    },
    {
      "name": "Separate auth limiter",
      "description": "Auth endpoints (/api/auth/login, /api/auth/register) use a separate, more restrictive rate limiter instance than the general API limiter",
      "max_score": 14
    },
    {
      "name": "Auth rate strictly lower",
      "description": "The numeric rate configured for auth endpoints is strictly lower than the rate for general API endpoints (e.g. 10 req/min auth vs 100 req/min general)",
      "max_score": 10
    },
    {
      "name": "429 with Retry-After",
      "description": "When rate limited, responds with HTTP 429 and sets the Retry-After response header",
      "max_score": 10
    },
    {
      "name": "sync.Mutex for visitor map",
      "description": "The visitor map is protected by a sync.Mutex (or equivalent) to prevent concurrent map access panics",
      "max_score": 8
    },
    {
      "name": "Limiter as middleware",
      "description": "Rate limiting is implemented as an http.Handler middleware (not inline in each route handler)",
      "max_score": 10
    },
    {
      "name": "lastSeen tracking",
      "description": "Each visitor entry records a lastSeen timestamp that is updated on every request, used by the cleanup routine",
      "max_score": 8
    }
  ]
}