Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
89 · 83% (Does it follow best practices?) · Impact 99% · 1.32x average score across 5 eval scenarios · Passed · No known issues
{
"context": "Tests whether the agent implements graceful shutdown with SIGTERM/SIGINT handling and connection draining, sets all three server timeouts (Read, Write, Idle), and adds per-request context timeout middleware with context propagation.",
"type": "weighted_checklist",
"checklist": [
{
"name": "Signal handling",
"description": "Code uses signal.Notify with both syscall.SIGTERM and syscall.SIGINT (or os.Interrupt) to catch shutdown signals",
"max_score": 10
},
{
"name": "srv.Shutdown called",
"description": "Graceful shutdown is implemented by calling srv.Shutdown(ctx) — NOT by os.Exit, log.Fatal, or simply letting main() return",
"max_score": 12
},
{
"name": "Shutdown timeout context",
"description": "The context passed to srv.Shutdown has a timeout (context.WithTimeout) rather than using context.Background() without timeout",
"max_score": 8
},
{
"name": "Server in goroutine",
"description": "The server is started in a goroutine (go func() { srv.ListenAndServe() }()) so main can wait for the shutdown signal without blocking",
"max_score": 8
},
{
"name": "ErrServerClosed handled",
"description": "The goroutine running ListenAndServe checks that the returned error is not http.ErrServerClosed (i.e. distinguishes normal shutdown from real errors)",
"max_score": 8
},
{
"name": "ReadTimeout set",
"description": "http.Server struct has ReadTimeout set to a positive duration",
"max_score": 8
},
{
"name": "WriteTimeout set",
"description": "http.Server struct has WriteTimeout set to a positive duration",
"max_score": 8
},
{
"name": "IdleTimeout set",
"description": "http.Server struct has IdleTimeout set to a positive duration",
"max_score": 8
},
{
"name": "Per-request context timeout",
"description": "A middleware applies context.WithTimeout to each request context before passing to the next handler",
"max_score": 10
},
{
"name": "Context passed downstream",
"description": "Handlers or simulated downstream calls use r.Context() (e.g. db.QueryRowContext, http.NewRequestWithContext, or a select on ctx.Done() against time.After) rather than context.Background()",
"max_score": 10
},
{
"name": "Port from environment",
"description": "The server port is read from an environment variable (with a default fallback like 8080) rather than hardcoded",
"max_score": 10
}
]
}
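The following is an added reference implementation of what this checklist scores, written for this page rather than taken from the skill or any project it evaluates. It covers every item: SIGINT/SIGTERM handling (via signal.NotifyContext, the context form of signal.Notify), the server started in a goroutine, srv.Shutdown under a bounded drain timeout, http.ErrServerClosed treated as a clean exit, all three server timeouts, a per-request context timeout middleware, a handler that honours r.Context(), and the port read from an environment variable. Assumptions: the variable name PORT, the timeout values, and the use of srv.Serve(ln) instead of srv.ListenAndServe() so that the listener can be bound first (the behaviour is otherwise identical).

```go
package main

import (
	"context"
	"errors"
	"log"
	"net"
	"net/http"
	"os"
	"os/signal"
	"syscall"
	"time"
)

// ListenPort returns the port from the PORT environment variable, or def when
// it is unset or empty. (PORT is the assumed variable name.)
func ListenPort(def string) string {
	if p := os.Getenv("PORT"); p != "" {
		return p
	}
	return def
}

// WithRequestTimeout gives every request context a deadline so a stalled
// downstream cannot pin a handler goroutine forever. It only helps when the
// handler actually propagates r.Context() to its downstream calls.
func WithRequestTimeout(d time.Duration) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			ctx, cancel := context.WithTimeout(r.Context(), d)
			defer cancel()
			next.ServeHTTP(w, r.WithContext(ctx))
		})
	}
}

// SlowHandler stands in for a downstream call (DB query, upstream HTTP) that
// honours the request context: 200 after delay, or 504 if the context ends first.
func SlowHandler(delay time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case <-time.After(delay):
			w.WriteHeader(http.StatusOK)
			_, _ = w.Write([]byte("ok\n"))
		case <-r.Context().Done():
			http.Error(w, r.Context().Err().Error(), http.StatusGatewayTimeout)
		}
	})
}

// NewServer wires the middleware in and sets all three server timeouts:
// ReadTimeout bounds slow headers/bodies, WriteTimeout bounds slow readers,
// IdleTimeout reaps idle keep-alive connections. The values are assumed.
func NewServer(addr string, h http.Handler, reqTimeout time.Duration) *http.Server {
	return &http.Server{
		Addr:         addr,
		Handler:      WithRequestTimeout(reqTimeout)(h),
		ReadTimeout:  10 * time.Second,
		WriteTimeout: 15 * time.Second,
		IdleTimeout:  60 * time.Second,
	}
}

// Run serves on ln in a goroutine until ctx is cancelled, then drains in-flight
// requests with srv.Shutdown under a bounded deadline. http.ErrServerClosed is
// the normal result of Shutdown and is not reported as an error.
func Run(ctx context.Context, srv *http.Server, ln net.Listener, drain time.Duration) error {
	errCh := make(chan error, 1)
	go func() {
		err := srv.Serve(ln)
		if errors.Is(err, http.ErrServerClosed) {
			err = nil
		}
		errCh <- err
	}()

	select {
	case err := <-errCh:
		return err // Serve failed before any shutdown signal
	case <-ctx.Done():
	}

	shutdownCtx, cancel := context.WithTimeout(context.Background(), drain)
	defer cancel()
	if err := srv.Shutdown(shutdownCtx); err != nil {
		return err // drain deadline hit: remaining connections were cut
	}
	return <-errCh
}

func main() {
	srv := NewServer(":"+ListenPort("8080"), SlowHandler(2*time.Second), 5*time.Second)
	ln, err := net.Listen("tcp", srv.Addr)
	if err != nil {
		log.Fatal(err)
	}
	// NotifyContext is the context-based form of signal.Notify for SIGINT/SIGTERM.
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM)
	defer stop()
	log.Printf("listening on %s", ln.Addr())
	if err := Run(ctx, srv, ln, 10*time.Second); err != nil {
		log.Fatal(err)
	}
	log.Print("shutdown complete")
}
```

Two points worth checking against a real service: Shutdown never cancels the contexts of requests already in flight, so a handler that ignores r.Context() can hold the drain open until the drain deadline cuts it; and the per-request deadline must be shorter than WriteTimeout, otherwise the connection is torn down before the 504 can be written.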