Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
89
83%
Does it follow best practices?
Impact: 99%
1.32x average score across 5 eval scenarios
Passed
No known issues
{
  "context": "Tests whether the agent adds CSRF protection for cookie-based auth, sets correct cookie security flags, and wires middleware in the correct order (security headers and CORS outermost, rate limiting and timeouts innermost).",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "CSRF middleware present",
      "description": "A CSRF protection middleware exists that validates a token on state-changing requests (POST, PUT, PATCH, DELETE) — not just relying on SameSite alone",
      "max_score": 12
    },
    {
      "name": "CSRF skips safe methods",
      "description": "CSRF middleware does NOT apply token validation to GET, HEAD, or OPTIONS requests",
      "max_score": 8
    },
    {
      "name": "CSRF token comparison",
      "description": "CSRF validation compares a header value (e.g. X-CSRF-Token) against a cookie value, and returns 403 if they don't match or are missing",
      "max_score": 10
    },
    {
      "name": "HttpOnly cookie flag",
      "description": "Session cookie is set with HttpOnly: true",
      "max_score": 8
    },
    {
      "name": "Secure cookie flag",
      "description": "Session cookie is set with Secure: true",
      "max_score": 8
    },
    {
      "name": "SameSite=Lax cookie",
      "description": "Session cookie has SameSite set to http.SameSiteLaxMode (or stricter)",
      "max_score": 10
    },
    {
      "name": "Crypto random session ID",
      "description": "Session ID is generated using crypto/rand (not math/rand or a predictable value like a counter)",
      "max_score": 8
    },
    {
      "name": "Security headers outermost",
      "description": "middleware_diagram.md (or code structure) shows security headers middleware wrapping the entire handler chain — applied before CORS, rate limiting, and route handlers",
      "max_score": 8
    },
    {
      "name": "CORS wraps rate limiter",
      "description": "middleware_diagram.md (or code) shows CORS middleware wrapping the rate limiter and route handlers (not inside the rate limiter)",
      "max_score": 8
    },
    {
      "name": "Body size limit present",
      "description": "A body size limit middleware (http.MaxBytesReader) is included in the middleware chain",
      "max_score": 8
    },
    {
      "name": "TLS env var check",
      "description": "Code includes a conditional that checks for a TLS certificate env variable (TLS_CERT or similar) to enable TLS, rather than hardcoding http vs https",
      "max_score": 12
    }
  ]
}