Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
89 · 83% · Does it follow best practices? · Impact · 99% · 1.32x average score across 5 eval scenarios · Passed · No known issues
{
  "instruction": "Add security headers middleware that sets X-Content-Type-Options, X-Frame-Options, and Referrer-Policy",
  "relevant_when": "Agent creates or modifies a Go HTTP server, adds routes to a Go web service, or sets up a Go API project",
  "context": "Go's net/http sets no security headers by default. Every Go HTTP server must include middleware that sets X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and Referrer-Policy. These headers prevent MIME-type sniffing, clickjacking, and referrer leakage. The middleware must be registered before route handlers.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/go-security-basics/SKILL.md",
      "tile": "tessl-labs/go-security-basics@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "security-headers-middleware",
      "rule": "Agent creates middleware that sets X-Content-Type-Options: nosniff and X-Frame-Options: DENY headers on all responses",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    },
    {
      "name": "referrer-policy-set",
      "rule": "Agent sets Referrer-Policy header (strict-origin-when-cross-origin or no-referrer) in security headers middleware",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    },
    {
      "name": "headers-before-routes",
      "rule": "Agent registers security headers middleware before route handlers in the middleware chain, not after",
      "relevant_when": "Agent creates or modifies a Go HTTP server"
    }
  ]
}