Security defaults that belong in every Go HTTP server from day one — CORS, security headers, rate limiting, SQL injection prevention, input validation, secrets management, graceful shutdown, and request timeouts.
Scorecard: 89 · 83% (Does it follow best practices?) · Impact 99% · 1.32x average score across 5 eval scenarios · Passed · No known issues
{
"instruction": "Set ReadTimeout, WriteTimeout, and IdleTimeout on the HTTP server",
"relevant_when": "Agent creates or modifies a Go HTTP server, sets up a Go API project, or configures http.Server",
"context": "Go's default http.Server has no timeouts -- a client can open a connection, send a few bytes of a request, and hold the connection open indefinitely, so a small number of such clients can exhaust the server's connections and goroutines (Slowloris). Always set ReadTimeout (max time to read the whole request, headers and body), WriteTimeout (max time to write the response; the deadline starts once the request headers have been read) and IdleTimeout (max time to wait for the next request on a keep-alive connection; if zero, ReadTimeout is used) on the http.Server struct. ReadHeaderTimeout can be set separately to bound the header phase more tightly. Choose WriteTimeout with long responses in mind: it also applies to streaming and server-sent event handlers. Server-level timeouts bound the connection, not the handler's work, so additionally derive timeouts from r.Context() in handlers and pass that context to downstream calls.",
"sources": [
{
"type": "file",
"filename": "skills/go-security-basics/SKILL.md",
"tile": "tessl-labs/go-security-basics@0.2.0"
}
],
"checklist": [
{
"name": "server-timeouts-set",
"rule": "Agent sets ReadTimeout, WriteTimeout, and IdleTimeout on the http.Server struct rather than using zero-value defaults",
"relevant_when": "Agent creates or modifies a Go HTTP server"
},
{
"name": "explicit-server-struct",
"rule": "Agent creates an explicit http.Server struct with timeout fields rather than calling http.ListenAndServe directly with no server configuration",
"relevant_when": "Agent creates or modifies a Go HTTP server"
}
]
}
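As an added worked example (not part of the skill file or of tessl-labs/go-security-basics), the following program shows the two checklist items side by side and then demonstrates why they matter. `UnsafeServer` builds the zero-timeout server that `http.ListenAndServe` creates internally; `NewServer` is the hardened form with every timeout set; `BoundedBackendCall` shows a handler deriving a deadline from `r.Context()` before calling downstream; and `SlowClientIsDropped` runs a server on an ephemeral loopback port, sends a partial request and stalls, and reports whether the server closed the connection. All function names and the timeout values are assumptions for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"time"
)

// Illustrative values (assumptions, not from the skill text): size them to the
// slowest legitimate request and response your service must handle.
const (
	readHeaderTimeout = 2 * time.Second
	readTimeout       = 5 * time.Second
	writeTimeout      = 10 * time.Second
	idleTimeout       = 120 * time.Second
	downstreamBudget  = 3 * time.Second
)

// UnsafeServer is what http.ListenAndServe(addr, h) builds for you: every
// timeout field is zero, i.e. unlimited. Shown only as the "before" form.
func UnsafeServer(addr string, h http.Handler) *http.Server {
	return &http.Server{Addr: addr, Handler: h}
}

// NewServer is the hardened form the checklist asks for.
func NewServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: readHeaderTimeout, // time to receive the header block
		ReadTimeout:       readTimeout,       // time to receive the whole request, body included
		WriteTimeout:      writeTimeout,      // time to write the response
		IdleTimeout:       idleTimeout,       // keep-alive wait for the next request
	}
}

// HasTimeouts is the "server-timeouts-set" check expressed in code.
func HasTimeouts(s *http.Server) bool {
	return s.ReadTimeout > 0 && s.WriteTimeout > 0 && s.IdleTimeout > 0
}

// BoundedBackendCall derives a deadline from the request context and honours it
// while waiting on a stand-in for a database or upstream call that takes `work`.
// A client disconnect or the budget expiring cancels the wait.
func BoundedBackendCall(ctx context.Context, budget, work time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, budget)
	defer cancel()
	select {
	case <-time.After(work):
		return "ok", nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

func handler(w http.ResponseWriter, r *http.Request) {
	res, err := BoundedBackendCall(r.Context(), downstreamBudget, 10*time.Millisecond)
	if err != nil {
		http.Error(w, "upstream timed out", http.StatusGatewayTimeout)
		return
	}
	fmt.Fprintln(w, res)
}

// SlowClientIsDropped starts a server with ReadTimeout rt on a loopback port,
// connects, sends a partial header and then stalls (the Slowloris pattern),
// and reports whether the server closed the stalled connection.
func SlowClientIsDropped(rt time.Duration) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	srv := NewServer(ln.Addr().String(), http.HandlerFunc(handler))
	srv.ReadHeaderTimeout, srv.ReadTimeout = rt, rt
	go srv.Serve(ln)
	defer srv.Close()

	conn, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer conn.Close()
	// Incomplete request: the terminating blank line never arrives.
	if _, err := io.WriteString(conn, "GET / HTTP/1.1\r\nHost: example\r\n"); err != nil {
		return false, err
	}
	// Our own patience, well past the server's timeout. Against a server with
	// a zero ReadTimeout this read would block for as long as we let it.
	conn.SetReadDeadline(time.Now().Add(5*rt + time.Second))
	buf := make([]byte, 256)
	for {
		if _, err := conn.Read(buf); err != nil {
			var ne net.Error
			if errors.As(err, &ne) && ne.Timeout() {
				return false, nil // we gave up first: the server never closed it
			}
			return true, nil // EOF or reset: the server dropped the stalled client
		}
	}
}

func main() {
	dropped, err := SlowClientIsDropped(500 * time.Millisecond)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("stalled client dropped:", dropped)
	log.Fatal(NewServer(":8080", http.HandlerFunc(handler)).ListenAndServe())
}
```

Run it and the stalled connection is closed shortly after the 500 ms read timeout; change `NewServer` to `UnsafeServer` inside `SlowClientIsDropped` and the probe instead reports `false` only after its own deadline, which is the held-open connection the skill warns about. The context budget in `BoundedBackendCall` is what stops handler goroutines from piling up behind a slow dependency; the server timeouts alone only bound the connection.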