Introduction
As Go continues to gain popularity for building web services, APIs, and cloud-native applications, the security implications of Go code are becoming increasingly important. While Go provides many built-in features that help developers write more secure code—such as strong typing, memory safety, and garbage collection—there are still numerous security pitfalls that can lead to vulnerabilities.
Over the past several years, I've conducted security reviews for numerous Go applications and microservices, uncovering common patterns that lead to security issues. In this article, I'll share practical secure coding practices for Go developers, covering common vulnerabilities, security-focused code patterns, authentication and authorization best practices, and approaches for managing sensitive data.
Common Vulnerabilities in Go Applications
Let's start by examining some of the most common security vulnerabilities in Go applications and how to prevent them.
1. SQL Injection
SQL injection remains one of the most prevalent security vulnerabilities in web applications. In Go, this typically occurs when concatenating user input directly into SQL queries:
// Vulnerable code func GetUserByUsername(db *sql.DB, username string) (*User, error) { query := "SELECT id, username, email FROM users WHERE username = '" + username + "'" row := db.QueryRow(query) // ... }
The secure approach is to use parameterized queries:
// Secure code func GetUserByUsername(db *sql.DB, username string) (*User, error) { query := "SELECT id, username, email FROM users WHERE username = ?" row := db.QueryRow(query, username)
var user User
err := row.Scan(&user.ID, &user.Username, &user.Email)
if err != nil {
if err == sql.ErrNoRows {
return nil, ErrUserNotFound
}
return nil, err
}
return &user, nil
}
When using an ORM like GORM, ensure you're not bypassing its security features:
// Vulnerable GORM code func GetUsersByRole(role string) ([]User, error) { var users []User result := db.Where("role = '" + role + "'").Find(&users) return users, result.Error }
// Secure GORM code func GetUsersByRole(role string) ([]User, error) { var users []User result := db.Where("role = ?", role).Find(&users) return users, result.Error }
2. Cross-Site Scripting (XSS)
XSS vulnerabilities occur when untrusted data is included in a web page without proper validation or escaping. In Go web applications, this often happens in HTML templates:
// Vulnerable template usage func handleUserProfile(w http.ResponseWriter, r *http.Request) { username := r.URL.Query().Get("username") fmt.Fprintf(w, "<h1>Profile for %s</h1>", username) // ... }
Go's html/template package automatically escapes content for safe HTML rendering:
// Secure template usage import "html/template"
func handleUserProfile(w http.ResponseWriter, r *http.Request) { username := r.URL.Query().Get("username")
tmpl, err := template.New("profile").Parse("<h1>Profile for {{.Username}}</h1>")
if err != nil {
http.Error(w, "Template error", http.StatusInternalServerError)
return
}
data := struct {
Username string
}{
Username: username,
}
tmpl.Execute(w, data)
}
Be careful when using the template.HTML type, as it bypasses automatic escaping:
// Risky code that bypasses escaping userBio := template.HTML(userInput) // Dangerous if userInput is untrusted
3. Cross-Site Request Forgery (CSRF)
CSRF attacks trick users into performing unwanted actions on a site where they're authenticated. To prevent CSRF in Go web applications, use tokens:
import ( "github.com/gorilla/csrf" "github.com/gorilla/mux" )
func main() { r := mux.NewRouter()
// Add routes...
// Wrap the router with CSRF protection
csrfMiddleware := csrf.Protect(
[]byte("32-byte-long-auth-key"),
csrf.Secure(true),
csrf.HttpOnly(true),
)
http.ListenAndServe(":8000", csrfMiddleware(r))
}
In your HTML templates, include the CSRF token in forms:
<form action="/api/update-profile" method="POST"> {{ .csrfField }} <input type="text" name="name" value="{{ .user.Name }}"> <button type="submit">Update Profile</button> </form>4. Insecure Direct Object References (IDOR)
IDOR vulnerabilities occur when an application exposes a reference to an internal object without proper access control:
// Vulnerable code func handleGetDocument(w http.ResponseWriter, r *http.Request) { documentID := r.URL.Query().Get("id")
// No authorization check!
document, err := db.GetDocument(documentID)
if err != nil {
http.Error(w, "Document not found", http.StatusNotFound)
return
}
json.NewEncoder(w).Encode(document)
}
The secure approach includes authorization checks:
// Secure code func handleGetDocument(w http.ResponseWriter, r *http.Request) { documentID := r.URL.Query().Get("id") userID := getUserIDFromContext(r.Context())
// First, get the document
document, err := db.GetDocument(documentID)
if err != nil {
http.Error(w, "Document not found", http.StatusNotFound)
return
}
// Then check if the user has permission to access it
if !document.IsPublic && document.OwnerID != userID && !userHasAdminAccess(r.Context()) {
http.Error(w, "Unauthorized", http.StatusForbidden)
return
}
json.NewEncoder(w).Encode(document)
}
5. Path Traversal
Path traversal vulnerabilities allow attackers to access files outside of intended directories:
// Vulnerable code func handleGetFile(w http.ResponseWriter, r *http.Request) { filename := r.URL.Query().Get("filename") data, err := ioutil.ReadFile("./data/" + filename) // ... }
To prevent path traversal, validate and sanitize filenames:
import ( "path/filepath" "strings" )
func handleGetFile(w http.ResponseWriter, r *http.Request) { filename := r.URL.Query().Get("filename")
// Sanitize the filename
if strings.Contains(filename, "..") {
http.Error(w, "Invalid filename", http.StatusBadRequest)
return
}
// Use filepath.Join to create a proper path
path := filepath.Join("./data", filename)
// Ensure the resulting path is still within the intended directory
absPath, err := filepath.Abs(path)
if err != nil {
http.Error(w, "Invalid path", http.StatusInternalServerError)
return
}
dataDir, err := filepath.Abs("./data")
if err != nil {
http.Error(w, "Server error", http.StatusInternalServerError)
return
}
if !strings.HasPrefix(absPath, dataDir) {
http.Error(w, "Invalid path", http.StatusBadRequest)
return
}
// Now it's safe to read the file
data, err := ioutil.ReadFile(path)
// ...
}
Secure Coding Patterns in Go
Beyond avoiding specific vulnerabilities, there are coding patterns that promote security in Go applications.
Input Validation
Always validate user input before processing it:
import ( "regexp" "unicode/utf8" )
func validateUsername(username string) error { if utf8.RuneCountInString(username) < 3 || utf8.RuneCountInString(username) > 30 { return errors.New("username must be between 3 and 30 characters") }
// Only allow alphanumeric characters and underscores
valid := regexp.MustCompile(`^[a-zA-Z0-9_]+$`).MatchString(username)
if !valid {
return errors.New("username can only contain letters, numbers, and underscores")
}
return nil
}
For more complex validation, consider using a validation library like go-playground/validator:
import "github.com/go-playground/validator/v10"
type User struct {
Username string validate:"required,alphanum,min=3,max=30"
Email string validate:"required,email"
Age int validate:"gte=18,lte=120"
}
func validateUser(user User) error { validate := validator.New() return validate.Struct(user) }
Safe Deserialization
When deserializing JSON or other formats, be cautious about untrusted data:
// Limit the size of request bodies func limitBodySize(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, 1048576) // 1MB limit next.ServeHTTP(w, r) }) }
// Validate JSON structure func decodeJSONBody(w http.ResponseWriter, r *http.Request, dst interface{}) error { decoder := json.NewDecoder(r.Body) decoder.DisallowUnknownFields() // Reject JSON with unknown fields
if err := decoder.Decode(dst); err != nil {
return err
}
// Ensure there's no additional data
if decoder.More() {
return errors.New("request body must only contain a single JSON object")
}
return nil
}
Context Timeouts
Use context timeouts to prevent long-running operations that could lead to resource exhaustion:
func handleRequest(w http.ResponseWriter, r http.Request) { // Create a context with a timeout ctx, cancel := context.WithTimeout(r.Context(), 5time.Second) defer cancel()
// Use the context for database operations
result, err := executeQuery(ctx, query)
if err != nil {
if errors.Is(err, context.DeadlineExceeded) {
http.Error(w, "Request timed out", http.StatusGatewayTimeout)
return
}
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
// Process result...
}
Defense in Depth for Handlers
Implement multiple layers of protection in your HTTP handlers:
func secureHandler(w http.ResponseWriter, r *http.Request) { // 1. Validate request method if r.Method != http.MethodPost { http.Error(w, "Method not allowed", http.StatusMethodNotAllowed) return }
// 2. Validate Content-Type
contentType := r.Header.Get("Content-Type")
if contentType != "application/json" {
http.Error(w, "Unsupported content type", http.StatusUnsupportedMediaType)
return
}
// 3. Parse and validate input
var input UserInput
if err := decodeJSONBody(w, r, &input); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
if err := validateUserInput(input); err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
// 4. Check authorization
userID := getUserIDFromContext(r.Context())
if !isAuthorized(userID, r.URL.Path) {
http.Error(w, "Unauthorized", http.StatusForbidden)
return
}
// 5. Process the request with context timeout
ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
defer cancel()
result, err := processSecureOperation(ctx, input)
if err != nil {
handleError(w, err)
return
}
// 6. Return a successful response
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(result)
}
Authentication and Authorization
Secure authentication and authorization are critical components of application security.
Password Handling
Never store passwords in plain text. Use a strong, slow hashing algorithm with salting:
import "golang.org/x/crypto/bcrypt"
func hashPassword(password string) (string, error) { // Cost factor of 12 is a good balance between security and performance as of 2019 bytes, err := bcrypt.GenerateFromPassword([]byte(password), 12) return string(bytes), err }
func checkPasswordHash(password, hash string) bool { err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) return err == nil }
JWT Authentication
If using JSON Web Tokens (JWT) for authentication, follow these best practices:
import ( "time"
"github.com/golang-jwt/jwt/v4"
)
// Secret key for signing tokens - in production, this should be stored securely var jwtKey = []byte("your-secure-key")
type Claims struct {
UserID int64 json:"user_id"
Role string json:"role"
jwt.RegisteredClaims
}
func generateToken(userID int64, role string) (string, error) { // Set expiration time expirationTime := time.Now().Add(24 * time.Hour)
// Create claims with user data
claims := &Claims{
UserID: userID,
Role: role,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expirationTime),
IssuedAt: jwt.NewNumericDate(time.Now()),
NotBefore: jwt.NewNumericDate(time.Now()),
Issuer: "your-service-name",
Subject: fmt.Sprintf("%d", userID),
},
}
// Create token with claims
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
// Sign the token
return token.SignedString(jwtKey)
}
func validateToken(tokenString string) (*Claims, error) { claims := &Claims{}
// Parse the token
token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
// Validate signing method
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return jwtKey, nil
})
if err != nil {
return nil, err
}
if !token.Valid {
return nil, errors.New("invalid token")
}
return claims, nil
}
Role-Based Access Control (RBAC)
Implement proper authorization checks based on user roles:
type Permission string
const ( PermissionReadUser Permission = "read:user" PermissionWriteUser Permission = "write:user" PermissionDeleteUser Permission = "delete:user" PermissionReadAdmin Permission = "read:admin" PermissionWriteAdmin Permission = "write:admin" )
var rolePermissions = map[string][]Permission{ "user": { PermissionReadUser, }, "editor": { PermissionReadUser, PermissionWriteUser, }, "admin": { PermissionReadUser, PermissionWriteUser, PermissionDeleteUser, PermissionReadAdmin, PermissionWriteAdmin, }, }
func hasPermission(role string, permission Permission) bool { permissions, exists := rolePermissions[role] if !exists { return false }
for _, p := range permissions {
if p == permission {
return true
}
}
return false
}
func authorizationMiddleware(permission Permission) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { claims, ok := r.Context().Value("claims").(*Claims) if !ok { http.Error(w, "Unauthorized", http.StatusUnauthorized) return }
if !hasPermission(claims.Role, permission) {
http.Error(w, "Forbidden", http.StatusForbidden)
return
}
next.ServeHTTP(w, r)
})
}
}
Secure Management of Sensitive Data
Handling sensitive data requires special attention to prevent data breaches.
Environment Variables for Secrets
Store sensitive configuration in environment variables, not in code:
import ( "os"
"github.com/joho/godotenv"
)
func loadConfig() Config { // Load .env file if it exists godotenv.Load()
return Config{
DatabaseURL: os.Getenv("DATABASE_URL"),
JWTSecret: os.Getenv("JWT_SECRET"),
APIKey: os.Getenv("API_KEY"),
EncryptionKey: os.Getenv("ENCRYPTION_KEY"),
}
}
Encryption of Sensitive Data
Use encryption for sensitive data stored in databases:
import ( "crypto/aes" "crypto/cipher" "crypto/rand" "encoding/base64" "io" )
func encrypt(plaintext string, key []byte) (string, error) { // Create a new cipher block from the key block, err := aes.NewCipher(key) if err != nil { return "", err }
// Create a GCM mode cipher
gcm, err := cipher.NewGCM(block)
if err != nil {
return "", err
}
// Create a nonce
nonce := make([]byte, gcm.NonceSize())
if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
return "", err
}
// Encrypt and authenticate the plaintext
ciphertext := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
// Return base64-encoded ciphertext
return base64.StdEncoding.EncodeToString(ciphertext), nil
}
func decrypt(ciphertext string, key []byte) (string, error) { // Decode from base64 data, err := base64.StdEncoding.DecodeString(ciphertext) if err != nil { return "", err }
// Create a new cipher block from the key
block, err := aes.NewCipher(key)
if err != nil {
return "", err
}
// Create a GCM mode cipher
gcm, err := cipher.NewGCM(block)
if err != nil {
return "", err
}
// Extract the nonce
nonceSize := gcm.NonceSize()
if len(data) < nonceSize {
return "", errors.New("ciphertext too short")
}
nonce, ciphertextBytes := data[:nonceSize], data[nonceSize:]
// Decrypt and authenticate
plaintextBytes, err := gcm.Open(nil, nonce, ciphertextBytes, nil)
if err != nil {
return "", err
}
return string(plaintextBytes), nil
}
Sanitizing Logs and Error Messages
Prevent leaking sensitive information in logs and error messages:
func processPayment(payment *Payment) error { // Sanitize credit card number for logging sanitizedCardNumber := sanitizeCreditCard(payment.CardNumber)
log.Info().
Str("user_id", payment.UserID).
Str("payment_method", payment.Method).
Str("card_number", sanitizedCardNumber). // Only log last 4 digits
Float64("amount", payment.Amount).
Msg("Processing payment")
// Process payment...
return nil
}
func sanitizeCreditCard(cardNumber string) string { if len(cardNumber) <= 4 { return "****" }
lastFour := cardNumber[len(cardNumber)-4:]
return strings.Repeat("*", len(cardNumber)-4) + lastFour
}
Secure Headers
Set secure HTTP headers to protect against common attacks:
func securityHeadersMiddleware(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // Content Security Policy w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'")
// Prevent MIME type sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
// Protect against clickjacking
w.Header().Set("X-Frame-Options", "DENY")
// Enable browser XSS protection
w.Header().Set("X-XSS-Protection", "1; mode=block")
// Don't cache sensitive information
w.Header().Set("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0")
w.Header().Set("Pragma", "no-cache")
// Strict Transport Security
w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
next.ServeHTTP(w, r)
})
}
Dependency Management and Vulnerabilities
Managing third-party dependencies is a critical aspect of security.
Vulnerability Scanning
Regularly scan dependencies for known vulnerabilities:
// Use go list -m all to check all dependencies
// Use go mod why [package] to understand why a dependency is included
// Use go mod tidy to remove unused dependencies
// Install and use Nancy for vulnerability scanning: // go list -m all | nancy sleuth
// Or use govulncheck: // go install golang.org/x/vuln/cmd/govulncheck@latest // govulncheck ./...
Vendoring and Version Pinning
Pin dependency versions and consider vendoring critical dependencies:
// Use go.mod to pin versions module github.com/yourusername/yourproject
go 1.13
require ( github.com/example/package1 v1.2.3 github.com/example/package2 v2.3.4 )
// Vendor dependencies for sensitive projects // go mod vendor
Minimal Dependencies
Be selective about adding dependencies:
// Before adding a dependency, consider: // 1. Is the functionality simple enough to implement yourself? // 2. Is the library actively maintained? // 3. Has it been audited for security? // 4. How widely used is it in the community? // 5. Does it have a clear security policy and vulnerability reporting process?
Security Testing
Regular security testing helps identify vulnerabilities before they reach production.
Static Analysis Tools
Use static analysis tools to detect security issues:
// Install static analysis tools // go install golang.org/x/tools/cmd/staticcheck@latest // go install github.com/securego/gosec/v2/cmd/gosec@latest
// Run staticcheck for general code quality issues // staticcheck ./...
// Run gosec for security-specific checks // gosec ./...
Security Unit Tests
Write tests that specifically verify security properties:
func TestSQLInjectionPrevention(t *testing.T) { db, mock, err := sqlmock.New() if err != nil { t.Fatalf("Error creating mock database: %v", err) } defer db.Close()
// Setup expected query with a parameter placeholder
mock.ExpectQuery("SELECT id, username, email FROM users WHERE username = ?").
WithArgs("user' OR '1'='1").
WillReturnRows(sqlmock.NewRows([]string{"id", "username", "email"}))
// Try a malicious username
_, err = GetUserByUsername(db, "user' OR '1'='1")
// We expect no rows to be found, not SQL injection to succeed
if err == nil {
t.Error("Expected error, but got nil - possible SQL injection vulnerability")
}
// Verify that all expectations were met
if err := mock.ExpectationsWereMet(); err != nil {
t.Errorf("Unfulfilled expectations: %s", err)
}
}
Penetration Testing
Conduct regular penetration testing on your applications, either manually or using automated tools:
// Common areas to test: // 1. Authentication and session management // 2. Access control // 3. Input validation // 4. Error handling // 5. Data protection // 6. API security
Real-World Example: Securing a Go Microservice
Let's walk through a practical example of securing a Go microservice for user management:
1. Security Requirements
- Protect against common web vulnerabilities (OWASP Top 10)
- Secure user authentication with JWT
- Role-based access control
- Encryption of sensitive user data
- Secure password storage with bcrypt
- Protection against brute force attacks
- Comprehensive audit logging
2. Secure Project Structure
/user-service
/cmd
/server
main.go # Entry point
/internal
/auth
jwt.go # JWT implementation
middleware.go # Auth middleware
rbac.go # Role-based access control
/config
config.go # Configuration management
/encryption
encryption.go # Data encryption utilities
/models
user.go # User model
/repository
user_repository.go # Data access layer
/server
server.go # HTTP server setup
middleware.go # Security middleware
/service
user_service.go # Business logic
/pkg
/validator
validator.go # Input validation
/sanitize
sanitize.go # Output sanitization
go.mod
go.sum
3. Implementing Security Measures
User model with encrypted fields:
// internal/models/user.go
type User struct {
ID string json:"id"
Username string json:"username"
Email string json:"email"
PasswordHash string json:"-" // Never expose in JSON
Role string json:"role"
MFAEnabled bool json:"mfa_enabled"
PhoneNumber string json:"-" // Stored encrypted
EncryptedPhone string json:"-" // Encrypted version stored in DB
LastLogin time.Time json:"last_login"
FailedAttempts int json:"-"
Locked bool json:"locked"
Created time.Time json:"created"
Updated time.Time json:"updated"
}
Security middleware chain:
// internal/server/server.go func setupRouter(cfg *config.Config, userService *service.UserService) *chi.Mux { r := chi.NewRouter()
// Middleware for all routes
r.Use(middleware.RequestID)
r.Use(middleware.RealIP)
r.Use(middleware.Logger)
r.Use(middleware.Recoverer)
r.Use(middleware.Timeout(30 * time.Second))
r.Use(securityMiddleware)
r.Use(limitBodySize(1024 * 1024)) // 1MB limit
// Public routes
r.Group(func(r chi.Router) {
r.Post("/login", handleLogin(userService))
r.Post("/register", handleRegister(userService))
})
// Protected routes
r.Group(func(r chi.Router) {
r.Use(auth.JWTMiddleware(cfg.JWTSecret))
// User routes - require authenticated user
r.Route("/users", func(r chi.Router) {
r.Get("/me", handleGetCurrentUser(userService))
// Admin routes - require admin role
r.Group(func(r chi.Router) {
r.Use(auth.RoleMiddleware("admin"))
r.Get("/", handleListUsers(userService))
r.Get("/{id}", handleGetUser(userService))
r.Put("/{id}", handleUpdateUser(userService))
r.Delete("/{id}", handleDeleteUser(userService))
})
})
})
return r
}
Request validation and secure processing:
// internal/service/user_service.go func (s *UserService) Register(ctx context.Context, input RegisterInput) (*User, error) { // Validate input if err := validator.ValidateRegisterInput(input); err != nil { return nil, err }
// Check if username already exists
existing, err := s.repo.GetByUsername(ctx, input.Username)
if err != nil && !errors.Is(err, repository.ErrNotFound) {
return nil, err
}
if existing != nil {
return nil, ErrUsernameExists
}
// Check if email already exists
existing, err = s.repo.GetByEmail(ctx, input.Email)
if err != nil && !errors.Is(err, repository.ErrNotFound) {
return nil, err
}
if existing != nil {
return nil, ErrEmailExists
}
// Hash password
passwordHash, err := auth.HashPassword(input.Password)
if err != nil {
return nil, err
}
// Encrypt sensitive fields
encryptedPhone, err := s.encryption.Encrypt(input.PhoneNumber)
if err != nil {
return nil, err
}
// Create user with secure defaults
user := &models.User{
ID: uuid.New().String(),
Username: input.Username,
Email: input.Email,
PasswordHash: passwordHash,
Role: "user", // Default role
MFAEnabled: false,
PhoneNumber: "", // Don't store plaintext
EncryptedPhone: encryptedPhone,
Created: time.Now(),
Updated: time.Now(),
}
// Save to database
if err := s.repo.Create(ctx, user); err != nil {
return nil, err
}
// Audit log
s.auditLogger.Log(ctx, &audit.Event{
Action: "user.register",
Resource: "user",
ResourceID: user.ID,
Username: user.Username,
})
return user, nil
}
Rate limiting and brute force protection:
// internal/auth/rate_limiter.go type RateLimiter struct { attempts map[string][]time.Time mu sync.Mutex window time.Duration limit int }
func NewRateLimiter(window time.Duration, limit int) *RateLimiter { return &RateLimiter{ attempts: make(map[string][]time.Time), window: window, limit: limit, } }
func (r *RateLimiter) Allow(key string) bool { r.mu.Lock() defer r.mu.Unlock()
now := time.Now()
windowStart := now.Add(-r.window)
// Get attempts within the window
var validAttempts []time.Time
for _, t := range r.attempts[key] {
if t.After(windowStart) {
validAttempts = append(validAttempts, t)
}
}
// Update attempts
r.attempts[key] = append(validAttempts, now)
// Check if limit exceeded
return len(r.attempts[key]) <= r.limit
}
// Use rate limiter in login handler func handleLogin(userService *service.UserService, limiter *RateLimiter) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { var input LoginInput if err := json.NewDecoder(r.Body).Decode(&input); err != nil { http.Error(w, "Invalid request body", http.StatusBadRequest) return }
// Rate limit by IP address
clientIP := r.RemoteAddr
if !limiter.Allow(clientIP) {
http.Error(w, "Too many login attempts", http.StatusTooManyRequests)
return
}
// Rate limit by username to prevent account enumeration
if !limiter.Allow("username:" + input.Username) {
http.Error(w, "Too many login attempts", http.StatusTooManyRequests)
return
}
// Validate, authenticate, and return JWT...
}
}
4. Security Configuration
# config.yaml
server:
port: 8080
timeout: 30s
read_header_timeout: 10s
idle_timeout: 120s
security:
# Use environment variables for sensitive config
jwt_secret: ${JWT_SECRET}
encryption_key: ${ENCRYPTION_KEY}
# Security headers
content_security_policy: "default-src 'self'; script-src 'self'"
hsts_max_age: 31536000
# Rate limiting
login_rate_limit_window: 10m
login_rate_limit_attempts: 5
# Password policy
password_min_length: 10
password_require_uppercase: true
password_require_lowercase: true
password_require_number: true
password_require_special: true
# Session configuration
session_duration: 24h
refresh_token_duration: 30d
5. Security Verification
Regular scanning for vulnerabilities:
// security_scan.sh #!/bin/bash set -e
echo "Running security checks..."
echo "1. Checking for outdated dependencies..." go list -m all | nancy sleuth
echo "2. Running static analysis..." staticcheck ./...
echo "3. Running security linter..." gosec ./...
echo "4. Running tests with race detection..." go test -race ./...
echo "5. Scanning Docker image for vulnerabilities..." docker build -t user-service:latest . trivy image user-service:latest
echo "Security checks completed."
Security Checklist for Go Web Services
As a final practical tool, here's a security checklist for your Go web applications:
Input Validation
- [ ] All user input is validated, sanitized, and constrained
- [ ] Structured validation for all inputs with clear error messages
- [ ] Input size limits enforced on all fields
- [ ] Content type validation for all endpoints
Authentication & Authorization
- [ ] Strong password hashing with bcrypt/Argon2
- [ ] Multi-factor authentication option
- [ ] Secure session management
- [ ] Proper JWT implementation with expiration
- [ ] Role-based access control with principle of least privilege
- [ ] Rate limiting on authentication endpoints
- [ ] Account lockout after failed attempts
Data Protection
- [ ] Sensitive data encrypted at rest
- [ ] TLS for all communications
- [ ] Secure headers configured
- [ ] No sensitive data in logs
- [ ] No sensitive data in error messages
- [ ] Proper handling of secrets (no hardcoding)
Database Security
- [ ] Parameterized queries for all database operations
- [ ] Limited database user permissions
- [ ] Input validation before database operations
- [ ] No sensitive data in queries
Dependency Management
- [ ] Regular dependency security scanning
- [ ] Minimal dependencies
- [ ] Version pinning for all dependencies
- [ ] CI pipeline with security checks
Error Handling & Logging
- [ ] Secure error messages to users
- [ ] Detailed internal logging
- [ ] No sensitive data in logs
- [ ] Proper log levels
- [ ] Structured logging
API Security
- [ ] CSRF protection for browser clients
- [ ] Proper CORS configuration
- [ ] Rate limiting
- [ ] API versioning strategy
- [ ] Cache control headers
Infrastructure
- [ ] Container security scanning
- [ ] Minimal container image
- [ ] No running as root
- [ ] Health checks
- [ ] Resource constraints
Conclusion
Building secure Go applications requires attention to detail across multiple layers, from the code level to infrastructure. While Go provides many security advantages through its design, developers must still be vigilant about common vulnerabilities and follow secure coding practices.
The key takeaways from this article are:
- Validate all input: Never trust user input; validate and sanitize it thoroughly.
- Use parameterized queries: Prevent SQL injection by using parameterized queries for all database operations.
- Implement proper authentication: Use strong password hashing, secure JWT implementations, and consider MFA.
- Control access carefully: Implement role-based access control and verify authorization for all operations.
- Encrypt sensitive data: Use strong encryption for sensitive data both in transit and at rest.
- Manage dependencies securely: Regularly scan for vulnerabilities and minimize dependencies.
- Set secure HTTP headers: Protect against common web vulnerabilities with proper security headers.
- Conduct regular security testing: Use static analysis, security-focused unit tests, and penetration testing.
By following these practices, you can build Go applications that are resilient against common security threats and protect your users' data effectively.
In future articles, I'll explore more advanced security topics such as implementing secure microservice communication, building zero-trust architectures, and automated security testing for Go applications.
About the author: I'm a software engineer with experience in systems programming and distributed systems. Over the past years, I've been designing and implementing secure Go applications with a focus on microservices, API security, and cloud-native architectures.
