
Comprehensive security guidance modernization for Go 1.24+#108

Open
curphey wants to merge 1 commit into OWASP:master from curphey:feature/security-modernization-2026

Conversation


@curphey curphey commented Jan 23, 2026

Summary

This PR brings the OWASP Go Secure Coding Practices Guide up to date with modern Go security practices (Go 1.22-1.24+). The guide's core content was written in 2017, and this update addresses the gaps identified in a forthcoming analysis of OWASP project currency.

Background

I'm Mark Curphey - I founded OWASP about 25 years ago and have been doing an analysis of OWASP projects to understand which ones developers should actually rely on. Go-SCP stood out as a project with great potential (5,200+ stars, strategic language coverage) but substantive content frozen in 2017. This PR is the put up or shut up part of that analysis.

This work was done in collaboration with Claude Code (Anthropic's AI coding assistant) as an experiment in using AI to modernize security documentation.

The full blog about what I did is https://crashoverride.com/blog/ai-security-guidance-vs-outdated-owasp-go-practices

Note: This is a recreation of PR #107 which was accidentally closed when the fork was deleted.

Changes

New Sections (13 files)

  • Rate Limiting - Token bucket with golang.org/x/time/rate, per-client limiting
  • HTTP Server Security - Timeout configuration, Slowloris protection
  • Command Injection Prevention - exec.Command security, flag injection
  • Path Traversal Prevention - Go 1.24 os.Root API, Zip Slip prevention
  • CORS Security - rs/cors configuration, framework examples
  • Context Timeouts - Request lifecycle, database/HTTP patterns
  • Secrets Management - Vault, AWS Secrets Manager, K8s secrets
  • Container Security - Multi-stage Docker, Kubernetes Pod Security
  • Security Scanning - govulncheck, gosec, fuzzing, CI/CD
  • Claude Code Security - CLAUDE.md templates, MCP integrations
  • Password Policies - NIST 800-63B compliance
  • Passkeys/WebAuthn - FIDO2 with go-webauthn
  • Content Security Policy - CSP headers, nonce-based scripts

Enhanced Sections (18 files)

  • Argon2id - RFC 9106 Section 7.4 compliant parameters
  • JWT - golang-jwt/jwt/v5, secure cookie attributes
  • PRNG - Go 1.22 ChaCha8Rand, Go 1.24 FIPS 140-3
  • Input Validation - go-playground/validator/v10
  • SQL Injection - IN clauses, ORDER BY allowlisting
  • CSRF - Updated Gorilla status, alternatives
  • Logging - log/slog structured logging

Addresses


🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Add 13 new security sections covering modern Go security practices:
- HTTP Server Security (Slowloris protection, timeouts)
- Rate Limiting (token bucket, per-client limiting)
- Path Traversal Prevention (Go 1.24 os.Root, Zip Slip)
- Command Injection Prevention (exec.Command, allowlists)
- CORS Security (rs/cors configuration)
- Context Timeouts (database, HTTP, goroutine management)
- Secrets Management (Vault, AWS Secrets Manager, Kubernetes)
- Container Security (scratch images, Kubernetes hardening)
- Content Security Policy (nonces, strict-dynamic)
- Passkeys/WebAuthn (FIDO2 passwordless authentication)
- Security Tooling (govulncheck, gosec, fuzzing)
- Claude Code Security Development (OWASP Go agent, hooks)
- Security Scanning Integration (CI/CD, pre-commit)

Enhance existing sections with modern patterns:
- Input Validation: go-playground/validator examples
- SQL Injection: complete CRUD, IN clause, ORDER BY allowlist
- Cryptographic Practices: Go 1.22 ChaCha8Rand, Go 1.24 FIPS 140-3
- Password Management: Argon2id, NIST 800-63B guidelines
- Session Management: JWT v5 migration, SameSite cookies
- Error Handling: Go 1.13+ error wrapping with errors.Is/As
- Logging: log/slog structured logging
- CSRF: Gorilla alternatives after archive
- Memory Management: race detection section

Also adds CLAUDE.md for Claude Code guidance with project overview,
build commands, structure, and git flow documentation.

Updates align with OWASP Top 10 2021 and current Go best practices.

Closes OWASP#95 (Gorilla toolkit status)
Addresses OWASP#71 (code samples)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
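As an added illustration of the "Path Traversal Prevention" / Zip Slip item listed in the change summary (example code written for this page, not taken from the PR or the Go-SCP guide): a lexical guard that maps archive entry names onto an extraction root and rejects names that would escape it. The root directory and entry names are constructed sample values; the code uses only the standard library so it also builds on toolchains older than Go 1.24.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafePath is returned when an archive entry name would land outside the extraction root.
var ErrUnsafePath = errors.New("unsafe archive entry path")

// SafeExtractPath resolves an archive entry name to a destination inside root.
// It rejects empty and absolute names and any name that, after lexical cleaning,
// climbs above root (the Zip Slip pattern). Go 1.24's os.Root enforces the same
// containment at the OS level; this lexical check is still useful for deciding
// whether an entry should be written at all before any file is opened.
func SafeExtractPath(root, entryName string) (string, error) {
	// Archive formats use forward slashes; convert to the host separator so
	// filepath.IsLocal evaluates the path the operating system would see.
	name := filepath.FromSlash(entryName)
	if name == "" || filepath.IsAbs(name) || !filepath.IsLocal(name) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, entryName)
	}
	dest := filepath.Join(root, name)
	// Defence in depth: confirm the cleaned destination is still beneath root.
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrUnsafePath, entryName)
	}
	return dest, nil
}

func main() {
	root := "/tmp/extract" // constructed sample extraction root
	entries := []string{"docs/readme.txt", "a/../b.txt", "../../outside.txt", "/etc/hosts", ""}
	for _, e := range entries {
		if dest, err := SafeExtractPath(root, e); err != nil {
			fmt.Printf("reject %-20q %v\n", e, err)
		} else {
			fmt.Printf("accept %-20q -> %s\n", e, dest)
		}
	}
}
```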

Development

Successfully merging this pull request may close these issues.

gorilla is archived/no longer maintained
