Go-SCP icon indicating copy to clipboard operation
Go-SCP copied to clipboard
verified publisher icon OWASP

Comprehensive security guidance modernization for Go 1.24+

Open curphey opened this issue 2 months ago • 0 comments

Summary

This PR brings the OWASP Go Secure Coding Practices Guide up to date with modern Go security practices (Go 1.22-1.24+). The guide's core content was written in 2017, and this update addresses the gaps identified in a forthcoming analysis of OWASP project currency.

Background

I'm Mark Curphey - I founded OWASP about 25 years ago and have been doing an analysis of OWASP projects to understand which ones developers should actually rely on. Go-SCP stood out as a project with great potential (5,200+ stars, strategic language coverage) but substantive content frozen in 2017. This PR is the put up or shut up part of that analysis.

This work was done in collaboration with Claude Code (Anthropic's AI coding assistant) as an experiment in using AI to modernize security documentation.

Changes

New Sections (13 files)

  • Rate Limiting - Token bucket with golang.org/x/time/rate, per-client limiting
  • HTTP Server Security - Timeout configuration, Slowloris protection
  • Command Injection Prevention - exec.Command security, flag injection
  • Path Traversal Prevention - Go 1.24 os.Root API, Zip Slip prevention
  • CORS Security - rs/cors configuration, framework examples
  • Context Timeouts - Request lifecycle, database/HTTP patterns
  • Secrets Management - Vault, AWS Secrets Manager, K8s secrets
  • Container Security - Multi-stage Docker, Kubernetes Pod Security
  • Security Scanning - govulncheck, gosec, fuzzing, CI/CD
  • Claude Code Security - CLAUDE.md templates, MCP integrations
  • Password Policies - NIST 800-63B compliance
  • Passkeys/WebAuthn - FIDO2 with go-webauthn
  • Content Security Policy - CSP headers, nonce-based scripts

Enhanced Sections (18 files)

  • Argon2id - RFC 9106 Section 7.4 compliant parameters
  • JWT - golang-jwt/jwt/v5, secure cookie attributes
  • PRNG - Go 1.22 ChaCha8Rand, Go 1.24 FIPS 140-3
  • Input Validation - go-playground/validator/v10
  • SQL Injection - IN clauses, ORDER BY allowlisting
  • CSRF - Updated Gorilla status, alternatives
  • Logging - log/slog structured logging

Addresses

  • Closes #95 (Gorilla toolkit status)
  • Addresses #71 (code samples)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.5 [email protected]

curphey avatar Jan 13 '26 18:01 curphey