Golang Security Standards
Priority: P0 (CRITICAL)
Implementation Guidelines
Input Validation
- Validation: Use go-playground/validator for struct validation (declarative `validate` tags such as `required`, `email`, `max=64`). google/go-cmp is a value-comparison library for tests, not a validator, and should not be relied on for input validation.
- Sanitization: Sanitize user input before processing it, and in particular before rendering it back as HTML. Use bluemonday for HTML sanitization; `bluemonday.UGCPolicy()` is the usual starting point for user-generated content, `bluemonday.StrictPolicy()` strips all markup.
Cryptography
- Random: ALWAYS use crypto/rand, NEVER math/rand (or math/rand/v2), for security-sensitive values (tokens, keys, IVs/nonces, salts). math/rand is a non-cryptographic PRNG whose output is predictable from its state; automatic seeding does not change that.
- Hashing: Use bcrypt or argon2id (golang.org/x/crypto/bcrypt, golang.org/x/crypto/argon2) for password hashing. Never store MD5, SHA-1 or even plain SHA-256 of a password: they are fast, unsalted hashes with no work factor.
- Encryption: Use AES-GCM (crypto/aes with cipher.NewGCM from crypto/cipher) for authenticated encryption. Generate a fresh random 12-byte nonce per message and never reuse one under the same key; GCM loses both confidentiality and integrity on nonce reuse. Do not use unauthenticated modes (CBC, CTR, ECB) on their own.
SQL Injection Prevention
- Parameterized Queries: ALWAYS pass user data as query arguments with database/sql (or sqlx/GORM on top of it), never inside the SQL text. Placeholder syntax belongs to the driver: `$1, $2` for PostgreSQL (pgx, lib/pq), `?` for MySQL and SQLite.
- No String Concatenation: Never build queries with fmt.Sprintf() or `+`. Placeholders bind values only, not identifiers or keywords (table and column names, ORDER BY direction); anything of that kind that comes from a request must be matched against an allowlist before it is put into the query text.
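An added example (not from the original page) contrasting the Sprintf anti-pattern with a bound-argument query, and covering the case placeholders cannot handle: a caller-chosen sort column. The `users` table, its columns and the hostile input are constructed for the demonstration; the query helper takes a `*sql.DB` and needs a PostgreSQL driver (assumed) to actually execute.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
)

// unsafeQuery builds SQL text from user input. With name = "' OR 1=1 --"
// the WHERE clause collapses and every row matches. Kept only to make the
// failure visible; never ship this.
func unsafeQuery(name string) string {
	return fmt.Sprintf("SELECT id, name FROM users WHERE name = '%s'", name)
}

// findUser keeps the SQL text constant; the value travels as a bound
// argument and is never parsed as SQL. $1 is PostgreSQL syntax (pgx, lib/pq);
// MySQL and SQLite drivers use ?.
func findUser(ctx context.Context, db *sql.DB, name string) (int64, error) {
	const q = "SELECT id FROM users WHERE name = $1"
	var id int64
	err := db.QueryRowContext(ctx, q, name).Scan(&id)
	return id, err
}

// sortableColumns maps request-level sort keys to real column names.
// Identifiers cannot be bound with placeholders, so the only safe source for
// them is a fixed allowlist like this one.
var sortableColumns = map[string]string{
	"name":    "name",
	"created": "created_at",
}

// listUsersQuery returns query text whose only variable parts are an
// allowlisted identifier and a fixed keyword; the row limit stays bound as $1.
func listUsersQuery(sortBy string, desc bool) (string, error) {
	col, ok := sortableColumns[sortBy]
	if !ok {
		return "", fmt.Errorf("unsupported sort column %q", sortBy)
	}
	dir := "ASC"
	if desc {
		dir = "DESC"
	}
	return fmt.Sprintf("SELECT id, name FROM users ORDER BY %s %s LIMIT $1", col, dir), nil
}

func main() {
	hostile := "' OR 1=1 --" // constructed attacker input
	fmt.Println("unsafe:", unsafeQuery(hostile))
	q, err := listUsersQuery("created", true)
	fmt.Println("safe:", q, err)
	_, err = listUsersQuery("name; DROP TABLE users", false)
	fmt.Println("rejected:", err)
}
```

Note that `listUsersQuery` still uses fmt.Sprintf, but only over values it chose itself from a constant map; the rule is that request data never reaches the format string, not that Sprintf is banned for assembling constant fragments.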
Authentication
- JWT: Use golang-jwt/jwt v5 or later. Restrict accepted algorithms with jwt.WithValidMethods rather than trusting the token's own `alg` header (that trust is what `alg: none` and RS256-to-HS256 key-confusion attacks exploit), and validate the iss, aud and exp claims (jwt.WithIssuer, jwt.WithAudience, jwt.WithExpirationRequired).
- Sessions: Use gorilla/sessions with cookie Options set to Secure: true, HttpOnly: true and SameSite: http.SameSiteLaxMode (or Strict). If you use CookieStore, pass both an authentication key and an encryption key so session contents are encrypted as well as signed.
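To make the four JWT checks concrete, here is an added example (not code from the page or from golang-jwt) that performs them with the standard library for an HS256 token: alg pinned by the verifier, constant-time signature check, mandatory exp, exact iss, and aud as either a string or an array. It exists to show what each check means; in production use golang-jwt/jwt v5 with the parser options named above rather than this hand-rolled verifier. The secret, issuer URL and audience are assumptions for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the registered claims this service checks; aud may be a string
// or an array of strings (RFC 7519), hence json.RawMessage.
type Claims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
	Sub string          `json:"sub"`
}

// Verify validates a compact HS256 JWT: alg, signature, exp, iss and aud,
// the checks golang-jwt/jwt v5 performs with WithValidMethods, WithIssuer,
// WithAudience and WithExpirationRequired.
func Verify(token string, key []byte, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// The verifier, not the token, decides the algorithm. Honouring a
	// token-supplied alg ("none", or HS256 keyed with an RSA public key)
	// is the classic JWT bypass.
	if hdr.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	// exp is mandatory here: a token without one would never expire.
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	}
	if !hasAudience(c.Aud, audience) {
		return nil, errors.New("audience mismatch")
	}
	return &c, nil
}

// hasAudience accepts either form of the aud claim.
func hasAudience(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		for _, a := range many {
			if a == want {
				return true
			}
		}
	}
	return false
}

// Sign mints an HS256 token so the checks can be exercised offline;
// in practice the identity provider does this.
func Sign(key []byte, payload map[string]any) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	input := enc(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + enc(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}
```

Two details worth carrying over to library code: the clock is passed in rather than read from time.Now(), so expiry can be tested deterministically and leeway added in one place, and the alg check happens before the signature is even computed, so an `alg: none` token never reaches the HMAC.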
Secret Management
- Environment Variables: Load secrets from the environment. godotenv is for local development only (and the .env file belongs in .gitignore); in Kubernetes, mount Secrets as environment variables or as files and read them at startup.
- No Hardcoding: Never commit API keys, passwords, or tokens to Git. A secret that has been committed must be rotated, not merely deleted from the history.
Anti-Patterns
- No math/rand for Security: its output is predictable. Use crypto/rand.
- No fmt.Sprintf() for SQL: it causes SQL injection. Use placeholders with bound arguments.
- No MD5 for Passwords: use bcrypt or argon2id.
- No Exposed Error Details: do not return stack traces, database error messages or internal hostnames and paths to clients in production. Log the full error server-side under a correlation ID and return a generic message carrying only that ID.
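The last anti-pattern in handler form, as an added example (not from the original page): expected conditions map to a specific status, everything else is logged in full with a random correlation ID and the client sees only the ID. The `lookup` function and the database-style error text it returns are constructed stand-ins for a real repository call.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
)

// errNotFound is a sentinel for a condition the client may legitimately learn.
var errNotFound = errors.New("not found")

// lookup stands in for a repository call. The default branch returns the
// kind of driver error (internal hostname included) that must never reach
// the client; the text is constructed for this example.
func lookup(id string) (string, error) {
	switch id {
	case "1":
		return "alice", nil
	case "2":
		return "", errNotFound
	default:
		return "", errors.New(`pq: relation "users" does not exist (host=db-internal.local)`)
	}
}

// newErrorID returns a random correlation ID to tie the client's message to
// the server-side log line.
func newErrorID() string {
	b := make([]byte, 8)
	_, _ = rand.Read(b) // crypto/rand, not math/rand; Read does not fail on supported platforms
	return hex.EncodeToString(b)
}

// writeError decides what the client sees and returns the correlation ID
// (empty for expected conditions that need none).
func writeError(w http.ResponseWriter, err error) string {
	if errors.Is(err, errNotFound) {
		http.Error(w, "not found", http.StatusNotFound)
		return ""
	}
	id := newErrorID()
	log.Printf("error_id=%s err=%v", id, err) // full detail stays server-side
	http.Error(w, "internal error, reference "+id, http.StatusInternalServerError)
	return id
}

func userHandler(w http.ResponseWriter, r *http.Request) {
	name, err := lookup(r.URL.Query().Get("id"))
	if err != nil {
		writeError(w, err)
		return
	}
	fmt.Fprintln(w, name)
}

func main() {
	http.HandleFunc("/user", userHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The same split applies to panics: a recovery middleware should log the stack and emit the generic 500 with an ID, never write the panic value into the response.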