From c53e5b1f71aec2c0b5b942ed981712c6158955f8 Mon Sep 17 00:00:00 2001 From: Huzaifa Sidhpurwala Date: Feb 11 2022 11:55:36 +0000 Subject: Merge #24 `Update modules/ROOT/pages/programming-languages/Go.adoc` --- diff --git a/modules/ROOT/pages/programming-languages/Go.adoc b/modules/ROOT/pages/programming-languages/Go.adoc index 61106b9..962b4d6 100644 --- a/modules/ROOT/pages/programming-languages/Go.adoc +++ b/modules/ROOT/pages/programming-languages/Go.adoc @@ -137,12 +137,12 @@ There are also third-party libraries you can use when developing web apps in Go. [source, go] ---- -```golang + name := r.FormValue("name") template := template.Must(template.ParseGlob("xss.html")) data["Name"] = name err := template.ExecuteTemplate(w, name, data) -``` + ---- === 4. Protect yourself from SQL injections @@ -151,10 +151,10 @@ But, the most critical piece of code you’d need to include is the use of param [source, go] ---- -```golang + customerName := r.URL.Query().Get("name") db.Exec("UPDATE creditcards SET name=? WHERE customerId=?", customerName, 233, 90) -``` + ---- If using the db.Query() function instead, ensure you sanitize the user’s input first, as above. @@ -167,18 +167,18 @@ To secure in-transit connection in the system isn’t only about the app listeni [source, go] ---- -```golang + w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains") -``` + ---- You might also want to specify the server name in the TLS configuration, like this: [source, go] ---- -```golang + config := &tls.Config{ServerName: "yourSiteOrServiceName"} -``` + ---- Of Note: It’s always a good practice to implement in-transit encryption even if your application is only for internal communication. Imagine if, for some reason, an attacker could sniff your internal traffic. Whenever you can, it’s always best to raise the difficulty bar for possible future attackers. @@ -202,18 +202,18 @@ Here are some problems with using Cgo in your application: Go doesn’t have exceptions. This means that you’d need to handle errors differently than with other languages. The standard looks like this: [source, go] ---- -```golang + if err != nil { // handle the error } -``` + ---- Also, Go offers a native library to work with logs. The most simple code is like this: [source, go] ---- -```golang + package main import ( @@ -223,7 +223,7 @@ import ( func main() { log.Print("Logging in Go!") } -``` + ---- @@ -241,7 +241,7 @@ Finally, make sure you apply all the previous rules like encryption and sanitiza ==== Further Reading -* https://github.com/Binject/awesome-go-securityhttps://github.com/Binject/awesome-go-security +* https://github.com/Binject/awesome-go-security * https://owasp.org/www-pdf-archive/Owasp-171123063052.pdf * https://github.com/securego/gosec * https://tutorialedge.net/golang/secure-coding-in-go-input-validation/