| |
@@ -137,12 +137,12 @@
|
| |
|
| |
[source, go]
|
| |
----
|
| |
- ```golang
|
| |
+
|
| |
name := r.FormValue("name")
|
| |
template := template.Must(template.ParseGlob("xss.html"))
|
| |
data["Name"] = name
|
| |
err := template.ExecuteTemplate(w, name, data)
|
| |
- ```
|
| |
+
|
| |
----
|
| |
|
| |
=== 4. Protect yourself from SQL injections
|
| |
@@ -151,10 +151,10 @@
|
| |
|
| |
[source, go]
|
| |
----
|
| |
- ```golang
|
| |
+
|
| |
customerName := r.URL.Query().Get("name")
|
| |
db.Exec("UPDATE creditcards SET name=? WHERE customerId=?", customerName, 233, 90)
|
| |
- ```
|
| |
+
|
| |
----
|
| |
If using the db.Query() function instead, ensure you sanitize the user’s input first, as above.
|
| |
|
| |
@@ -167,18 +167,18 @@
|
| |
[source, go]
|
| |
----
|
| |
|
| |
- ```golang
|
| |
+
|
| |
w.Header().Add("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
|
| |
- ```
|
| |
+
|
| |
----
|
| |
|
| |
You might also want to specify the server name in the TLS configuration, like this:
|
| |
|
| |
[source, go]
|
| |
----
|
| |
- ```golang
|
| |
+
|
| |
config := &tls.Config{ServerName: "yourSiteOrServiceName"}
|
| |
- ```
|
| |
+
|
| |
----
|
| |
Of Note: It’s always a good practice to implement in-transit encryption even if your application is only for internal communication. Imagine if, for some reason, an attacker could sniff your internal traffic. Whenever you can, it’s always best to raise the difficulty bar for possible future attackers.
|
| |
|
| |
@@ -202,18 +202,18 @@
|
| |
Go doesn’t have exceptions. This means that you’d need to handle errors differently than with other languages. The standard looks like this:
|
| |
[source, go]
|
| |
----
|
| |
- ```golang
|
| |
+
|
| |
if err != nil {
|
| |
// handle the error
|
| |
}
|
| |
- ```
|
| |
+
|
| |
----
|
| |
|
| |
|
| |
Also, Go offers a native library to work with logs. The most simple code is like this:
|
| |
[source, go]
|
| |
----
|
| |
- ```golang
|
| |
+
|
| |
package main
|
| |
|
| |
import (
|
| |
@@ -223,7 +223,7 @@
|
| |
func main() {
|
| |
log.Print("Logging in Go!")
|
| |
}
|
| |
- ```
|
| |
+
|
| |
----
|
| |
|
| |
|
| |
@@ -241,7 +241,7 @@
|
| |
==== Further Reading
|
| |
|
| |
|
| |
- * https://github.com/Binject/awesome-go-securityhttps://github.com/Binject/awesome-go-security
|
| |
+ * https://github.com/Binject/awesome-go-security
|
| |
* https://owasp.org/www-pdf-archive/Owasp-171123063052.pdf
|
| |
* https://github.com/securego/gosec
|
| |
* https://tutorialedge.net/golang/secure-coding-in-go-input-validation/
|
| |
rfc/fix link