How to force HTTPS redirects with Secure in Go?

Set SSLRedirect to true and optionally specify SSLHost for custom redirects. For proxy setups, configure SSLProxyHeaders to handle forwarded protocols, as detailed in the README example with separate HTTP and HTTPS servers.

Secure vs gorilla/csrf for Go security?

Secure focuses on HTTP headers and host validation to prevent attacks like clickjacking and XSS, while gorilla/csrf handles Cross-Site Request Forgery protection. They are complementary and can be used together for layered security.

How to add a nonce to Content Security Policy in Secure?

Use the ContentSecurityPolicy option with a template string containing $NONCE, which Secure dynamically replaces with a unique nonce per request. The README shows this with the CSP Builder for easier policy creation.

Does Secure work correctly behind Nginx or other reverse proxies?

Yes, configure HostsProxyHeaders for host validation and SSLProxyHeaders for HTTPS detection to ensure proper behavior. The README provides examples with maps like {"X-Forwarded-Proto": "https"} for proxy compatibility.

How to disable security features during development?

Set IsDevelopment to true, which disables AllowedHosts, SSLRedirect, and STS headers, allowing HTTP access and localhost usage without redirects. Remember to set it to false in production.

What are the default security settings in Secure?

By default, with no options, Secure adds no headers and has features like SSLRedirect and FrameDeny disabled. You must explicitly enable options like STSSeconds or ContentTypeNosniff based on the default configuration listed.

Open-Awesome

secure

MITGov1.17.0

A Go HTTP middleware that provides essential security headers and protections for web applications.

GitHub

2.3k stars145 forks0 contributors

What is secure?

Secure is a Go HTTP middleware package that helps developers implement essential web security protections. It provides configurable security headers, host validation, HTTPS enforcement, and other security features that can be easily integrated into Go web applications. The middleware helps prevent common web vulnerabilities like clickjacking, XSS attacks, and protocol downgrades.

Target Audience

Go developers building web applications who need to implement security best practices with minimal configuration. It's particularly useful for developers using frameworks like Chi, Echo, Gin, or Gorilla Mux who want to add security headers without writing custom middleware.

Value Proposition

Secure offers a comprehensive, battle-tested solution for web security in Go applications with sensible defaults and extensive customization options. Unlike piecing together individual security measures, it provides a unified middleware that's framework-agnostic and follows security best practices out of the box.

Overview

HTTP middleware for Go that facilitates some quick security wins.

Use Cases

Best For

Adding security headers to Go web applications
Enforcing HTTPS across an entire application
Implementing Content Security Policy (CSP) in Go
Preventing clickjacking with X-Frame-Options
Restricting access to specific hostnames
Securing Go applications behind reverse proxies

Not Ideal For

Projects using non-Go web frameworks or programming languages
Applications requiring dynamic, per-request security policy changes beyond static configuration
Teams needing built-in security auditing, logging, or advanced threat detection features
High-performance microservices where middleware overhead must be minimized

Pros & Cons

Pros

Wide Framework Compatibility

Integrates seamlessly with popular Go frameworks like Chi, Echo, Gin, and Gorilla Mux, as shown in the README's extensive examples, making it easy to add to existing projects.

Comprehensive Header Support

Covers a broad range of security headers including CSP, HSTS, X-Frame-Options, and newer ones like PermissionsPolicy, with customizable values to meet modern web standards.

Development Mode Convenience

The IsDevelopment option disables restrictive features like HTTPS redirects and host validation during local work, preventing workflow interruptions, as highlighted in the README.

Sensible Defaults with Customization

Offers sensible out-of-the-box configurations while allowing extensive customization through options, such as custom handlers and request functions, enabling both quick wins and fine-grained control.

Cons

Configuration Complexity

With over 20 configuration options, setting up Secure can be verbose and error-prone, especially for developers new to web security, as seen in the lengthy options list.

Go-Exclusive Dependency

Limited to Go applications, making it unsuitable for projects using other programming languages or needing cross-stack security solutions, which restricts its applicability.

Static Policy Definition

Security policies are defined at middleware initialization; dynamic adjustments per request require implementing custom AllowRequestFunc, adding complexity for advanced use cases.

Frequently Asked Questions

Related Projects

age

A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.

Stars22,522

Forks650

Last commit2 months ago

lego

Let's Encrypt/ACME client and library written in Go

Stars9,649

Forks1,144

Last commit6 days ago

CertMagic

Automatic HTTPS for any Go program: fully-managed TLS certificate issuance and renewal

Stars5,562

Forks333

Last commit13 days ago

Cameradar

Cameradar hacks its way into RTSP videosurveillance cameras

Stars5,061

Forks620

Last commit5 days ago

Community-curated · Updated weekly · 100% open source

Found a gem we're missing?

Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.

Submit a project Star on GitHub