Question 1

How to force HTTPS redirects with Secure in Go?

Accepted Answer

Set SSLRedirect to true and optionally specify SSLHost for custom redirects. For proxy setups, configure SSLProxyHeaders to handle forwarded protocols, as detailed in the README example with separate HTTP and HTTPS servers.

Question 2

Secure vs gorilla/csrf for Go security?

Accepted Answer

Secure focuses on HTTP headers and host validation to prevent attacks like clickjacking and XSS, while gorilla/csrf handles Cross-Site Request Forgery protection. They are complementary and can be used together for layered security.

Question 3

How to add a nonce to Content Security Policy in Secure?

Accepted Answer

Use the ContentSecurityPolicy option with a template string containing $NONCE, which Secure dynamically replaces with a unique nonce per request. The README shows this with the CSP Builder for easier policy creation.

Question 4

Does Secure work correctly behind Nginx or other reverse proxies?

Accepted Answer

Yes, configure HostsProxyHeaders for host validation and SSLProxyHeaders for HTTPS detection to ensure proper behavior. The README provides examples with maps like {"X-Forwarded-Proto": "https"} for proxy compatibility.

Question 5

How to disable security features during development?

Accepted Answer

Set IsDevelopment to true, which disables AllowedHosts, SSLRedirect, and STS headers, allowing HTTP access and localhost usage without redirects. Remember to set it to false in production.

Question 6

What are the default security settings in Secure?

Accepted Answer

By default, with no options, Secure adds no headers and has features like SSLRedirect and FrameDeny disabled. You must explicitly enable options like STSSeconds or ContentTypeNosniff based on the default configuration listed.

secure

What is secure?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions