Package securityprofile, v2.1.0 (latest)
Published: May 2, 2026 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package securityprofile provides security posture defaults.

Package securityprofile composes stable secure middleware defaults.

Profiles bundle common HTTP hardening choices such as body limits, timeouts, security headers, and related middleware. Applications should still review browser, auth, metrics, and system endpoint settings before deploying a profile unchanged.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ErrorWriter

type ErrorWriter func(http.ResponseWriter, int, httpx.Problem)

ErrorWriter allows overriding how security profile errors are written.

type Option

type Option func(*options)

Option customizes the security profile.

func WithAuthAllowlist

func WithAuthAllowlist(paths ...string) Option

WithAuthAllowlist sets paths that bypass auth checks.

func WithAuthCheck

func WithAuthCheck(fn func(*http.Request) bool) Option

WithAuthCheck sets a function that determines whether a request is authenticated.

func WithDevBypassHeader

func WithDevBypassHeader(header string, allow bool) Option

WithDevBypassHeader sets a development-only auth bypass header.

func WithErrorWriter

func WithErrorWriter(fn ErrorWriter) Option

WithErrorWriter overrides the error writer.

func WithHardTimeout added in v2.1.0

func WithHardTimeout(d time.Duration) Option

WithHardTimeout sets a hard wall-clock response timeout. It still propagates a request context deadline, and it also sends a 504 Problem Details response when a handler ignores cancellation long enough to exceed the deadline. The underlying hard-timeout middleware buffers responses and is not appropriate for streaming, websocket upgrades, or handlers that need optional http.ResponseWriter interfaces.

func WithHardTimeoutMaxCaptureBytes added in v2.1.0

func WithHardTimeoutMaxCaptureBytes(n int64) Option

WithHardTimeoutMaxCaptureBytes sets the response capture limit used by WithHardTimeout. A value of zero preserves the middleware default. Hard timeout still buffers responses and remains unsuitable for streaming routes.

func WithMaxBodyBytes

func WithMaxBodyBytes(n int64) Option

WithMaxBodyBytes sets the maximum request body size.

func WithQueryLimits

func WithQueryLimits(opts querylimits.Options) Option

WithQueryLimits overrides query limits middleware options.

func WithQueryLimitsDisabled

func WithQueryLimitsDisabled() Option

WithQueryLimitsDisabled disables query limits enforcement.

func WithRateLimitDisabled

func WithRateLimitDisabled() Option

WithRateLimitDisabled disables rate limiting.

func WithRateLimitOptions

func WithRateLimitOptions(opts ratelimit.Options) Option

WithRateLimitOptions configures rate limiting options.

func WithRequireAuth

func WithRequireAuth(required bool) Option

WithRequireAuth sets whether authentication is required by default.
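The auth-related options above (WithRequireAuth, WithAuthAllowlist, WithAuthCheck, WithDevBypassHeader, and the ErrorWriter used to emit the Problem Details response) describe a gate whose order of evaluation matters. The following is an added, self-contained example of such a gate, not the securityprofile package's own code: the authGate type, its exact-path allowlist matching, the X-Dev-Bypass header name, the bearer-token check and the SampleToken value are all assumptions made for this illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SampleToken is a constructed credential for the demo; a real deployment gets this from its authenticator.
const SampleToken = "demo-token-not-a-real-secret"

// problem mirrors the RFC 7807 Problem Details shape an ErrorWriter receives (assumed layout).
type problem struct {
	Type   string `json:"type"`
	Title  string `json:"title"`
	Status int    `json:"status"`
}

// writeProblem is the default error writer; a profile user would swap it via WithErrorWriter.
func writeProblem(w http.ResponseWriter, status int, p problem) {
	w.Header().Set("Content-Type", "application/problem+json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(p)
}

// authGate is a hypothetical stand-in for the auth options; field names follow the page's option names.
type authGate struct {
	required        bool                     // WithRequireAuth
	allowlist       map[string]struct{}      // WithAuthAllowlist, matched on the exact path (assumption)
	check           func(*http.Request) bool // WithAuthCheck
	devBypassHeader string                   // WithDevBypassHeader(header, allow)
	devBypassAllow  bool
}

// Middleware evaluates the gate in a fixed order: not required, allowlisted path, dev bypass, then the check.
func (g authGate) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case !g.required:
			next.ServeHTTP(w, r)
		case g.isAllowlisted(r.URL.Path):
			next.ServeHTTP(w, r)
		case g.devBypassAllow && g.devBypassHeader != "" && r.Header.Get(g.devBypassHeader) != "":
			// Only an explicit allow=true honours the header; its mere presence is never enough.
			next.ServeHTTP(w, r)
		case g.check != nil && g.check(r):
			next.ServeHTTP(w, r)
		default:
			writeProblem(w, http.StatusUnauthorized, problem{Type: "about:blank", Title: "Unauthorized", Status: 401})
		}
	})
}

// isAllowlisted uses exact matching; prefix matching would widen the set of unauthenticated paths.
func (g authGate) isAllowlisted(path string) bool {
	_, ok := g.allowlist[path]
	return ok
}

// bearerCheck compares the Authorization header against SampleToken in constant time.
func bearerCheck(r *http.Request) bool {
	got := []byte(r.Header.Get("Authorization"))
	want := []byte("Bearer " + SampleToken)
	return subtle.ConstantTimeCompare(got, want) == 1
}

// NewGate builds the demo gate; allowBypass mirrors the bool argument of WithDevBypassHeader.
func NewGate(allowBypass bool) authGate {
	return authGate{
		required:        true,
		allowlist:       map[string]struct{}{"/healthz": {}},
		check:           bearerCheck,
		devBypassHeader: "X-Dev-Bypass",
		devBypassAllow:  allowBypass,
	}
}

// StatusFor sends one in-memory request through the gate and returns the resulting status code.
func StatusFor(g authGate, method, path string, headers map[string]string) int {
	h := g.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, path, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	g := NewGate(false)
	fmt.Println("GET /healthz, no credentials:", StatusFor(g, "GET", "/healthz", nil))
	fmt.Println("GET /orders, no credentials:", StatusFor(g, "GET", "/orders", nil))
	fmt.Println("GET /orders, bypass header but allow=false:", StatusFor(g, "GET", "/orders", map[string]string{"X-Dev-Bypass": "1"}))
	fmt.Println("GET /orders, valid bearer:", StatusFor(g, "GET", "/orders", map[string]string{"Authorization": "Bearer " + SampleToken}))
}
```

The point worth checking in any such stack is the third case: a bypass header configured with allow=false must behave exactly as if it were not configured at all, so the same request that passes with NewGate(true) gets a 401 from NewGate(false).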

func WithResolver

func WithResolver(resolver identity.Resolver) Option

WithResolver sets the identity resolver for trusted proxy checks.

func WithRouteOverrides

func WithRouteOverrides(overrides ...RouteOverride) Option

WithRouteOverrides sets per-route limit overrides.

func WithSecureOptions

func WithSecureOptions(opts ...securemw.Option) Option

WithSecureOptions appends secure header middleware options.

func WithTimeout

func WithTimeout(d time.Duration) Option

WithTimeout sets a cooperative per-request context deadline. It does not enforce a wall-clock response cutoff by itself.
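The distinction the WithTimeout and WithHardTimeout docs draw, a cooperative context deadline versus a buffered wall-clock cutoff, is easiest to see by running both against a handler that ignores cancellation. The block below is an added example written for this page, not the package's middleware: CooperativeTimeout, HardTimeout, the capture buffer and the Worker handler are hypothetical stand-ins, plain-text http.Error responses stand in for the Problem Details body, and the capture-size limit of WithHardTimeoutMaxCaptureBytes is not modelled.

```go
package main

import (
	"bytes"
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// CooperativeTimeout is WithTimeout-style: it only attaches a deadline to the request context.
func CooperativeTimeout(next http.Handler, d time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), d)
		defer cancel()
		next.ServeHTTP(w, r.WithContext(ctx)) // a handler that ignores ctx.Done() runs to completion
	})
}

// capture buffers the whole response; nothing reaches the client until the handler returns,
// which is why this approach cannot serve streaming or upgraded connections.
type capture struct {
	header http.Header
	status int
	body   bytes.Buffer
}

func (c *capture) Header() http.Header { return c.header }
func (c *capture) WriteHeader(s int) {
	if c.status == 0 {
		c.status = s
	}
}
func (c *capture) Write(p []byte) (int, error) {
	c.WriteHeader(http.StatusOK)
	return c.body.Write(p)
}

// HardTimeout is WithHardTimeout-style: the handler runs in its own goroutine against the buffer,
// and if the deadline wins the race the client gets a 504 whatever the handler does afterwards.
func HardTimeout(next http.Handler, d time.Duration) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), d)
		defer cancel()
		c := &capture{header: http.Header{}}
		done := make(chan struct{})
		go func() { defer close(done); next.ServeHTTP(c, r.WithContext(ctx)) }()
		select {
		case <-done:
			c.WriteHeader(http.StatusOK) // a handler that wrote nothing still gets a 200
			for k, v := range c.header {
				w.Header()[k] = v
			}
			w.WriteHeader(c.status)
			_, _ = w.Write(c.body.Bytes())
		case <-ctx.Done():
			// The handler goroutine is still running: the cutoff bounds the client's wait, not the work.
			http.Error(w, "handler exceeded hard timeout", http.StatusGatewayTimeout)
		}
	})
}

// Worker simulates a handler that needs `work` time; when cooperative it stops at cancellation.
func Worker(work time.Duration, cooperative bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !cooperative {
			time.Sleep(work)
			_, _ = w.Write([]byte("done"))
			return
		}
		select {
		case <-time.After(work):
			_, _ = w.Write([]byte("done"))
		case <-r.Context().Done():
			http.Error(w, "cancelled by context deadline", http.StatusServiceUnavailable)
		}
	})
}

// Run issues one in-memory request and returns the status and wall-clock wait the client saw.
func Run(h http.Handler) (int, time.Duration) {
	rr := httptest.NewRecorder()
	start := time.Now()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/", nil))
	return rr.Code, time.Since(start)
}

func main() {
	const deadline, slow = 50 * time.Millisecond, 400 * time.Millisecond
	s1, e1 := Run(CooperativeTimeout(Worker(slow, false), deadline))
	s2, e2 := Run(HardTimeout(Worker(slow, false), deadline))
	fmt.Printf("stubborn handler: cooperative timeout -> %d after %v; hard timeout -> %d after %v\n",
		s1, e1.Round(time.Millisecond), s2, e2.Round(time.Millisecond))
}
```

Under the cooperative timeout the stubborn handler still returns 200 after the full 400 ms, because nothing enforces the deadline but the handler itself; under the hard timeout the client sees a 504 at about 50 ms, while the abandoned goroutine keeps its goroutine, memory and any downstream connections until it finishes on its own. That leak is the cost the WithHardTimeout doc is pointing at when it says the middleware still propagates the context deadline: handlers should honour cancellation, and the hard cutoff is the backstop for those that do not.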

func WithTimeoutDisabled

func WithTimeoutDisabled() Option

WithTimeoutDisabled disables request context deadlines.

type Profile

type Profile struct {
	Middlewares []func(http.Handler) http.Handler
}

Profile describes a composed security middleware stack.

func New

func New(opts ...Option) (Profile, error)

New builds a security profile using the provided options.

func OWASPBaseline

func OWASPBaseline(opts ...Option) (Profile, error)

OWASPBaseline returns a security profile that aligns with OWASP API resource limits.

func (Profile) Apply

func (p Profile) Apply(r ports.HTTPRouter)

Apply attaches the profile middlewares to the router.

func (Profile) ApplyTo added in v2.1.0

func (p Profile) ApplyTo(r ports.MiddlewareChain)

ApplyTo attaches the profile middlewares to a minimal middleware chain.

type RouteOverride

type RouteOverride struct {
	Pattern string
	Methods []string

	MaxBodyBytes               *int64
	QueryLimits                *querylimits.Options
	QueryLimitsEnabled         *bool
	Timeout                    *time.Duration
	TimeoutEnabled             *bool
	HardTimeout                *bool
	HardTimeoutMaxCaptureBytes *int64
	RateLimit                  *ratelimit.Options
	RateLimitEnabled           *bool
}

RouteOverride customizes limits for matching requests.
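Every limit field of RouteOverride is a pointer, which is the usual Go idiom for "nil means inherit the profile default". The block below is an added example of how such overrides resolve against a base configuration; it is not the package's own resolution code. The Limits type, the exact-path matching of Pattern, the first-match-wins rule, and the BaseLimits and SampleOverrides values are assumptions made for the illustration (only a subset of the page's fields is carried through, to keep the example short).

```go
package main

import (
	"fmt"
	"time"
)

// Limits is the fully resolved configuration for one request (assumed shape; the page shows
// only the override struct, not what it resolves into).
type Limits struct {
	MaxBodyBytes     int64
	Timeout          time.Duration
	TimeoutEnabled   bool
	HardTimeout      bool
	RateLimitEnabled bool
}

// RouteOverride mirrors a subset of the page's struct: every limit is a pointer, and nil means "inherit".
type RouteOverride struct {
	Pattern          string
	Methods          []string
	MaxBodyBytes     *int64
	Timeout          *time.Duration
	TimeoutEnabled   *bool
	HardTimeout      *bool
	RateLimitEnabled *bool
}

// Matches assumes an exact path match and an empty Methods slice meaning "any method".
func (o RouteOverride) Matches(method, path string) bool {
	if o.Pattern != path {
		return false
	}
	if len(o.Methods) == 0 {
		return true
	}
	for _, m := range o.Methods {
		if m == method {
			return true
		}
	}
	return false
}

// EffectiveLimits applies the first matching override on top of base. Only non-nil fields replace
// the base value: a nil pointer must never collapse to a zero (0 bytes, 0 timeout, false), because
// that would silently loosen or tighten a limit the override author never mentioned.
func EffectiveLimits(base Limits, overrides []RouteOverride, method, path string) Limits {
	out := base
	for _, o := range overrides {
		if !o.Matches(method, path) {
			continue
		}
		if o.MaxBodyBytes != nil {
			out.MaxBodyBytes = *o.MaxBodyBytes
		}
		if o.Timeout != nil {
			out.Timeout = *o.Timeout
		}
		if o.TimeoutEnabled != nil {
			out.TimeoutEnabled = *o.TimeoutEnabled
		}
		if o.HardTimeout != nil {
			out.HardTimeout = *o.HardTimeout
		}
		if o.RateLimitEnabled != nil {
			out.RateLimitEnabled = *o.RateLimitEnabled
		}
		return out
	}
	return out
}

func ptr[T any](v T) *T { return &v }

// BaseLimits and SampleOverrides are constructed demo values, not the library's defaults.
func BaseLimits() Limits {
	return Limits{MaxBodyBytes: 1 << 20, Timeout: 10 * time.Second, TimeoutEnabled: true, RateLimitEnabled: true}
}

func SampleOverrides() []RouteOverride {
	return []RouteOverride{
		{Pattern: "/upload", Methods: []string{"POST"}, MaxBodyBytes: ptr(int64(50 << 20)), Timeout: ptr(60 * time.Second)},
		{Pattern: "/healthz", RateLimitEnabled: ptr(false), TimeoutEnabled: ptr(false)},
	}
}

func main() {
	for _, rq := range [][2]string{{"POST", "/upload"}, {"GET", "/upload"}, {"GET", "/healthz"}} {
		fmt.Printf("%s %s -> %+v\n", rq[0], rq[1], EffectiveLimits(BaseLimits(), SampleOverrides(), rq[0], rq[1]))
	}
}
```

The case to watch when writing or reviewing this kind of merge is the upload route: it raises the body limit and the timeout but says nothing about TimeoutEnabled or RateLimitEnabled, so both must remain true from the base profile. A merge that copied the dereferenced value unconditionally, or that used non-pointer fields, would turn those omissions into "disabled".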
