
Gojang Framework Security Implementation Summary

This document outlines the security features currently implemented in the Gojang framework.


🔐 Authentication & Password Security

Password Hashing

  • Argon2id algorithm - Memory-hard password hashing and the first choice in the OWASP Password Storage Cheat Sheet (preferred over bcrypt, which is not memory-hard and truncates input at 72 bytes)
  • Parameters: 64 MB memory, 3 iterations, parallelism 2, 16-byte random salt, 32-byte output key (above the OWASP minimum of 19 MiB, 2 iterations, parallelism 1)
  • Location: app/gojang/utils/password.go

Features

  • ✅ Constant-time password comparison (prevents timing attacks on the hash comparison)
  • ✅ Generic error messages (prevents user enumeration) - the same response for an unknown email and for a wrong password; the unknown-email path must also spend the same hashing time, otherwise the difference is measurable
  • ✅ Password field marked as sensitive in database schema
  • ✅ Comprehensive test coverage
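The two enumeration defences above (one error message, one amount of work) are easy to get half right. The following is an added example, not code from the Gojang project: it stores a PHC-style record carrying the parameters and salt, verifies with a constant-time compare, and runs the KDF against a dummy record when the email is unknown so that path costs the same as a wrong password. To keep the file dependency-free it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in KDF; in the project you would call argon2.IDKey from golang.org/x/crypto/argon2 with the parameters listed above. The users map, the iteration count and all names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrInvalidCredentials is the single error returned for an unknown email
// and for a wrong password, so the response cannot be used to enumerate accounts.
var ErrInvalidCredentials = errors.New("invalid email or password")

// hashParams mirrors the page's salt and key sizes. iter belongs to the PBKDF2
// stand-in and is a hypothetical low value so the example runs quickly.
type hashParams struct{ iter, saltLen, keyLen int }

var defaultParams = hashParams{iter: 50_000, saltLen: 16, keyLen: 32}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) on the standard library. It
// stands in for argon2.IDKey(pw, salt, 3, 64*1024, 2, 32) so nothing external is needed.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	for block := 1; len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hashPassword returns "$pbkdf2-sha256$i=N$salt$key"; parameters travel with
// the record so they can be raised later without invalidating old hashes.
func hashPassword(password string, p hashParams) (string, error) {
	salt := make([]byte, p.saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key := pbkdf2SHA256([]byte(password), salt, p.iter, p.keyLen)
	return fmt.Sprintf("$pbkdf2-sha256$i=%d$%s$%s", p.iter,
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(key)), nil
}

// verifyPassword recomputes the key and compares in constant time. A malformed
// record is a mismatch, never a distinguishable error.
func verifyPassword(encoded, password string) bool {
	parts := strings.Split(encoded, "$")
	if len(parts) != 5 || parts[1] != "pbkdf2-sha256" || !strings.HasPrefix(parts[2], "i=") {
		return false
	}
	iter, err := strconv.Atoi(strings.TrimPrefix(parts[2], "i="))
	if err != nil || iter < 1 {
		return false
	}
	salt, errS := base64.RawStdEncoding.DecodeString(parts[3])
	want, errK := base64.RawStdEncoding.DecodeString(parts[4])
	if errS != nil || errK != nil || len(want) == 0 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

// dummyHash is verified when the email is unknown, so that path does the same
// KDF work as a wrong password and cannot be told apart by timing.
var dummyHash = mustHash("not-a-real-password")

func mustHash(pw string) string {
	h, err := hashPassword(pw, defaultParams)
	if err != nil {
		panic(err)
	}
	return h
}

// login takes a constructed email -> stored hash map and returns one error
// for every failure; the result of the dummy verification is discarded.
func login(users map[string]string, email, password string) error {
	stored, known := users[email]
	if !known {
		stored = dummyHash
	}
	ok := verifyPassword(stored, password)
	if !known || !ok {
		return ErrInvalidCredentials
	}
	return nil
}

func main() {
	users := map[string]string{"alice@example.com": mustHash("correct horse battery staple")}
	fmt.Println(login(users, "alice@example.com", "correct horse battery staple"))
	fmt.Println(login(users, "nobody@example.com", "whatever"))
}
```

Whichever KDF is used, the record format and the dummy-verification branch stay the same; only pbkdf2SHA256 and the parameters change.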

🎫 Session Management

Configuration

  • HttpOnly cookies - Script cannot read the session cookie, so an XSS bug cannot exfiltrate the token directly (it can still issue requests as the user)
  • Secure flag in production - Cookie is only sent over HTTPS
  • SameSite: Lax - The cookie is not sent on cross-site POSTs, which blocks most CSRF; it is still sent on top-level cross-site navigations (GET), so the CSRF middleware below remains necessary
  • Idle timeout: 30 minutes - Auto-logout after inactivity
  • Session lifetime: 12 hours (configurable) - Absolute limit regardless of activity
  • Location: app/gojang/http/middleware/session.go

Features

  • ✅ Session token renewed on login (prevents session fixation: a pre-login token an attacker planted never becomes an authenticated one)
  • ✅ Session destroyed server-side on logout
  • ✅ User active status validated on every request
  • ✅ Session data cleared when an account becomes inactive or is deleted
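An added example of the session rules above, written for this page rather than taken from the project's session.go: an in-memory store that enforces both the idle timeout and the absolute lifetime, rotates the token at login, removes the session on logout, and builds the cookie with the listed flags. The store, token format and user IDs are constructed for the example; the project's backend and session library will differ.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"sync"
	"time"
)

const (
	idleTimeout     = 30 * time.Minute // auto-logout after inactivity
	sessionLifetime = 12 * time.Hour   // absolute limit, regardless of activity
)

type session struct {
	userID   int
	created  time.Time
	lastSeen time.Time
}

// sessionStore is a constructed in-memory stand-in for the real backend.
type sessionStore struct {
	mu       sync.Mutex
	sessions map[string]*session
}

func newSessionStore() *sessionStore {
	return &sessionStore{sessions: make(map[string]*session)}
}

// newToken returns 256 bits from crypto/rand; tokens are never derived from
// user data or timestamps.
func newToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// renew is the login path. It discards whatever token the browser arrived
// with (possibly planted by an attacker) and issues a fresh one bound to the
// authenticated user; this is what defeats session fixation.
func (s *sessionStore) renew(oldToken string, userID int, now time.Time) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, oldToken)
	tok := newToken()
	s.sessions[tok] = &session{userID: userID, created: now, lastSeen: now}
	return tok
}

// lookup enforces both limits: idle longer than idleTimeout, or older than
// sessionLifetime in total, ends the session. A hit refreshes lastSeen only.
func (s *sessionStore) lookup(token string, now time.Time) (userID int, ok bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, found := s.sessions[token]
	if !found {
		return 0, false
	}
	if now.Sub(sess.lastSeen) > idleTimeout || now.Sub(sess.created) > sessionLifetime {
		delete(s.sessions, token) // expired entries are removed, not merely hidden
		return 0, false
	}
	sess.lastSeen = now
	return sess.userID, true
}

// destroy is the logout path: server-side removal, so a captured token is
// useless even if the browser keeps the cookie.
func (s *sessionStore) destroy(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, token)
}

// sessionCookie carries the flags from the configuration list; secure is
// false only for development over plain HTTP.
func sessionCookie(token string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
		MaxAge:   int(sessionLifetime.Seconds()),
	}
}

func main() {
	store := newSessionStore()
	t0 := time.Now()
	tok := store.renew("", 42, t0)
	fmt.Println(sessionCookie(tok, true).String())
	_, alive := store.lookup(tok, t0.Add(31*time.Minute))
	fmt.Println("alive after 31 idle minutes:", alive)
}
```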

🛡️ CSRF Protection

Implementation

  • Library: github.com/justinas/nosurf
  • Coverage: All authentication, post, user, and admin routes
  • Method: Double-submit cookie pattern - a random token is set in a cookie and must be echoed back in a hidden form field or the X-CSRF-Token header on every state-changing request; a cross-site page can trigger the request but cannot read the cookie to fill in the token. The pattern relies on cookie integrity, so the token cookie must be Secure and must not be settable from sibling subdomains.

Protected Routes

  • ✅ Login and registration forms (login CSRF is still an attack: it logs the victim into an attacker-controlled account)
  • ✅ All POST/PUT/DELETE requests
  • ✅ Admin panel operations
  • ✅ User management endpoints

Locations

  • app/cmd/web/main.go:109 (auth routes)
  • app/posts/posts.route.go:14 (post routes)
  • app/gojang/http/routes/users.go:14 (user routes)
  • app/gojang/admin/admin_routes.go:13 (admin routes)
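To make the double-submit mechanics concrete, here is an added, self-contained middleware written for this page (it is not nosurf and not the project's code; nosurf additionally masks the token per response against BREACH, which this omits). Safe methods receive a token cookie; every other method must present the same value in X-CSRF-Token or the csrf_token form field, compared in constant time. The cookie name uses the __Host- prefix so browsers refuse it unless it is Secure, Path=/ and Domain-less, closing the subdomain-planting weakness mentioned above. Route names and the cookie/field names are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// csrfCookieName: the __Host- prefix makes browsers reject the cookie unless
// it is Secure, has Path=/ and no Domain, so a sibling subdomain cannot plant
// its own token and forge a matching form field.
const csrfCookieName = "__Host-csrf"

type csrfKey struct{}

func newCSRFToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b) // 43 characters
}

// csrfToken returns the token attached to the request, for templates to
// render into a hidden csrf_token field.
func csrfToken(r *http.Request) string {
	tok, _ := r.Context().Value(csrfKey{}).(string)
	return tok
}

// csrfProtect implements the double-submit cookie pattern.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var token string
		if c, err := r.Cookie(csrfCookieName); err == nil && len(c.Value) == 43 {
			token = c.Value
		} else {
			token = newCSRFToken()
			http.SetCookie(w, &http.Cookie{
				Name: csrfCookieName, Value: token, Path: "/",
				Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
			})
		}
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
			// read-only methods: no check, but the cookie is issued here
		default:
			sent := r.Header.Get("X-CSRF-Token")
			if sent == "" {
				sent = r.PostFormValue("csrf_token")
			}
			// A POST without the cookie gets a fresh random token above and
			// can never match: that is the intended 403.
			if subtle.ConstantTimeCompare([]byte(sent), []byte(token)) != 1 {
				http.Error(w, "Forbidden - CSRF token invalid", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), csrfKey{}, token)))
	})
}

func main() {
	h := csrfProtect(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "ok, token=%s", csrfToken(r))
	}))
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodPost, "/posts", nil))
	fmt.Println(rr.Code) // cross-site POST with no cookie and no token
}
```

Because the token cookie is HttpOnly, the template must obtain the value from csrfToken(r) server-side, exactly as nosurf exposes it via nosurf.Token(r).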

โฑ๏ธ Rate Limitingโ€‹

Featuresโ€‹

  • Per-IP rate limiting - Prevents brute force attacks
  • Authentication endpoints: 5 requests per minute, burst of 10
  • Proper IP extraction - Handles X-Forwarded-For securely
  • Memory cleanup - Periodic cleanup of inactive limiters

Implementationโ€‹

  • Location: app/gojang/http/middleware/ratelimit.go
  • Applied to: Login and registration endpoints
  • IP validation: Extracts real client IP from X-Forwarded-For (first/leftmost IP)
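An added example for this page (not the project's ratelimit.go) of the robust extraction rule together with a per-IP token bucket at the page's 5-per-minute, burst-10 setting and the periodic cleanup. The trusted-proxy ranges, addresses and request shapes are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
	"time"
)

// trustedProxies is a constructed list of the reverse proxies in front of the
// app; each appends the peer it saw to X-Forwarded-For. Load from config in practice.
var trustedProxies = mustCIDRs("10.0.0.0/8", "127.0.0.0/8")

func mustCIDRs(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

func isTrustedProxy(ip net.IP) bool {
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientIP is the key for rate limits and audit logs. X-Forwarded-For is
// consulted only when the TCP peer is a trusted proxy, and read from the
// right: the rightmost entry that is not a trusted proxy is the real client.
// The leftmost entry is whatever the client chose to send.
func clientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	if peer := net.ParseIP(host); peer == nil || !isTrustedProxy(peer) {
		return host
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed header: fall back to the proxy address rather than guess
		}
		if !isTrustedProxy(ip) {
			return ip.String()
		}
	}
	return host
}

// bucket holds tokens up to burst, refilled at rate tokens per second.
type bucket struct {
	tokens float64
	last   time.Time
}

type ipLimiter struct {
	mu          sync.Mutex
	rate, burst float64
	buckets     map[string]*bucket
}

// newIPLimiter(5, 10) is the page's setting for the auth endpoints.
func newIPLimiter(perMinute, burst int) *ipLimiter {
	return &ipLimiter{rate: float64(perMinute) / 60, burst: float64(burst), buckets: map[string]*bucket{}}
}

func (l *ipLimiter) allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b, ok := l.buckets[key]
	if !ok {
		b = &bucket{tokens: l.burst, last: now}
		l.buckets[key] = b
	}
	b.tokens += now.Sub(b.last).Seconds() * l.rate
	if b.tokens > l.burst {
		b.tokens = l.burst
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// cleanup drops buckets idle long enough to be full again; run it on a
// ticker so the map does not grow with every address that ever hit the endpoint.
func (l *ipLimiter) cleanup(now time.Time) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	full := time.Duration(l.burst / l.rate * float64(time.Second))
	removed := 0
	for k, b := range l.buckets {
		if now.Sub(b.last) >= full {
			delete(l.buckets, k)
			removed++
		}
	}
	return removed
}

func main() {
	req := httptest.NewRequest(http.MethodPost, "/login", nil)
	req.RemoteAddr = "203.0.113.5:40000"           // direct client, not a proxy
	req.Header.Set("X-Forwarded-For", "1.1.1.1") // spoof attempt, ignored
	fmt.Println(clientIP(req))
}
```

In the middleware, a denied request should answer 429 with a Retry-After header; the limiter key is clientIP(r), never RemoteAddr alone behind a proxy (everything would share the proxy's address) and never the raw header (trivially spoofed).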

🔒 Security Headers

Headers Configured

  1. Content-Security-Policy (CSP)

    • default-src 'self' - Only load resources from same origin
    • script-src 'self' 'unsafe-inline' https://unpkg.com - Script sources. Caveat: 'unsafe-inline' lets any injected inline <script> run, so this policy does not mitigate XSS; the hardened form replaces it with a per-response nonce or script hashes. Allowlisting https://unpkg.com permits every package hosted there, so pin the exact scripts or self-host them.
    • style-src 'self' 'unsafe-inline' - Style sources
    • img-src 'self' data: https: - Image sources
    • frame-ancestors 'none' - Clickjacking protection
  2. X-Frame-Options: DENY

    • Prevents clickjacking in browsers that predate frame-ancestors; equivalent to the frame-ancestors 'none' directive above
  3. X-Content-Type-Options: nosniff

    • Prevents MIME type sniffing attacks
  4. Referrer-Policy: strict-origin-when-cross-origin

    • Only the origin (no path or query) is sent as referrer to other sites, and nothing at all on an HTTPS to HTTP downgrade
  5. Permissions-Policy

    • Restricts geolocation, microphone, and camera access
  6. Strict-Transport-Security (HSTS)

    • Enforces HTTPS connections (production only); browsers only honour the header when it arrives over HTTPS
    • max-age=31536000; includeSubDomains - one year; includeSubDomains commits every subdomain to HTTPS as well, so check them before deploying

Location

  • app/gojang/http/middleware/security.go

🌐 HTTPS Enforcement

Features

  • Automatic HTTPS redirect in production
  • X-Forwarded-Proto support - Works behind a reverse proxy that terminates TLS. The header must be trusted only when the proxy sets it itself and strips any client-supplied value; otherwise a client can send X-Forwarded-Proto: https and skip the redirect.
  • Debug mode bypass - Development remains on HTTP

Implementation

  • Location: app/gojang/http/middleware/security.go (EnforceHTTPS)
  • Applied: Globally before all other middleware, so no handler ever serves an http:// request
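The following is an added example covering both the headers section and HTTPS enforcement; it is written for this page and is not the project's security.go. It differs from the listed configuration in two deliberate ways: script-src carries a per-response nonce instead of 'unsafe-inline', and HSTS is only emitted on HTTPS responses. It also adds base-uri and form-action, which the page's CSP does not list. X-Forwarded-Proto is honoured only when trustProxy is set. Hostnames, the debug and trustProxy flags and the handler wiring are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type nonceKey struct{}

// cspNonce returns the per-response nonce for templates to put on inline
// <script nonce="..."> tags; anything without it is blocked by the CSP.
func cspNonce(r *http.Request) string {
	n, _ := r.Context().Value(nonceKey{}).(string)
	return n
}

// isHTTPS reports whether the client connection was TLS. Behind a reverse
// proxy the app sees plain HTTP, so X-Forwarded-Proto is consulted, but only
// when trustProxy is set: the proxy must overwrite that header, otherwise a
// client can claim "https" and skip the redirect.
func isHTTPS(r *http.Request, trustProxy bool) bool {
	if r.TLS != nil {
		return true
	}
	return trustProxy && r.Header.Get("X-Forwarded-Proto") == "https"
}

// enforceHTTPS redirects plaintext requests with 308 (method and body are
// preserved) unless debug is on. It runs outermost so nothing else sees an
// http:// request.
func enforceHTTPS(debug, trustProxy bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !debug && !isHTTPS(r, trustProxy) {
			u := *r.URL
			u.Scheme, u.Host = "https", r.Host
			http.Redirect(w, r, u.String(), http.StatusPermanentRedirect)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// securityHeaders sets the response headers from the list above, with a
// nonce in place of 'unsafe-inline' for scripts and HSTS only over HTTPS.
func securityHeaders(trustProxy bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
		nonce := base64.StdEncoding.EncodeToString(b)
		h := w.Header()
		h.Set("Content-Security-Policy",
			"default-src 'self'; script-src 'self' 'nonce-"+nonce+"' https://unpkg.com; "+
				"style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "+
				"frame-ancestors 'none'; base-uri 'self'; form-action 'self'")
		h.Set("X-Frame-Options", "DENY")
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		h.Set("Permissions-Policy", "geolocation=(), microphone=(), camera=()")
		if isHTTPS(r, trustProxy) {
			h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

// newHandler wires the two middlewares in the order the page describes:
// HTTPS enforcement first, then headers, then the application.
func newHandler(debug, trustProxy bool, app http.Handler) http.Handler {
	return enforceHTTPS(debug, trustProxy, securityHeaders(trustProxy, app))
}

func main() {
	h := newHandler(false, true, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<script nonce=%q>/* inline, permitted by nonce */</script>", cspNonce(r))
	}))
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "http://gojang.example/", nil))
	fmt.Println(rr.Code, rr.Header().Get("Location"))
}
```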

✅ Input Validation

Server-Side Validation

  • Library: github.com/go-playground/validator/v10
  • Location: app/views/forms/forms.go

Validated Fields

  • ✅ Email format validation
  • ✅ Password minimum length (8 characters)
  • ✅ Required field validation
  • ✅ Password confirmation matching
  • ✅ Field length limits

Features

  • User-friendly error messages
  • Form-specific validation structs
  • Type-safe validation

💾 Database Security

ORM Protection

  • Ent ORM - Prevents SQL injection by sending every value as a bound query parameter, never by string concatenation
  • Location: app/gojang/models/
  • No raw SQL queries - All database access through the ORM. Ent's escape hatches for hand-written SQL predicates are the one place injection could return; keep them out of the codebase or review each use.

Features

  • ✅ Automatic query parameterization
  • ✅ Type-safe database operations
  • ✅ Foreign key constraints enabled
  • ✅ Schema migrations managed automatically

👤 Authorization & Access Control

Role-Based Access Control (RBAC)

  • Roles: regular user, staff, superuser
  • Fields: is_active, is_staff, is_superuser
  • Location: app/schema/user.go

Middleware Protection

  1. RequireAuth - Ensures user is authenticated
  2. RequireStaff - Ensures user has staff role
  3. LoadUser - Loads user from session (optional auth); RequireAuth and RequireStaff depend on it having run first, so middleware order matters

Features

  • ✅ Ownership checks for resource access (role alone is not enough: a regular user may only act on their own resources)
  • ✅ Admin action audit logging
  • ✅ Active user validation
  • ✅ Graceful handling of deleted/inactive users
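An added example of the three middlewares and the ownership check, written for this page and not taken from the project: LoadUser treats a deleted or inactive account as anonymous and expires its cookie, RequireStaff builds on RequireAuth, and the ownership check answers 404 for both a missing resource and someone else's, so a probing user cannot map which IDs exist. The resolver, the owner lookup and the session tokens are constructed stand-ins for the project's session store and Ent queries.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// user mirrors the is_active / is_staff / is_superuser fields of app/schema/user.go.
type user struct {
	ID                       int
	Email                    string
	Active, Staff, Superuser bool
}

type userKey struct{}

// resolveUser maps a session token to a user record (constructed stand-in
// for the session store plus Ent query).
type resolveUser func(sessionToken string) (*user, bool)

// loadUser is the optional-auth middleware. A valid session for an active
// account attaches the user; a deleted or inactive account is treated as
// anonymous and its cookie is expired so the next request carries no session.
func loadUser(resolve resolveUser, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("session"); err == nil {
			if u, ok := resolve(c.Value); ok && u.Active {
				r = r.WithContext(context.WithValue(r.Context(), userKey{}, u))
			} else {
				http.SetCookie(w, &http.Cookie{Name: "session", Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
			}
		}
		next.ServeHTTP(w, r)
	})
}

func currentUser(r *http.Request) *user {
	u, _ := r.Context().Value(userKey{}).(*user)
	return u
}

// requireAuth sends anonymous requests to the login page.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if currentUser(r) == nil {
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireStaff builds on requireAuth, so it never sees a nil user. Superusers count as staff.
func requireStaff(next http.Handler) http.Handler {
	return requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u := currentUser(r); !u.Staff && !u.Superuser {
			http.Error(w, "Forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	}))
}

// ownerOf returns the owner of the resource the request addresses, or false
// when it does not exist (constructed lookup; an Ent query in practice).
type ownerOf func(r *http.Request) (ownerID int, found bool)

// requireOwner admits the owner or a superuser. A missing resource and a
// foreign one both answer 404, so existence of IDs is not revealed.
func requireOwner(owner ownerOf, next http.Handler) http.Handler {
	return requireAuth(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := currentUser(r)
		id, found := owner(r)
		if !found || (id != u.ID && !u.Superuser) {
			http.NotFound(w, r)
			return
		}
		next.ServeHTTP(w, r)
	}))
}

func main() {
	resolve := func(tok string) (*user, bool) { // constructed single session
		if tok == "staff-session" {
			return &user{ID: 2, Email: "staff@example.com", Active: true, Staff: true}, true
		}
		return nil, false
	}
	admin := loadUser(resolve, requireStaff(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "admin panel for", currentUser(r).Email)
	})))
	rr := httptest.NewRecorder()
	admin.ServeHTTP(rr, httptest.NewRequest(http.MethodGet, "/admin", nil))
	fmt.Println(rr.Code) // anonymous request is redirected to /login
}
```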

📊 Audit Logging

Features

  • Structured logging - Using Zap logger (JSON output)
  • Admin actions tracked - All admin panel operations logged
  • IP address logging - Real client IP (properly extracted; it must follow the same X-Forwarded-For trust rules as rate limiting, otherwise a client can write an address of their choosing into the audit trail)
  • Request/response tracking - Duration, status codes, user info

Logged Information

  • User ID and email
  • Action performed
  • Resource accessed
  • Client IP address
  • Timestamp and duration
  • Response status code

Location

  • app/gojang/http/middleware/audit.go

๐Ÿ” Security Disclosureโ€‹

security.txtโ€‹

  • Location: /.well-known/security.txt
  • Contact: security@gojangframework.org
  • Response time: Within 48 hours
  • Safe harbor policy - Supports responsible disclosure

🧪 Security Testing & CI/CD

Automated Scanning

  1. gosec - Go security checker

    • Static analysis for common security issues (hard-coded credentials, weak cryptographic primitives, unchecked errors, permissive file modes)
    • Runs on every pull request
  2. govulncheck - Vulnerability scanner

    • Checks the dependency tree against the Go vulnerability database and reports only vulnerabilities in functions the code actually reaches, which keeps noise low
    • Runs on every pull request

CI/CD Integration

  • Location: .github/workflows/test.yml
  • Runs automatically on pull requests
  • Reports findings in GitHub Actions

๐Ÿ“ Configuration Securityโ€‹

Environment Variablesโ€‹

  • Required fields validated - DATABASE_URL, SESSION_KEY
  • Debug mode warning - Logs warning when DEBUG=true
  • No default secrets - .env.example requires manual secret generation

Secret Generationโ€‹

# Generate SESSION_KEY
openssl rand -base64 32

Featuresโ€‹

  • โœ… Secrets never committed to repository
  • โœ… .env file gitignored
  • โœ… .env.example provides template (no actual secrets)

🔧 Error Handling

Security Features

  • Generic error messages - Don't expose internal details (stack traces, file paths, SQL) to clients
  • Structured logging - Sensitive data (passwords, session tokens, secrets) never logged
  • Custom error pages - 404 handler configured

Features

  • ✅ Stack traces hidden in production
  • ✅ Database errors sanitized before they reach the response
  • ✅ Authentication failures return generic messages

📚 Documentation

Security Documentation


🎯 Production Deployment Checklist

Essential security items for production:

  • Set DEBUG=false in environment
  • Generate secure random SESSION_KEY
  • Enable PostgreSQL SSL (sslmode=require at minimum; sslmode=verify-full also verifies the server certificate and so prevents man-in-the-middle)
  • Configure HTTPS with a valid TLS certificate
  • Set ALLOWED_HOSTS to production domains
  • Review and test all security headers
  • Set up centralized logging
  • Configure monitoring and alerting
  • Test rate limiting is working
  • Verify HTTPS redirect is active
  • Review audit logs are being captured
  • Set up regular security scanning
  • Document incident response procedures

🔄 Regular Maintenance

  • Dependency updates: Review monthly
  • Security patches: Apply immediately when available
  • Penetration testing: Annually or after major changes
  • Code reviews: Include security checklist
  • Monitoring: Review audit logs regularly
  • Backups: Test restoration procedures quarterly

Last Updated: 2025-10-14
Framework Version: Gojang v1.0