Securing Go web applications - dchest
https://stablelib.com/blog/securing-golang-web-apps/

======
gabesullice
Definitely a cool collection of, as the article calls them "quick wins." The
stablelib.com business model is pretty interesting too. Not sure what to think
about it.

~~~
mlinksva
The business is subscription, getting access to a (proprietary?) command line
tool and "exclusive" (subscriber-only, proprietary?) training materials?
That's what I guess from the home page. Accurate?

~~~
dchest
Mostly it's for commercial support (maintenance: bug fixes, backporting of
patches, security alerts, and technical support) of the packages included in
the distribution, as we don't have the tool (will probably be open sourced) or
exclusive content yet. Thanks for the interest!

~~~
allendoerfer
How do you defend yourself against somebody just mirroring the libraries?

I was just researching licenses for a similar business model (in a completely
different field) and came to the conclusion that it does not really work.

AGPL would somewhat work, but would still have the downside that commercial
entities could use the software just for tooling and internal processes, which
most software is used for anyway.

In my mind Open Source prevents commercial use of applications only if the
software is very likely to be shipped to the client, for example Qt.

With libraries it might look different, because people just get used to them
and want to use them everywhere.

I would be very interested to hear your input!

~~~
dchest
Sorry for the late reply! Since the original upstream packages are all open
source, there's pretty much no point in mirroring. The major value of such
business is mainly commercial support, which includes maintaining
compatibility and solving the problems that clients have with packages.

------
eatonphil
I guess it's great to know you /could/ do this in Go. But wouldn't anyone
serious about these particular options just choose to apply them in Nginx?
It's not like Go has completely kicked Nginx out of the mix. I still use it
for static files (I trust/know Nginx caching) and for SSL termination (though
yes, this /could/ be done in Go).

Would you use these options in Go or would you just set them at the
reverse-proxy level?

~~~
ademarre
> _wouldn't anyone serious about these particular options just choose to
> apply them in Nginx?_

It sounds like you are assuming that everyone "serious" already is or should
be using Nginx. Also one shouldn't assume that you'll always be using a
reverse-proxy. Even when you are using a reverse-proxy, in my opinion it's
good to keep that layer as "dumb" as possible, minimizing application-specific
details. For example, setting certain security HTTP headers correctly often
requires a deeper understanding of an application than one should expect from
the reverse-proxy layer.

Slightly off topic, but it reminds me of why I think web application firewalls
are misused: they try to plug security holes that should be treated as
application bugs.

------
jalfresi
Love how "plug and play" some of these are! This is a great selection of
packages. I didn't even know they existed.

------
tshadwell
It's a nice list of items, but I don't feel like it's informed from actual
penetration tests on Go apps. Bad Content-Type headers and DNS rebinding
affect almost every Go web application out there.

_Any naked Go server is usually vulnerable to DNS rebinding because it
doesn't test the Host header._

Edit: see also:
[http://0xdabbad00.com/2015/04/12/looking_for_security_troubl...](http://0xdabbad00.com/2015/04/12/looking_for_security_trouble_spots_in_go_code/)

~~~
dchest
The first mentioned package, secure, has AllowedHosts option:
[https://stablelib.com/doc/v1/net/secure/#Options](https://stablelib.com/doc/v1/net/secure/#Options)

I should add it to the post, thanks.
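The Host-header check discussed in this thread, as an added example written for this page (it is not the `secure` package's `AllowedHosts` implementation and not dchest's code): a small `net/http` middleware that rejects any request whose `Host` value is not in an allow list, which is the standard mitigation for DNS rebinding. The names `hostAllowed` and `AllowedHosts` are assumptions for illustration.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// hostAllowed reports whether the Host header value matches one of the
// allowed hostnames. A port suffix is stripped so "example.com:8443"
// matches "example.com"; comparison is case-insensitive and a trailing
// dot is ignored. Anything else, including an empty Host, is rejected.
func hostAllowed(hostHeader string, allowed []string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // "[::1]:8080" -> "::1", "example.com:80" -> "example.com"
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if host == "" {
		return false
	}
	for _, a := range allowed {
		if strings.ToLower(a) == host {
			return true
		}
	}
	return false
}

// AllowedHosts wraps next and answers 400 to requests whose Host header is
// not on the allow list, so a rebinding attacker's page cannot reach the
// handlers through an arbitrary hostname that resolves to this server.
func AllowedHosts(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host, allowed) {
			http.Error(w, "invalid Host header", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("hello\n"))
	})
	// Only these names may be used to address this server (assumed values).
	http.ListenAndServe("127.0.0.1:8080",
		AllowedHosts([]string{"localhost", "127.0.0.1"}, mux))
}
```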

