Comprehensive security implementation for the Modern Go Stack.

Defense-in-depth approach with multiple protection layers:

1. Input Sanitization - XSS and SQL injection prevention
2. CSRF Protection - Cross-site request forgery prevention with token rotation
3. JWT Authentication - Secure token-based authentication with bcrypt password hashing
4. Security Headers - Browser security controls and content security policy
5. Rate Limiting - DoS and abuse prevention (20 requests/minute per IP)
6. Input Validation - Comprehensive request validation with go-playground/validator
7. Error Handling - Information disclosure prevention with structured errors
8. Request Tracing - Security monitoring with unique request IDs

Custom CSRF middleware in internal/middleware/csrf.go protects all state-changing operations (POST, PUT, PATCH, DELETE).

Configuration:

CSRFConfig{
    TokenLength:    32,                                    // 32-byte random tokens
    TokenLookup:    "header:X-CSRF-Token,form:csrf_token", // Multiple token sources
    CookieName:     "_csrf",                               // Cookie name
    CookieHTTPOnly: true,                                  // Prevent XSS access
    CookieSameSite: http.SameSiteStrictMode,              // CSRF protection
    CookieMaxAge:   86400,                                 // 24 hours
}

Features:

• Token Rotation: New token generated for each request
• Multiple Sources: Supports header and form-based tokens
• Constant-Time Validation: Prevents timing attacks
• Secure Cookies: HTTPOnly and SameSite attributes
• Automatic HTMX Integration: JavaScript automatically includes tokens

Form-based CSRF (Traditional):

<form method="POST" action="/users">
  <input type="hidden" name="csrf_token" value="{{.CSRFToken}}" />
  <input type="text" name="name" required />
  <button type="submit">Create User</button>
</form>

HTMX with Automatic CSRF:

<!-- CSRF token automatically included by JavaScript -->
<button hx-post="/users" hx-vals='{"name": "John Doe"}'>
  Create User
</button>

Manual Header-based CSRF:

<button 
  hx-post="/users" 
  hx-headers='{"X-CSRF-Token": "{{.CSRFToken}}"}' 
  hx-vals='{"name": "John Doe"}'>
  Create User
</button>

Secure JWT implementation in internal/middleware/auth.go with:

Security Features:

• HMAC-SHA256 signing (configurable signing keys)
• Secure cookie storage with HTTPOnly and SameSite attributes
• Configurable token expiration (24 hours default)
• Password hashing with bcrypt (cost 12)
• Token validation on each request
• Automatic cookie clearing on logout

Configuration:

AuthConfig{
    SigningKey:      []byte("your-secret-key"), // From JWT_SECRET env var
    TokenDuration:   24 * time.Hour,            // Token expiration
    RefreshDuration: 7 * 24 * time.Hour,        // Refresh token duration
    Issuer:          "go-web-server",           // JWT issuer
    CookieName:      "auth_token",              // Cookie name
    CookieSecure:    true,                      // HTTPS only (false in dev)
    CookieHTTPOnly:  true,                      // Prevent XSS access
}

Protecting Routes:

// Apply JWT middleware to protected routes
protected := e.Group("/api")
protected.Use(middleware.JWTMiddleware(authService))
protected.GET("/profile", handlers.Profile)

Optional Authentication:

// Optional authentication (doesn't require login)
e.Use(middleware.OptionalJWTMiddleware(authService))

Getting Current User:

func ProfileHandler(c echo.Context) error {
    user, exists := middleware.GetCurrentUser(c)
    if !exists {
        return c.Redirect(http.StatusFound, "/login")
    }
    // Use authenticated user...
}

Custom sanitization middleware in internal/middleware/sanitize.go:

Features:

• HTML entity escaping
• JavaScript protocol removal
• Event handler removal
• Script tag filtering
• Dangerous pattern detection

Configuration:

SanitizeConfig{
    SanitizeHTML: true,  // HTML entity escaping
    SanitizeXSS:  true,  // XSS pattern removal
    SanitizeSQL:  true,  // Basic SQL injection prevention
}

Automatic Sanitization:

• All form values automatically sanitized
• POST form values cleaned
• Custom sanitization functions supported

Primary Defense - Parameterized Queries:

All database operations use SQLC-generated code with parameterized queries:

-- name: GetUser :one
SELECT * FROM users WHERE id = $1 LIMIT 1;

-- name: CreateUser :one
INSERT INTO users (email, name, bio) 
VALUES ($1, $2, $3)
RETURNING *;

Secondary Defense - Input Sanitization:

Additional SQL injection patterns filtered by sanitization middleware:

• SQL comment removal (--, /*, #)
• Dangerous keyword detection (UNION SELECT, DROP TABLE, etc.)
• Quote escaping as fallback

Comprehensive security headers in main.go and internal/middleware/errors.go:

Echo Security Middleware:

echomiddleware.SecureWithConfig(echomiddleware.SecureConfig{
    XSSProtection:         "1; mode=block",
    ContentTypeNosniff:    "nosniff", 
    XFrameOptions:         "DENY",
    HSTSMaxAge:            31536000, // 1 year
    ContentSecurityPolicy: "default-src 'self'; ...",
})

Custom Security Headers:

// Additional security headers
c.Response().Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
c.Response().Header().Set("Permissions-Policy", "geolocation=(), microphone=(), camera=()")
c.Response().Header().Set("Cross-Origin-Opener-Policy", "same-origin")
c.Response().Header().Set("Cross-Origin-Embedder-Policy", "require-corp")

Restrictive CSP policy balancing security and functionality:

default-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com;
script-src 'self' 'unsafe-inline' 'unsafe-eval';
img-src 'self' data:;
connect-src 'self';
font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com;

Policy Rationale:

• 'unsafe-inline' for styles: Required for Pico.css and dynamic theme switching
• 'unsafe-eval' for scripts: Required for HTMX functionality
• External fonts: Google Fonts for typography
• Data URIs: For inline images/icons

IP-based rate limiting with configurable limits:

Configuration:

echomiddleware.RateLimiterWithConfig(echomiddleware.RateLimiterConfig{
    Store: echomiddleware.NewRateLimiterMemoryStore(20), // 20 req/min
    IdentifierExtractor: func(c echo.Context) (string, error) {
        return c.RealIP(), nil // Rate limit by client IP
    },
    ErrorHandler: func(_ echo.Context, err error) error {
        return middleware.ErrTooManyRequests.WithInternal(err)
    },
})

Features:

• Memory-based storage (suitable for single instance)
• Real IP detection (works behind proxies)
• Configurable limits per endpoint
• Graceful error handling
• Prometheus metrics integration

Using go-playground/validator with custom rules:

Built-in Validations:

• Email format validation
• Password strength requirements
• String length limits
• Required field validation
• URL format validation

Custom Password Validation:

// Password must be 8+ chars with uppercase, lowercase, and numbers
func passwordValidator(fl validator.FieldLevel) bool {
    password := fl.Field().String()
    return len(password) >= 8 &&
        strings.ContainsAny(password, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") &&
        strings.ContainsAny(password, "abcdefghijklmnopqrstuvwxyz") &&
        strings.ContainsAny(password, "0123456789")
}

Usage Example:

type RegisterRequest struct {
    Email           string `json:"email" validate:"required,email"`
    Name            string `json:"name" validate:"required,min=2,max=100"`
    Password        string `json:"password" validate:"required,password"`
    ConfirmPassword string `json:"confirm_password" validate:"required"`
}

Comprehensive error handling in internal/middleware/errors.go:

Error Categories:

• Validation errors (400)
• Authentication errors (401)
• Authorization errors (403)
• Not found errors (404)
• Rate limit errors (429)
• Internal server errors (500)

Production Safety:

• Internal error details never exposed to clients
• Generic error messages in production
• Detailed logging for debugging
• Request correlation IDs for tracing

Error Response Format:

{
  "type": "validation",
  "error": "Bad Request",
  "message": "Validation failed",
  "details": [
    {"field": "email", "message": "invalid email format"}
  ],
  "code": 400,
  "request_id": "req-123456",
  "timestamp": "1640995200"
}

Prometheus metrics for security monitoring:

// CSRF protection metrics
csrfTokensGenerated    // Total tokens generated
csrfValidationFailures // Failed CSRF validations

// Authentication metrics  
userLoginAttempts      // Total login attempts
userLoginFailures      // Failed login attempts
userRegistrations      // New user registrations

// Request security metrics
requestsBlocked        // Requests blocked by rate limiting
validationFailures     // Input validation failures

Structured logging for security events:

slog.Warn("Failed login attempt",
    "email", email,
    "remote_ip", c.RealIP(),
    "user_agent", c.Request().UserAgent(),
    "request_id", requestID)

• All forms include CSRF tokens
• Passwords hashed with bcrypt
• Input validation on all endpoints
• SQL queries use parameters (SQLC)
• Error messages don't leak information
• Security headers configured
• Rate limiting active

• HTTPS enabled (TLS certificates)
• Secure JWT signing keys
• Database access restricted
• Security headers verified
• Rate limits appropriate for traffic
• Monitoring and alerting configured
• Log retention policies set
• Regular security updates applied

1. JWT Management:

   • Use strong, random signing keys (256+ bits)
   • Rotate signing keys regularly
   • Set appropriate token expiration times
   • Store tokens in HTTPOnly cookies

2. Password Security:

   • Enforce strong password requirements
   • Use bcrypt with appropriate cost (12+)
   • Implement account lockout after failed attempts
   • Consider 2FA for sensitive applications

3. Database Security:

   • Use parameterized queries exclusively
   • Implement connection pooling limits
   • Regular security updates for PostgreSQL
   • Database access limited to application user

4. Monitoring:

   • Monitor failed authentication attempts
   • Alert on unusual traffic patterns
   • Log security events with correlation IDs
   • Regular security audit reviews

This security implementation provides enterprise-grade protection while maintaining usability and performance.