go-safeweb

module v0.0.0-...-f115076
Published: Apr 20, 2024 License: Apache-2.0

README

go-safeweb

DISCLAIMER: This is not an officially supported Google product.

go-safeweb is a collection of libraries for writing secure-by-default HTTP servers in Go.

Contributing

This project is in an early stage. We are currently not accepting any contributions.

Overview

The flexibility of Go’s net/http package allows users to quickly implement HTTP servers.

Responses are then written simply as slices of bytes, headers can be arbitrarily manipulated, and so on. This approach offers much-needed flexibility for those who really need it.

Unfortunately, this flexibility also leaves plenty of room for introducing security vulnerabilities, and even experienced developers tend to do so.

This document aims to design an HTTP API that eliminates whole classes of bugs, such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (XSRF). This can be achieved by an approach known at Google as safe coding. Learn more at Securing the Tangled Web (Christoph Kern, 2014) or Preventing Security Bugs through Software Design (Christoph Kern, 2016).

Goals and Non-Goals

Goals
G1: Secure-by-default

Security mechanisms are applied by default (opt-out, not opt-in).

G2: Unsafe Usage is Easy to Review, Track and Restrict

All opt-outs from security mechanisms are explicit. Wherever possible, they’re contained inside a package or an option that’s easy to restrict.

G3: Designed for Evolving Security Requirements

Enforcing new security measures is feasible through AST manipulation. Existing users can be migrated using static analysis and/or runtime monitoring. See the Appendix (Evolving Security Requirements) for a worked example.

G4: High Compatibility with Go’s Standard Library and Existing Open-Source Frameworks

Whenever possible, keep existing layouts, function signatures and other API parts the same as in Go's standard library. High compatibility enables wide adoption.

Non-Goals
NG1: Safe API Completeness

Creating safe APIs for all the corner cases might result in a bloated codebase. Our experience shows that this isn’t necessary.

NG2: Full Compatibility with Go’s Standard Library and Existing Open-Source Frameworks

Existing open-source frameworks and the Go standard library need to support every developer scenario. Staying fully compatible with them would leave us with limited options for creating safe-by-default HTTP servers.

NG3: Features That Are Not Security Critical

Go Safe Web aims to help you create a secure-by-default Go HTTP server and nothing more. Features that are not security critical will not be added. Focusing solely on security allows us to maintain high compatibility with the standard library and makes adoption easier.

Security Vulnerabilities and Mitigations

At a high level, we plan to address, or provide the infrastructure needed to address, the following issues (not an exhaustive list):

  • XSS (cross-site scripting) and XSSI (cross-site script inclusion) - e.g. by controlling how responses are generated
  • XSRF (cross-site request forgery) - e.g. by using Fetch Metadata policies, supporting token-based XSRF protection
  • CORS (cross-origin resource sharing) - e.g. by taking control of CORS response headers and handling CORS preflight requests
  • CSP (content security policy) - e.g. by automatically adding script nonces to HTML responses, adding relevant security headers
  • Transport Security - e.g. by enforcing HSTS support
  • IFraming - e.g. by setting relevant HTTP headers to restrict framing or providing server-side support for origin selection
  • Auth (access control) - e.g. by providing infrastructure for plugging in access control logic in a uniform, auditable way
  • HTTP Request Parsing Bugs - e.g. by implementing strict and well documented parsing behavior
  • Error responses - e.g. by providing infrastructure for uniform error handling (e.g. to prevent accidental leaks or XSS from error responses)
  • Enforcement of other security-specific HTTP headers - here

Appendix

Evolving Security Requirements (example)

Imagine an API for configuring access control. It features three types of rules:

  • ALLOW(user) - allows a given user
  • DENY(user) - denies a given user (has priority over ALLOW)
  • REPORT(user) - reports that it has seen a request from a given user

Imagine now that at some point, security standards need to be increased and user = "frombulator" has been determined to not meet the desired bar.

How do we, for all the services running in our company, address this?

  1. For existing services, we add a LegacyFrombulatorAccess option like so: security.AccessControl(rules, unsafe.LegacyFrombulatorAccess()).
  2. We change the security.AccessControl() call to add by default a DENY("frombulator") rule. This rule is not added if unsafe.LegacyFrombulatorAccess is applied.
  3. Instead, unsafe.LegacyFrombulatorAccess adds a REPORT("frombulator") rule.

This way, we have:

  • Ensured that all new callers of security.AccessControl use the safe setting by default.
  • Gained the ability to monitor existing services' dependence on calls from the frombulator. After a period of observation (let's say, 30 days):
    • If the service doesn’t receive requests from the frombulator: prune the unsafe.LegacyFrombulatorAccess option.
    • If the service does receive requests from the frombulator: inform the service owners and plan a fix.

Crucially, only the last case (dependence on unsafe configuration) requires engineering work per service. The rest can be automated.

This approach is possible only because of careful API design: without DENY and REPORT rules, or without a single sink (security.AccessControl) through which every access-control configuration passes, it would be infeasible.
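The three-step migration above, as an added example that is not the go-safeweb project's own code: a hypothetical rules API (Kind, Rule, Option, AccessControl, Check and LegacyFrombulatorAccess are all assumed names) in which AccessControl appends DENY("frombulator") by default, and the explicit LegacyFrombulatorAccess opt-out turns that into a REPORT so an existing service keeps working while its dependence on the frombulator is observed.

```go
package main

type Kind int // rule type from the appendix

const (
	ALLOW  Kind = iota // allows the user
	DENY               // denies the user; has priority over ALLOW
	REPORT             // records that a request from the user was seen
)

type Rule struct {
	Kind Kind
	User string
}

// Option is an explicit opt-out; in the real design it lives in an "unsafe" package so uses are easy to find.
type Option func(*Kind)

// LegacyFrombulatorAccess downgrades the default DENY to a REPORT for existing services.
func LegacyFrombulatorAccess() Option { return func(k *Kind) { *k = REPORT } }

// AccessControl is the single sink for rules and is safe by default: every caller
// gets DENY("frombulator") unless it explicitly applies the legacy option.
func AccessControl(rules []Rule, opts ...Option) []Rule {
	kind := DENY
	for _, o := range opts {
		o(&kind)
	}
	return append(append([]Rule(nil), rules...), Rule{kind, "frombulator"})
}

// Decision: Allowed is the verdict; Reported tells owners whether the opt-out is still needed.
type Decision struct{ Allowed, Reported bool }

// Check evaluates every rule naming the user; DENY wins over ALLOW.
func Check(rules []Rule, user string) Decision {
	var allowed, denied, reported bool
	for _, r := range rules {
		switch {
		case r.User != user: // rule is about someone else
		case r.Kind == ALLOW:
			allowed = true
		case r.Kind == DENY:
			denied = true
		default:
			reported = true
		}
	}
	return Decision{Allowed: allowed && !denied, Reported: reported}
}
```

A service whose Reported flag never fires during the observation window can have the opt-out pruned automatically; one where it does fire is the only case needing per-service engineering work.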

Source Code Headers

Every file containing source code must include copyright and license information. This includes any JS/CSS files that you might be serving out to browsers. (This is to help well-intentioned people avoid accidental copying that doesn't comply with the license.)

Apache header:

Copyright 2020 Google LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Directories

cmd
  bancheck: Package main contains the CLI used for detecting risky APIs.
  bancheck/bannedapi: Package bannedapi provides the tools for doing static analysis and checking for usage of banned APIs.
examples
  echo: echo implements a simple echo server which listens on localhost:8080.
  echo/security/web: Package web is an example package maintained by security experts in a development team.
  sample-application/secure: Package secure TODO(clap|kele): describe the assumptions we are under, e.g.
  sample-application/server: Package server implements the application server.
  trustedtypes: Implements a simple server presenting DOM XSS protection with Trusted Types.
internal
  requesttesting: Package requesttesting provides a harness and other test utilities for verifying the behaviour of the net/http package in Go's standard library.
  requesttesting/headers: Package headers contains tests to verify the request parsing behavior of net/http in Go's standard library.
safehttp: Package safehttp provides a framework for building secure-by-default web applications.
  defaults: Package defaults provides ready-to-use, safe, pre-configured instances of safehttp types.
  internal: Package internal contains internal APIs.
  plugins/collector: Package collector provides a function for creating violation report handlers.
  plugins/coop: Package coop provides Cross-Origin-Opener-Policy protection.
  plugins/cors: Package cors provides a safehttp.Interceptor that handles CORS requests.
  plugins/csp: Package csp provides a safehttp.Interceptor which applies Content Security Policies to responses.
  plugins/csp/internalunsafecsp: Package internalunsafecsp is used internally to override CSP.
  plugins/csp/internalunsafecsp/unsafecspfortests: Package unsafecspfortests can be used to disable CSP on specific handler registration in tests.
  plugins/csp/internalunsafecsp/unsafestrictcsp: Package unsafestrictcsp can be used to disable Strict CSP protections on specific handler registration.
  plugins/csp/internalunsafecsp/unsafetrustedtypes: Package unsafetrustedtypes can be used to disable Trusted Types protections on specific handler registration.
  plugins/fetchmetadata: Package fetchmetadata provides Fetch-Metadata based protections.
  plugins/fetchmetadata/internalunsafefetchmetadata: Package internalunsafefetchmetadata is used internally to override FM policies.
  plugins/fetchmetadata/internalunsafefetchmetadata/unsafefetchmetadatafortests: Package unsafefetchmetadatafortests can be used to disable Fetch Metadata protections on specific handler registration in tests.
  plugins/fetchmetadata/internalunsafefetchmetadata/unsaferesourcepolicy: Package unsaferesourcepolicy can be used to disable Fetch Metadata protections on specific handler registration.
  plugins/framing: Package framing provides utilities to install a comprehensive framing protection.
  plugins/framing/internalunsafeframing: Package internalunsafeframing is used internally to override Framing protections.
  plugins/framing/internalunsafeframing/unsafeframing: Package unsafeframing can be used to disable Framing protections on specific handler registration.
  plugins/framing/internalunsafeframing/unsafeframingfortests: Package unsafeframingfortests can be used to disable Framing protections on specific handler registration in tests.
  plugins/hostcheck: Package hostcheck provides a plugin that checks whether the request is intended to be sent to a given host.
  plugins/hsts: Package hsts provides HTTP Strict Transport Security.
  plugins/htmlinject: Package htmlinject provides utilities to pre-process HTML templates and inject additional parts into them before parsing.
  plugins/reportingapi: Package reportingapi is an implementation of the Report-To header described in https://www.w3.org/TR/reporting/#header.
  plugins/staticheaders: Package staticheaders provides a safehttp.Interceptor which sets security-sensitive headers on every response.
  plugins/xsrf: Package xsrf contains helper functions for the safehttp.Interceptor that provide protection against Cross-Site Request Forgery attacks.
  plugins/xsrf/xsrfangular: Package xsrfangular provides a safehttp.Interceptor that ensures Cross-Site Request Forgery protection for Angular applications by verifying the incoming requests, rejecting those requests that are suspected to be part of an attack.
  plugins/xsrf/xsrfhtml: Package xsrfhtml provides a safehttp.Interceptor that ensures Cross-Site Request Forgery protection by verifying the incoming requests for the presence of an XSRF token, rejecting those requests that are suspected to be part of an attack.
  restricted: Package restricted contains restricted APIs.
  safehttptest: Package safehttptest provides utilities for testing safehttp.Handler and safehttp.Interceptor implementations.
safesql: Package safesql implements a safe version of the standard sql package while trying to keep the API as similar as possible to the original one.
  internal/raw: Package raw is used to provide a bypass mechanism to implement the unchecked and legacy conversions packages.
  legacyconversions: Package legacyconversions provides functions to create values of package safesql types from plain strings.
  uncheckedconversions: Package uncheckedconversions provides functions to create values of package safesql types from plain strings.
