Security
Security middleware presets
security is an HTTP security middleware chain preset. It combines recover, request id, real IP, access log, body limit, timeout, helmet, and other middleware into one chain so they are applied in a consistent order with a single Use call.
Install
go get github.com/duxweb/runa/security
Quick usage
app.Install(route.Provider(route.Addr(":8080")))
route.Default().Use(security.New(security.Production()))
Development environment:
route.Default().Use(security.New(security.Development()))
Options
route.Default().Use(security.New(
security.Production(),
security.BodyLimit("2MB"),
security.Timeout(30*time.Second),
security.TrustedProxies("127.0.0.1"),
security.SkipPaths("/health", "/metrics"),
))
Skip some requests
route.Default().Use(security.New(security.Next(func(ctx *route.Context) bool {
return ctx.Request().URL.Path == "/health"
})))
Disable individual middleware
route.Default().Use(security.New(security.Disable("logger", "helmet")))
Names accepted by Disable: recover, requestid, realip, logger, bodylimit, timeout, helmet.
Common mistakes
Expecting Security to include CORS
Security does not include CORS because CORS depends on the frontend origin and credential strategy. Configure CORS explicitly.
Missing TrustedProxies behind a gateway
The Production preset clears the trusted proxy list, so X-Forwarded-For and similar headers are not trusted by default. If the app runs behind Nginx, a CDN, or an Ingress, configure TrustedProxies explicitly, otherwise the real IP middleware sees only the proxy's address.
Disabling recover in production
If you disable recover, panics may be handled by the HTTP server directly. Keep recover enabled unless you have another panic strategy.
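To make the Options, Disable, SkipPaths and trusted-proxy behaviour described above concrete, here is an added example built on Go's standard net/http. It is not runa's code: Config, Production, New, ClientIP and the middleware names are assumptions made for this example, and only the middleware relevant to the mistakes listed above (recover, realip, bodylimit, timeout, helmet) is included. ClientIP shows why the Production preset clearing trusted proxies matters: X-Forwarded-For is honoured only when the direct peer is a trusted proxy, and hops are walked right to left so a client cannot prepend a fake address.

```go
package main

import (
	"net"
	"net/http"
	"slices"
	"strings"
	"time"
)

// Config holds the options shown on this page; the names are assumptions for this example.
type Config struct {
	BodyLimit      int64
	Timeout        time.Duration
	TrustedProxies []string
	SkipPaths      []string
	Disabled       map[string]bool
}

// Production returns hardened defaults: no proxy is trusted, so an
// X-Forwarded-For header sent by a direct client cannot spoof the address.
func Production() Config {
	return Config{BodyLimit: 1 << 20, Timeout: 10 * time.Second}
}

type middleware func(http.Handler) http.Handler

// ClientIP honours X-Forwarded-For only when the direct peer is a trusted
// proxy, walking hops right to left past trusted proxies so the first
// untrusted hop is the client and a prepended fake address is never chosen.
func ClientIP(remoteAddr, xff string, trusted []string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	if xff == "" || !slices.Contains(trusted, host) {
		return host
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := strings.TrimSpace(hops[i]); !slices.Contains(trusted, ip) {
			return ip
		}
	}
	return strings.TrimSpace(hops[0]) // every hop is a trusted proxy
}

// wrap turns a (w, r, next) function into a middleware value.
func wrap(f func(w http.ResponseWriter, r *http.Request, next http.Handler)) middleware {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { f(w, r, next) })
	}
}

// New builds the chain in the page's order, skipping names in Disabled;
// requests whose path is in SkipPaths bypass the whole chain.
func New(cfg Config, app http.Handler) http.Handler {
	mws := map[string]middleware{
		"recover": wrap(func(w http.ResponseWriter, r *http.Request, next http.Handler) {
			defer func() {
				if p := recover(); p != nil { // a panic becomes a 500, not a dropped connection
					http.Error(w, "internal server error", http.StatusInternalServerError)
				}
			}()
			next.ServeHTTP(w, r)
		}),
		"realip": wrap(func(w http.ResponseWriter, r *http.Request, next http.Handler) {
			// Downstream handlers and the access log read the resolved address from here.
			r.Header.Set("X-Real-IP", ClientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For"), cfg.TrustedProxies))
			next.ServeHTTP(w, r)
		}),
		"bodylimit": wrap(func(w http.ResponseWriter, r *http.Request, next http.Handler) {
			r.Body = http.MaxBytesReader(w, r.Body, cfg.BodyLimit) // reads past the limit fail
			next.ServeHTTP(w, r)
		}),
		"timeout": func(next http.Handler) http.Handler {
			return http.TimeoutHandler(next, cfg.Timeout, "request timed out")
		},
		"helmet": wrap(func(w http.ResponseWriter, r *http.Request, next http.Handler) {
			w.Header().Set("X-Content-Type-Options", "nosniff")
			w.Header().Set("X-Frame-Options", "DENY")
			next.ServeHTTP(w, r)
		}),
	}
	h := app // wrap innermost first so "recover" ends up outermost
	for _, name := range []string{"helmet", "timeout", "bodylimit", "realip", "recover"} {
		if !cfg.Disabled[name] {
			h = mws[name](h)
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if slices.Contains(cfg.SkipPaths, r.URL.Path) {
			app.ServeHTTP(w, r)
			return
		}
		h.ServeHTTP(w, r)
	})
}
```

Usage mirrors the page: `New(Production(), app)` for the hardened defaults, or copy the Config, set TrustedProxies to the gateway address and SkipPaths to health and metrics endpoints, then pass it to New. Because recover is wrapped last it sits outermost, which is the property the "Disabling recover in production" note relies on; removing it from Disabled leaves panics to the server itself.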
API quick reference
security.New(options...) creates security middleware.
security.Development() applies development defaults.
security.Production() applies production defaults.
security.BodyLimit(value) sets the request body limit.
security.Timeout(duration) sets the request timeout.
security.TrustedProxies(values...) sets trusted proxies.
security.Disable(names...) disables named middleware.
More complete middleware docs are available in Security Preset.