New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: add first-class Cross Site Request Forgery protection #42168
Comments
I think the general answer to "should the standard library be secure by default?" is "yes", but I also don't understand what particular changes you're suggesting :) Could you outline what changes you're thinking of? I'm ignoring the "stretch option" section for now, because I want to understand the core proposal first. |
Some options:
I'm also open to other suggestions, these are options that I've been pondering for a while and all have one main issue: people would need to know about them and adopt them. Protect current users without breakages or behavior changes would be hard and I can't find a reliable way to bring people on board with a new, safe, API without deprecating the old ones or offering a better set of features (e.g. point 3 above, if that offers something better than the other form fields/methods it could help drive adoption). What do you think? |
Doing something in http directly seems like a very significant step. Over on #42166, what did you have in mind as a new, less error-prone API? |
Ping @empijei. We really need a clearer proposal to evaluate. |
I'd be ok with fixing xsrftoken and linking it from the http package docs, it seems like the less invasive solution. My only concern is that it would not be picked up by many users. |
See #42166 (comment) |
Moving this to #42166 then. Thanks. |
Preface
While for other web vulnerabilities the go stdlib provide some quite hardened packages (html/template with autoescaping, net/http with a decent posture against smuggling, tls being easily enforced and older versions not used etc.) there is a lack of first-class support for CSRF protection, and CSRF is the second most prominent vulnerability in modern web applications.
The only bit of library that offers something related to it is x/net/xsrftoken, which is not well known, it is not advertised and it is in the "x" package.
The ecosystem has a proliferation of external packages that provide some form of protection against this vulnerability, so it looks like the current Go stance on this is that if users want to build a secure web application they have to rely on external libraries and frameworks (thus accepting a whole new kind of issues with supply chain attacks) or they have to understand how to build their own protections.
Proposal
I would like to propose to add a first-class supported XSRF protection mechanism in the standard library to address this issue.
Stretch option:
Since it feels to me like CSRF is not the only issue we might have to take care of, I would deem it appropriate to add a
security
sub-package tonet/http
(naming and location is open to discussion) to use to collect middleware and other utilities (e.g. creating servers with safe defaults).Go as it is right now almost delivers the full toolkit needed to build secure web applications, but it definitely has what is needed to build a web application, which constitutes a quite scary scenario.
The text was updated successfully, but these errors were encountered: