Please report security vulnerabilities privately by emailing the maintainer
listed on the repository's CODEOWNERS file or by opening a draft GitHub
security advisory under the repository's Security tab. Do not file
a public issue for suspected security problems.
Include, where possible:
- A description of the issue and its impact.
- Steps to reproduce (proof-of-concept code preferred).
- The affected version or commit SHA.
- Any suggested mitigation.
You should receive an acknowledgement within 72 hours. Please allow up to 30 days for a patched release before any public disclosure.
Gortex is pre-1.0. Only the latest minor release line (currently
v0.8.x-alpha) receives security fixes. Older lines are unsupported.
The framework ships with these hardening defaults (as of v0.8.0-alpha). Each can be tuned per application.
| Area | Default | Override |
|---|---|---|
| File serving | File(path) rejects any path with .. segments. |
Use FileFS(fsys, name) for user-supplied filenames. |
| Redirects | Redirect(code, url) accepts only same-origin paths starting with /. |
Write the Location header directly when an external redirect is required. |
| CORS | Default config allows * origins but not credentials. Combining * with AllowCredentials=true is rejected. |
CORSWithConfig returns an error on unsafe configs. |
| JSON body size | 1 MiB cap, enforced via http.MaxBytesReader. |
ParameterBinder.SetMaxJSONBodyBytes(n). |
| Dev error page | Redacts Authorization, Cookie, Set-Cookie, X-Api-Key, X-Auth-Token, X-CSRF-Token, Proxy-Authorization, and any query parameter whose name matches (?i)(token|password|secret|key|apikey|api_key|auth). |
Do not run the dev error page middleware in production. |
As of v0.8.0-alpha, pkg/auth.JWTService enforces the following:
- 32-byte minimum secret:
NewJWTServicereturns an error for secrets shorter than 32 bytes.pkg/config.Validate()also enforces this at config-load time so misconfiguration fails early. typclaim required: Every token now carries atypclaim ("access"or"refresh").ValidateTokenrejects any token whosetypis not"access"(including tokens issued by earlier versions that have notypclaim).ValidateRefreshTokenrejects anything whosetypis not"refresh". This prevents access and refresh tokens from being used interchangeably.- HS256 pinned: The key function rejects tokens signed with any algorithm other than HS256, closing the
none-algorithm and algorithm-confusion attack vectors.
Migration: tokens issued before v0.8.0-alpha carry no typ claim and will be rejected. Re-issue all tokens after upgrading.
DefaultContext.RealIP() resolves the client IP by inspecting, in order:
- The first value in the
X-Forwarded-Forheader. - The
X-Real-IPheader. http.Request.RemoteAddr(the TCP connection peer).
Risk: Steps 1 and 2 are header values set by the caller. If your server
is directly reachable from the internet (no reverse proxy), any client can
supply an arbitrary X-Forwarded-For value and impersonate any IP address.
Context.RealIP() does not validate the source of forwarding headers.
Rate-limit middleware: as of v0.8.0-alpha, the default KeyFunc in
GortexRateLimitConfig keys on the direct peer address (spoof-resistant)
unless TrustedProxies CIDRs are configured. Set TrustedProxies to the
CIDR ranges of your reverse proxy fleet to allow forwarding headers from
those peers only.
Recommended deployment:
- Always place Gortex behind a trusted reverse proxy (nginx, Caddy, a cloud load balancer, etc.).
- Configure the proxy to strip any client-supplied
X-Forwarded-Forheader before appending the real client IP. - Set
GortexRateLimitConfig.TrustedProxiesto your proxy CIDRs. - Do not expose the Gortex HTTP port directly to untrusted networks.
- For application logic that relies on
RealIP()for access control, supply a customKeyFuncinGortexRateLimitConfigthat uses authenticated identity (e.g., a verified JWT subject) rather thanc.RealIP().
Reporters are credited in the release notes of the version that fixes their finding, with their consent.