go-security-patterns-v1Certifiedv1.0.0

Go security patterns

Always-on secure coding patterns for Go (safe; no dependency edits).

Protects against

Rule body

# Go security patterns

Safe, always-on code patterns that reduce security risk without changing your dependency graph.

These rules use ONLY pattern-level verbs (ALWAYS/NEVER). They MUST NOT prescribe dependency upgrades.

### CVE-2024-24790 — safe patterns

- NEVER assume IPv6 addresses starting with :: are always safe without explicit validation.
- ALWAYS normalize and validate IP addresses before allowlist comparison.
- NEVER use library classification alone; validate each IP against your allowlist independently.
- ALWAYS reject or normalize IPv4-mapped IPv6 formats (::ffff:) in network requests.

### CVE-2023-39325 — safe patterns

- NEVER ignore or silently handle HTTP/2 RST_STREAM frames without rate limiting.
- ALWAYS implement per-connection limits on the rate of stream resets accepted.
- ALWAYS monitor and alert on abnormal patterns of stream reset activity.