We release patches for security vulnerabilities. Currently, the following versions are supported:

Note: Fox is currently in beta. While we take security seriously, please be aware that the API may change and the framework is not yet recommended for production use.

We take the security of Fox seriously. If you believe you have found a security vulnerability, please report it to us as described below.

• DO NOT open a public GitHub issue for security vulnerabilities
• DO NOT disclose the vulnerability publicly until we've had a chance to address it
• DO NOT exploit the vulnerability for malicious purposes

Report security vulnerabilities by email to: miclle.zheng@gmail.com

Please include the following information in your report:

• Type of vulnerability (e.g., XSS, SQL Injection, DoS, etc.)
• Full paths of source file(s) related to the vulnerability
• The location of the affected source code (tag/branch/commit or direct URL)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the vulnerability, including how an attacker might exploit it

• Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
• Assessment: We will assess the vulnerability and determine its severity within 5 business days
• Updates: We will keep you informed of our progress
• Fix: We aim to release a fix within:
  • Critical vulnerabilities: 7 days
  • High severity: 14 days
  • Medium/Low severity: 30 days
• Credit: With your permission, we will credit you in the release notes and CHANGELOG

When using Fox in your applications, we recommend following these security best practices:

Always validate and sanitize user input:

type UserInput struct {
    Username string `json:"username" binding:"required,alphanum,min=3,max=20"`
    Email    string `json:"email" binding:"required,email"`
}

// Use custom validators for complex rules
func (u *UserInput) IsValid() error {
    // Additional validation logic
    return nil
}

Always use HTTPS in production:

// Use TLS configuration
server := &http.Server{
    Addr:    ":443",
    Handler: engine,
    TLSConfig: &tls.Config{
        MinVersion: tls.VersionTLS12,
    },
}
server.ListenAndServeTLS("cert.pem", "key.pem")

Don't use wildcard origins in production:

// BAD - Don't do this in production
engine.CORS(cors.Config{
    AllowOrigins: []string{"*"},
})

// GOOD - Specify allowed origins
engine.CORS(cors.Config{
    AllowOrigins: []string{"https://example.com"},
    AllowMethods: []string{"GET", "POST"},
    AllowHeaders: []string{"Origin", "Content-Type"},
})

Use security headers to protect against common attacks:

engine.Use(func(ctx *fox.Context) {
    ctx.Writer.Header().Set("X-Content-Type-Options", "nosniff")
    ctx.Writer.Header().Set("X-Frame-Options", "DENY")
    ctx.Writer.Header().Set("X-XSS-Protection", "1; mode=block")
    ctx.Writer.Header().Set("Strict-Transport-Security", "max-age=31536000")
    ctx.Next()
})

Protect against large payload attacks:

// Set max request body size
http.MaxBytesReader(w, r.Body, 10*1024*1024) // 10MB limit

Implement rate limiting to prevent abuse:

// TODO: Fox will provide built-in rate limiting middleware
// For now, use external packages or implement custom middleware

Don't expose sensitive information in error messages:

// BAD - Exposes internal details
return httperrors.InternalServerError(
    "Database connection failed: " + err.Error(),
)

// GOOD - Generic error message for client
return httperrors.InternalServerError(
    "An error occurred processing your request",
)

• Always use strong password hashing (e.g., bcrypt, argon2)
• Implement proper session management
• Use CSRF tokens for state-changing operations
• Validate permissions on every protected endpoint

• Log security-relevant events
• Don't log sensitive information (passwords, tokens, PII)
• Monitor logs for suspicious activity

// Use structured logging
logger.WithFields(map[string]any{
    "user_id": userID,
    "action": "login_attempt",
    "ip": ctx.ClientIP(),
}).Info("User login")

• Regularly update dependencies
• Monitor for security advisories
• Use go list -m all | go run golang.org/x/vuln/cmd/govulncheck@latest

Fox is currently in beta. While we follow security best practices, the framework has not yet undergone:

• Independent security audit
• Extensive production testing
• Formal penetration testing

1. No built-in rate limiting: You must implement your own or use third-party middleware
2. No built-in CSRF protection: Implement your own CSRF middleware
3. No built-in request size limits: Configure at the HTTP server level
4. Limited security middleware: We're working on expanding security features

We're actively working on improving security features:

• Built-in rate limiting middleware
• CSRF protection middleware
• Security headers middleware (Helmet-style)
• Request size limiting middleware
• Formal security audit (planned for v1.0)
• Security documentation and examples
• Integration with security scanning tools

We'd like to thank the following individuals for responsibly disclosing security issues:

• (No reports yet)

• OWASP Top 10
• Go Security Best Practices
• Gin Security Best Practices

If you have questions about security that are not sensitive in nature, feel free to open a GitHub issue or discussion.

For security-sensitive questions or concerns, please email miclle.zheng@gmail.com.

Last updated: 2025-12-06