12. Security Basics

Apply secure defaults: validated inputs, safe crypto, token hygiene, and hardened transport.

Question: What is govulncheck and how does it fit into a secure development lifecycle?

Answer: govulncheck is an official Go tool that analyzes your codebase to find known vulnerabilities in the specific functions your code is actually calling.

Explanation: Unlike simple dependency checkers that flag any vulnerability in a dependency (even if you don't use the vulnerable part), govulncheck reduces noise by only reporting vulnerabilities in code paths that are reachable from your application. It should be integrated into CI/CD pipelines to catch security issues early.

Question: How do you prevent SQL injection and store passwords safely?

Answer: Use parameterized queries (? or $1 placeholders) or ORM placeholders; never interpolate user input into query strings. Hash passwords with a purpose-built password hashing algorithm such as bcrypt, scrypt, or argon2, with a unique salt per password.

Explanation: Do not invent your own crypto. Use the golang.org/x/crypto packages and set cost factors appropriate for your hardware.

Question: What are JWT best practices?

Answer: Use short-lived access tokens, rotate and store signing keys securely, validate aud/iss/exp/nbf, and implement refresh tokens with revocation.

Explanation: Prefer asymmetric keys (RS256/ES256) in distributed systems, so services can verify tokens without holding the signing key. Avoid putting sensitive data in tokens: they are bearer credentials, and the payload is readable by anyone who holds the token.

Question: How do you configure TLS securely?

Answer: Use tls.Config with modern cipher suites, enable HTTP/2, and set MinVersion to TLS 1.2 or higher (tls.VersionTLS12). Use Let's Encrypt/ACME automation for certificate issuance and renewal.

Explanation: Enforce HSTS at the edge and prefer mTLS for internal service-to-service calls when appropriate.

Question: How do you address CSRF and CORS in APIs?

Answer: For browser-based stateful apps, use CSRF tokens and SameSite cookies. For APIs, configure CORS to only allow trusted origins/methods/headers.

Explanation: Avoid the wildcard * in Access-Control-Allow-Origin for authenticated endpoints; reflect only an explicit allowlist of origins.