Documentation Index
Fetch the complete documentation index at: https://docs.go-mizu.dev/llms.txt
Use this file to discover all available pages before exploring further.
Mizu automatically applies security headers to protect your frontend from common web vulnerabilities.
The frontend middleware adds these headers:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options
Purpose: Prevents MIME-sniffing attacks
X-Content-Type-Options: nosniff
X-Frame-Options
Purpose: Prevents clickjacking
X-Frame-Options: SAMEORIGIN
X-XSS-Protection
Purpose: Legacy XSS protection
X-XSS-Protection: 1; mode=block
Referrer-Policy
Purpose: Controls referrer information
Referrer-Policy: strict-origin-when-cross-origin
import "github.com/go-mizu/mizu/middlewares/helmet"
app.Use(helmet.Default())
app.Use(frontend.WithOptions(frontend.Options{
SecurityHeaders: false, // Avoid duplicates
}))
Content Security Policy (CSP)
Use the helmet middleware for CSP:
app.Use(helmet.WithOptions(helmet.Options{
ContentSecurityPolicy: &helmet.CSPOptions{
Directives: map[string][]string{
"default-src": {"'self'"},
"script-src": {"'self'", "'unsafe-inline'"}, // Vite needs unsafe-inline in dev
"style-src": {"'self'", "'unsafe-inline'"},
"img-src": {"'self'", "data:", "https:"},
"font-src": {"'self'"},
},
},
}))
CSP with Vite
Vite uses inline scripts in development. Production build should work without unsafe-inline:
func getCSP(env string) *helmet.CSPOptions {
directives := map[string][]string{
"default-src": {"'self'"},
"script-src": {"'self'"},
"style-src": {"'self'"},
}
if env != "production" {
directives["script-src"] = append(directives["script-src"], "'unsafe-inline'")
directives["style-src"] = append(directives["style-src"], "'unsafe-inline'")
}
return &helmet.CSPOptions{Directives: directives}
}
HTTPS Enforcement
Use the secure middleware:
import "github.com/go-mizu/mizu/middlewares/secure"
app.Use(secure.WithOptions(secure.Options{
SSLRedirect: true, // Redirect HTTP to HTTPS
}))
CORS Configuration
For API endpoints:
import "github.com/go-mizu/mizu/middlewares/cors"
app.Use(cors.WithOptions(cors.Options{
AllowedOrigins: []string{"https://yourdomain.com"},
AllowedMethods: []string{"GET", "POST", "PUT", "DELETE"},
AllowedHeaders: []string{"Content-Type", "Authorization"},
}))
Source Map Protection
Block source maps in production:
app.Use(frontend.WithOptions(frontend.Options{
SourceMaps: false, // Default in production
}))
Best Practices
1. Use HTTPS
Always use HTTPS in production:
app.Use(secure.Default())
2. Set CSP
Implement Content Security Policy:
app.Use(helmet.Default())
import "html"
func handleComment(c *mizu.Ctx) error {
comment := c.FormValue("comment")
sanitized := html.EscapeString(comment) // Escape HTML
// Save sanitized...
}
// React escapes by default
<div>{userInput}</div> // Safe
// Dangerous:
<div dangerouslySetInnerHTML={{__html: userInput}} /> // Unsafe!
4. Validate on Server
Never trust client-side validation:
func createUser(c *mizu.Ctx) error {
email := c.FormValue("email")
// Validate server-side
if !isValidEmail(email) {
return c.JSON(400, map[string]string{"error": "invalid email"})
}
// Create user...
}
5. Use HTTP-Only Cookies
For authentication tokens:
http.SetCookie(c.Writer(), &http.Cookie{
Name: "auth_token",
Value: token,
HttpOnly: true, // Not accessible via JavaScript
Secure: true, // HTTPS only
SameSite: http.SameSiteStrictMode,
})
6. Rate Limit API Endpoints
import "github.com/go-mizu/mizu/middlewares/ratelimit"
app.Use(ratelimit.PerMinute(100))
Security Checklist
Next Steps
Helmet Middleware
Comprehensive security headers
CORS Middleware
Cross-origin resource sharing
Rate Limiting
Protect against abuse