DEV Community

Athreya aka Maneshwar
Athreya aka Maneshwar

Posted on • Edited on

API Security Best Practices with Go

#webdev #programming #go #beginners

Hello, I'm Maneshwar. I'm building git-lrc, an AI code reviewer that runs on every commit. It is free, unlimited, and source-available on Github. Star Us to help devs discover the project. Do give it a try and share your feedback for improving the product.

Securing your API is non-negotiable. Whether you're building public or inter
nal service
s, unprotected endpoints can expose your system to data theft, misuse, or even total compromise.

This guide outlines essential API security principles, with practical Go code snippets using the Echo web framework where applicable.

1. Use Proper HTTP Methods

Only allow HTTP methods appropriate for each endpoint. Respond with 405 Method Not Allowed for disallowed methods.

e := echo.New()

// Proper usage
e.GET("/users/:id", getUser)
e.POST("/users", createUser)
e.PUT("/users/:id", updateUser)
e.DELETE("/users/:id", deleteUser)

// Middleware to handle unsupported methods
e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c echo.Context) error {
        allowedMethods := map[string][]string{
            "/users":     {"POST"},
            "/users/:id": {"GET", "PUT", "DELETE"},
        }
        route := c.Path()
        method := c.Request().Method

        for path, methods := range allowedMethods {
            if echo.NewRouter().Find(method, path, c) != nil {
                return next(c)
            }
            if path == route {
                return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method Not Allowed")
            }
        }
        return next(c)
    }
})
Enter fullscreen mode Exit fullscreen mode

2. Content-Type Validation

Validate the Content-Type header. Expect application/json for JSON APIs.

e.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c echo.Context) error {
        if c.Request().Method == http.MethodPost || c.Request().Method == http.MethodPut {
            if c.Request().Header.Get(echo.HeaderContentType) != echo.MIMEApplicationJSON {
                return echo.NewHTTPError(http.StatusUnsupportedMediaType, "Only application/json allowed")
            }
        }
        return next(c)
    }
})
Enter fullscreen mode Exit fullscreen mode

3. Validate User Input

Use input validation to prevent injection attacks and ensure data integrity.

type CreateUserInput struct {
    Name  string `json:"name" validate:"required,min=3"`
    Email string `json:"email" validate:"required,email"`
}

func createUser(c echo.Context) error {
    var input CreateUserInput
    if err := c.Bind(&input); err != nil {
        return echo.NewHTTPError(http.StatusBadRequest, "Invalid request")
    }

    if err := c.Validate(&input); err != nil {
        return echo.NewHTTPError(http.StatusBadRequest, err.Error())
    }

    // Proceed safely
    return c.JSON(http.StatusOK, map[string]string{"status": "user created"})
}
Enter fullscreen mode Exit fullscreen mode

To enable validation:

import "github.com/go-playground/validator/v10"

type CustomValidator struct {
    validator *validator.Validate
}

func (cv *CustomValidator) Validate(i interface{}) error {
    return cv.validator.Struct(i)
}

e.Validator = &CustomValidator{validator: validator.New()}
Enter fullscreen mode Exit fullscreen mode

4. Use Authorization Header for Tokens

Tokens should be sent in the standard Authorization: Bearer <token> header—not in query parameters.

func tokenAuthMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
    return func(c echo.Context) error {
        auth := c.Request().Header.Get("Authorization")
        if auth == "" || !strings.HasPrefix(auth, "Bearer ") {
            return echo.NewHTTPError(http.StatusUnauthorized, "Missing or invalid Authorization header")
        }

        token := strings.TrimPrefix(auth, "Bearer ")
        if !validateToken(token) {
            return echo.NewHTTPError(http.StatusUnauthorized, "Invalid token")
        }

        return next(c)
    }
}
Enter fullscreen mode Exit fullscreen mode

Avoid this:

GET /api/data?token=abc123  ❌
Enter fullscreen mode Exit fullscreen mode

5. Avoid Client-Side Encryption

Don’t rely on client-side encryption for sensitive data. Encrypt on the server side using robust libraries.

// Example: AES encryption
func encryptAES(plaintext, key string) (string, error) {
    block, err := aes.NewCipher([]byte(key))
    if err != nil {
        return "", err
    }
    plaintextBytes := []byte(plaintext)
    ciphertext := make([]byte, aes.BlockSize+len(plaintextBytes))
    iv := ciphertext[:aes.BlockSize]
    if _, err := io.ReadFull(rand.Reader, iv); err != nil {
        return "", err
    }
    stream := cipher.NewCFBEncrypter(block, iv)
    stream.XORKeyStream(ciphertext[aes.BlockSize:], plaintextBytes)
    return base64.URLEncoding.EncodeToString(ciphertext), nil
}
Enter fullscreen mode Exit fullscreen mode

Keep keys and secrets on the server, never in the client-side code.

6. Use an API Gateway

Use tools like Kong, Traefik, or AWS API Gateway for enhanced security features:

  • JWT validation
  • IP whitelisting
  • Rate limiting
  • Request logging
  • TLS termination

Example: Kong Rate Limiting (declarative config) 

services:
  - name: my-api
    url: http://myapi:8000
    routes:
      - name: my-api-route
        paths:
          - /v1/
        plugins:
          - name: rate-limiting
            config:
              minute: 100
              policy: local
Enter fullscreen mode Exit fullscreen mode

Final Tips

  • Always use HTTPS (TLS) to encrypt data in transit.
  • Enable logging and alerting for abnormal traffic.
  • Keep dependencies updated to patch known vulnerabilities.
  • Run security headers like X-Content-Type-Options: nosniff.

TL;DR Checklist

Security Feature Status
Proper HTTP methods
Content-Type validation
Input validation
Token via Authorization
No client-side encryption
API gateway used

API security is not a luxury — it’s a baseline. Build secure by default, and save yourself from firefighting later.

git-lrc
*AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.

git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.*

Any feedback or contributors are welcome! It's online, source-available, and ready for anyone to use.

⭐ Star it on GitHub:

GitHub logo HexmosTech / git-lrc

Free, Unlimited AI Code Reviews That Run on Commit



AI agents write code fast. They also silently remove logic, change behavior, and introduce bugs -- without telling you. You often find out in production.

git-lrc fixes this. It hooks into git commit and reviews every diff before it lands. 60-second setup. Completely free.

See It In Action

See git-lrc catch serious security issues such as leaked credentials, expensive cloud operations, and sensitive material in log statements

git-lrc-intro-60s.mp4

Why

  • 🤖 AI agents silently break things. Code removed. Logic changed. Edge cases gone. You won't notice until production.
  • 🔍 Catch it before it ships. AI-powered inline comments show you exactly what changed and what looks wrong.
  • 🔁 Build a
View on GitHub

Top comments (0)