Recipe - Security Hardening
Security-first middleware and route policy patterns for Kern APIs, including auth, CSRF, header limits, and request guards.
Security Hardening
Use this recipe to harden public-facing APIs.
Baseline middleware
app.Use(kern.Recovery())
app.Use(kern.CORS([]string{"https://app.example.com"}))
app.Use(middleware.SecurityHeaders())
app.Use(middleware.HeaderLimits(middleware.HeaderLimitsConfig{
MaxHeaderCount: 80,
MaxHeaderBytes: 12 * 1024,
}))Protect admin/API groups
admin := app.Group("/admin")
admin.Use(kern.BasicAuth("admin", "change-me"))
api := app.Group("/api")
api.Use(middleware.JWT(middleware.JWTConfig{Secret: []byte("replace-me")}))Browser session routes
web := app.Group("/web")
web.Use(middleware.Session(middleware.SessionConfig{SigningKey: []byte("replace-me")}))
web.Use(middleware.CSRF())Route policy enforcement
app.AddConstraints("POST", "/upload", kern.Constraints{
Validate: middleware.RequestGuard(middleware.RequestGuardConfig{
MaxBodyBytes: 8 << 20,
RequireBody: true,
RequireHeaders: []string{"X-Tenant"},
AllowContentTypes: []string{"application/json", "multipart/form-data"},
}),
}, uploadHandler)