Note
Segment has paused maintenance on this project, but may return it to an active status in the future. Issues and pull requests from external contributors are not being considered, although internal contributions may appear from time to time. The project remains available under its open source license for anyone to use.
Home of code related to security of network systems.
As we grow as a product and a company we have increasing needs to build secure
network services. This can be quite a challenging task as security issues can be
hard to anticipate and often depend on complex interactions in distributed
systems. The netsec package contains code which helps build and maintain
secure Go applications.
A common problem that services face is preventing unauthorized access to private networks. This often comes up when the public endpoints of those services are configured dynamically (like a webhook for example).
The netsec package helps protect against malicious use of those kinds of
applications by providing a decorator for the typical dial functions used to
establish network connections, which can be configured to allow or deny certain
IP network ranges.
Here is an example of how a program can leverage the netsec package to prevent
HTTP requests from going to private network addresses:
import (
"net/http"
"github.com/segmentio/netsec"
)
func init() {
t := http.DefaultTransport.(*http.Transport)
// Modifies the dial function used by the default http transport to deny
// requests that would reach private IP addresses.
t.DialContext = netsec.RestrictedDial(t.DialContext,
netsec.Denylist(netsec.PrivateIPNetworks),
)
}