# Protection Mechanism Failure (CWE-693)

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

**Stack:** Go

- Prevalence: High Frequently exploited
- Impact: High 1 high-severity rules
- Prevention: Documented 8 fix examples

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

This weakness covers three distinct situations: Missing a protection mechanism, using a faulty protection mechanism, or incorrectly applying a protection mechanism. A missing protection mechanism occurs when the application does not defend against a specific attack. A faulty protection mechanism occurs when the application does defend against a specific attack, but the protection mechanism is not implemented correctly.

## Prevention

Prevention strategies for Protection Mechanism Failure based on 6 Shoulder detection rules.

### Go

Add security headers middleware to Chi router

Add Echo Secure middleware to set security HTTP headers

Add Fiber Helmet middleware to set security HTTP headers

## Warning Signs

- [MEDIUM] Gin application missing security headers middleware
- [MEDIUM] Application lacks important security headers

## Consequences

- Bypass Protection Mechanism
- Execute Unauthorized Code
- Gain Privileges

## Mitigations

- Implement multiple layers of security (defense in depth)
- Use industry-standard, tested security mechanisms rather than custom implementations
- Ensure protection mechanisms cannot be bypassed or disabled

## Detection

- Total rules: 8
- Languages: dockerfile, go, javascript, typescript

## Rules by Language

### Go (6 rules)

- **Chi Missing Security Headers** [MEDIUM]: Chi application missing security HTTP headers middleware.
  - Remediation: Add security headers via middleware.

```go
r := chi.NewRouter()
r.Use(func(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("X-Content-Type-Options", "nosniff")
        next.ServeHTTP(w, r)
    })
})
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers
- **Echo Missing Security Headers** [MEDIUM]: Echo application missing security HTTP headers middleware.
  - Remediation: Add Secure middleware to set security headers.

```go
e := echo.New()
e.Use(middleware.Secure())
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers
- **Fiber Missing Security Headers** [MEDIUM]: Fiber application missing security HTTP headers middleware.
  - Remediation: Add Helmet middleware to set security headers.

```go
import "github.com/gofiber/fiber/v2/middleware/helmet"

app := fiber.New()
app.Use(helmet.New())
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers
- **Gin Missing Security Headers** [MEDIUM]: Gin application missing security HTTP headers middleware.
  - Remediation: Add security headers middleware using gin-secure.

```go
import "github.com/gin-contrib/secure"

r := gin.Default()
r.Use(secure.New(secure.DefaultConfig()))
r.Run(":8080")
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers
- **Gorilla Missing Security Headers** [MEDIUM]: Gorilla Mux application missing security HTTP headers middleware.
  - Remediation: Add security headers via middleware.

```go
r := mux.NewRouter()
r.Use(func(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("X-Content-Type-Options", "nosniff")
        next.ServeHTTP(w, r)
    })
})
```

Learn more: https://shoulder.dev/learn/go/cwe-693/helmet-headers
- **Missing HTTP Security Headers** [MEDIUM]: HTTP responses lack security headers like X-Frame-Options or Content-Security-Policy.
  - Remediation: Add security headers in middleware applied to all routes.

```go
func securityHeaders(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("X-Frame-Options", "DENY")
        w.Header().Set("X-Content-Type-Options", "nosniff")
        w.Header().Set("Content-Security-Policy", "default-src 'self'")
        next.ServeHTTP(w, r)
    })
}
```

Learn more: https://shoulder.dev/learn/go/cwe-693/missing-security-headers