| 1 | +--- |
| 2 | +title: App and API Protection SDK for Go |
| 3 | +further_reading: |
| 4 | +- link: "https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec" |
| 5 | + tag: "Documentation" |
| 6 | + text: "Go Security API docs" |
| 7 | +- link: "/security/application_security/add-user-info/" |
| 8 | + tag: "Documentation" |
| 9 | + text: "Adding user information to traces" |
| 10 | +- link: 'https://github.com/DataDog/dd-trace-go' |
| 11 | + tag: "Source Code" |
| 12 | + text: 'Tracer source code' |
| 13 | +- link: "/security/application_security/troubleshooting" |
| 14 | + tag: "Documentation" |
| 15 | + text: "Troubleshooting App and API Protection" |
| 16 | +--- |
| 17 | + |
| 18 | +# SDK |
| 19 | + |
| 20 | +Sometimes, instrumenting your application automatically using [orchestrion][1] is not enough. |
| 21 | +That is why we offer an API under [github.com/DataDog/dd-trace-go/v2/appsec][2] for more flexibility and more features |
| 22 | +that would not always be available. |
| 23 | + |
| 24 | +## Preamble: errors |
| 25 | + |
| 26 | +The API is designed to return errors when something goes wrong, so you can handle them in your code. More specifically |
| 27 | +an error of type [`events.BlockingSecurityEvent`][3] will be returned when a blocking event occurs, such as a user being |
| 28 | +blocked or a request being blocked. |
| 29 | + |
| 30 | +**It is imperative to not write any response to the client when you receive a `BlockingEvent` error**, otherwise to are |
| 31 | +potentially sending sensitive information to an attacker. A helper called [`events.IsSecurityError`][4] is here to help |
| 32 | +this process. AAP SDK is designed to send a blocking response in your stead (by default, a HTTP 403) when a |
| 33 | +`BlockingSecurityEvent` is returned. Customizing this behaviour is possible, more available in |
| 34 | +the [Customize response to blocked requests][5] section. |
| 35 | + |
| 36 | +## HTTP Body Monitoring |
| 37 | + |
| 38 | +By default, a lot of Go HTTP Frameworks are not high level enough to provide parsed HTTP request & response bodies. |
| 39 | +This is why AAP SDK provides a way to monitor the HTTP request and response bodies manually: |
| 40 | + |
| 41 | +- [`appsec.MonitorRequestBody`][8] to monitor the request body. |
| 42 | +- [`appsec.MonitorHTTPResponseBody`][9] to monitor the response body. |
| 43 | + |
| 44 | +These functions will automatically block the current request if asked from Datadog's UI, and return a |
| 45 | +`BlockingSecurityEvent` error. |
| 46 | + |
| 47 | +## User tracking |
| 48 | + |
| 49 | +When a user logs in to your application, it is important to track this event for security purposes. |
| 50 | +The AAP offer a feature to [track and block login requests][1]. This feature is available under 2 functions: |
| 51 | + |
| 52 | +- [`appsec.TrackUserLoginSuccess`][2] to track a successful login event on your login endpoint. |
| 53 | +- [`appsec.TrackUserLoginFailure`][6] to track an attemped login event on your login endpoint. |
| 54 | +- [`appsec.SetUser`][7] use on all authenticated requests to report users to Datadog. |
| 55 | + |
| 56 | +These functions will automatically block the user if asked from Datadog's UI, and return a `BlockingSecurityEvent` |
| 57 | +error. |
| 58 | + |
| 59 | +## Business Logic Event Tracking |
| 60 | + |
| 61 | +User login success and failure are what is called [Business logic events][10] behind the scene which are events that |
| 62 | +are not directly related to security, but are important for security purposes. We offer the capability to track custom |
| 63 | +events using the [`appsec.TrackBusinessLogicEvent`][11] function. |
| 64 | + |
| 65 | +## Further Reading |
| 66 | + |
| 67 | +{{< partial name="whats-next/whats-next.html" >}} |
| 68 | + |
| 69 | +[1]: /security/application_security/how-it-works/add-user-info?tab=go#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability |
| 70 | +[2]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#TrackUserLoginSuccess |
| 71 | +[3]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec/events#BlockingSecurityEvent |
| 72 | +[4]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec/events#IsSecurityError |
| 73 | +[5]: /security/application_security/policies/#customize-protection-behavior |
| 74 | +[6]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#TrackUserLoginFailure |
| 75 | +[7]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#SetUser |
| 76 | +[8]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#MonitorParsedHTTPBody |
| 77 | +[9]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#MonitorHTTPResponseBody |
| 78 | +[10]: /security/application_security/policies/custom_rules/#business-logic-abuse-detection-rule |
| 79 | +[11]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#TrackCustomEvent |
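Review bot: the link references do not match the function names in the text, and two reference labels are reused for different targets. `[`appsec.MonitorRequestBody`][8]` resolves to `#MonitorParsedHTTPBody` and `[`appsec.TrackBusinessLogicEvent`][11]` resolves to `#TrackCustomEvent`; either the prose or the anchors should change so readers copy a name that actually exists in the package. Likewise `[orchestrion][1]` and `[github.com/DataDog/dd-trace-go/v2/appsec][2]` in the intro reuse labels `[1]` and `[2]`, which the definition list maps to the add-user-info page and to `#TrackUserLoginSuccess`, so the orchestrion and package links land on the wrong pages; give them their own labels. Smaller fixes in the same region: "otherwise to are potentially sending" should read "otherwise you are potentially sending", and the error type in that sentence is named `BlockingEvent` while everywhere else it is `BlockingSecurityEvent`; "attemped" should be "attempted"; the `appsec.SetUser` bullet is missing its verb ("use it on all authenticated requests"); "a HTTP 403" should be "an HTTP 403". Finally, the "Preamble: errors" section tells readers not to write a response on a blocking error but never shows the check; a short snippet that tests the returned error with `events.IsSecurityError` and returns without touching the `ResponseWriter` would make the rule concrete and harder to get wrong.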