Code Room
Code review | Medium | cr-g042
Subject: Auth bypass | Level: Mid–Senior | ~25 min | Common in Security interviews | Industries: Software development

Question

Review this Go middleware that authenticates internal service-to-service calls with a shared API key.

What a strong answer looks like

Separate real bugs from style. Rank issues by severity, point at the root cause rather than the symptom, and suggest a concrete fix — specific and kind.

Talk through your review
Code to review (Go)

```go
package main

import (
	"net/http"
	"os"
)

func requireAPIKey(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		provided := r.Header.Get("X-Api-Key")
		if provided == os.Getenv("INTERNAL_API_KEY") {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}
```
Run or narrate your approach, then ask the coach.
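Worked answer, as an added example that is not part of the original question. The two defects a strong review leads with are (1) the root-cause bug: `os.Getenv` is read per request and never validated, so an unset or empty INTERNAL_API_KEY makes `"" == ""` true and any request with no header is admitted; and (2) `==` on a secret is a byte-by-byte comparison that returns at the first mismatch, leaking a timing signal. Lower-severity points: 403 is the wrong status for a missing credential (401 is), and re-reading the environment on every request is wasted work. The block below reproduces the middleware under review unchanged and places a hardened form beside it; the names `newAPIKeyMiddleware`, `okHandler`, `status` and `unsetKeyBypass` and the key string are assumptions for the example, and the key still comes from the environment (rotation and multiple keys are out of scope).

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// requireAPIKey is the middleware under review, reproduced as on the page.
func requireAPIKey(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		provided := r.Header.Get("X-Api-Key")
		if provided == os.Getenv("INTERNAL_API_KEY") {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// newAPIKeyMiddleware is the hardened form (assumed name, example code).
// The key is read once, at construction, and an empty key is a startup error,
// so an unset INTERNAL_API_KEY can never become "every request is authenticated".
func newAPIKeyMiddleware(key string) (func(http.Handler) http.Handler, error) {
	if key == "" {
		return nil, errors.New("api key is empty; refusing to start")
	}
	want := []byte(key)
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			got := []byte(r.Header.Get("X-Api-Key"))
			// ConstantTimeCompare's running time depends only on the lengths,
			// not on where the first mismatching byte is, which removes the
			// per-byte timing signal that == leaks. Length is still observable;
			// that is acceptable for a fixed-length random key.
			if subtle.ConstantTimeCompare(got, want) == 1 {
				next.ServeHTTP(w, r)
				return
			}
			// 401 is the status for "no valid credential"; 403 means
			// "authenticated but not allowed".
			w.Header().Set("WWW-Authenticate", `ApiKey realm="internal"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		})
	}, nil
}

// okHandler stands in for the protected internal endpoint.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// status sends one in-memory request through h and returns the response code.
// An empty apiKey means the header is omitted, as an unauthenticated caller would.
func status(h http.Handler, apiKey string) int {
	req := httptest.NewRequest(http.MethodGet, "/internal/ping", nil)
	if apiKey != "" {
		req.Header.Set("X-Api-Key", apiKey)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// unsetKeyBypass reproduces the root-cause bug: with INTERNAL_API_KEY unset the
// original compares "" == "" and admits a request carrying no header at all.
// It returns the status the original gives and whether the hardened
// constructor refused to start under the same conditions.
func unsetKeyBypass() (originalStatus int, hardenedRefused bool) {
	os.Unsetenv("INTERNAL_API_KEY")
	originalStatus = status(requireAPIKey(okHandler), "")
	_, err := newAPIKeyMiddleware(os.Getenv("INTERNAL_API_KEY"))
	return originalStatus, err != nil
}

func main() {
	st, refused := unsetKeyBypass()
	fmt.Printf("original with key unset, no header: %d\n", st)
	fmt.Printf("hardened refuses to start with empty key: %v\n", refused)

	// Constructed example key; a real deployment would use a random value.
	mw, err := newAPIKeyMiddleware("constructed-example-key")
	if err != nil {
		panic(err)
	}
	h := mw(okHandler)
	fmt.Println(status(h, "constructed-example-key"), status(h, "wrong"), status(h, ""))
}
```

Running it with INTERNAL_API_KEY unset shows the original returning 200 to a request with no credential while the hardened constructor returns an error before the server accepts traffic. In the review, that empty-key path is the finding to rank first: it is a full bypass under an ordinary misconfiguration, whereas the timing leak requires a patient attacker and a low-noise network path.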