Building Web Apps in Go

472 points, by Trisell, about 9 years ago

25 comments

buro9, about 9 years ago

The lack of example code in the security section should be a worry to all.

It isn't hard to prevent SQL injection if you use parameterized SQL statements rather than string concat, and whilst examples of this are trivial they shouldn't be skipped.

In the XSS section it mentions filtering and checking inputs, but does not mention sanitization and does not give any examples. In the aversion to using any non-standard package it also does not mention https://github.com/microcosm-cc/bluemonday or anything similar (I am the author of bluemonday, an HTML sanitizer in the same vein as the OWASP Java HTML Sanitizer).

There is some sample code, in the Filtering section, but this only demonstrates the use of a fixed range of inputs in determining a filter, and then a regexp to check the input matches a format.

Beyond the security, where the theory is at least known even if a demonstration of how to implement it is lacking... the entire guide misses out on demonstrating templates to their fullest, and specifically using a map of functions to provide the equivalent of Django's TemplateTags.

In fact, the missing link for most Go developers who are building web apps, and for those coming from outside Go, is template tags. Most Go devs I know (who seem more systems focused) don't even realise that this stuff exists: https://golang.org/src/text/template/examplefunc_test.go
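The two points above (contextual output escaping for XSS, and a function map as the Go equivalent of template tags) can be shown in one short program using only the standard library. This is an added example written for this thread, not code from the book or from bluemonday; the `Post` record, the template text and the `upper`/`excerpt` helpers are constructed for illustration. It renders the same untrusted title into HTML text, a URL attribute and a JavaScript literal, and html/template escapes it differently in each place.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
)

// Post is a constructed record standing in for a page model.
type Post struct {
	Title, Body, Link string
}

// funcs is the "template tag" map: Go helpers made callable from templates.
// "upper" and "excerpt" are hypothetical helpers, not part of the book.
var funcs = template.FuncMap{
	"upper": strings.ToUpper,
	"excerpt": func(s string, n int) string {
		if len(s) <= n {
			return s
		}
		return s[:n] + "..."
	},
}

// Constructed template: the same value lands in three contexts (HTML text,
// a URL attribute and a JavaScript literal) and is escaped for each one.
const pageTmpl = `<h1>{{.Title | upper}}</h1>
<p>{{excerpt .Body 20}}</p>
<a href="{{.Link}}">profile</a>
<script>var title = {{.Title}};</script>
`

// Render parses with html/template (not text/template), so untrusted fields
// are contextually escaped instead of being inserted raw; Funcs must be
// registered before Parse.
func Render(p Post) (string, error) {
	t, err := template.New("page").Funcs(funcs).Parse(pageTmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, p); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	out, err := Render(Post{
		Title: "<script>alert(1)</script>",
		Body:  "hello world, this is a long body",
		Link:  "javascript:alert(1)",
	})
	if err != nil {
		panic(err)
	}
	fmt.Print(out)
}
```

In the output the tags in the title come back as `&lt;script&gt;` in the heading, as a JSON string with `\u003c` inside the `<script>` block, and the `javascript:` link is replaced by `#ZgotmplZ`, the marker html/template uses for a URL it refused to emit. Sanitizing (as bluemonday does) is a separate step for when you intend to allow some HTML through; escaping is for when you do not.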
BinaryIdiot, about 9 years ago

This seems pretty good. Two huge red flags in my skimming:

1. The password storage section where it gives MD5 as an option. MD5 should never be an option, not even in a simple testing / prototype application.

2. It actually calls base64 encoding encryption / decryption. This is really dangerous and outright wrong.

So if you ignore security related sections this guide overall seems good.
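For the password storage point, here is what a salted, slow password hash looks like in Go without leaving the standard library. This is an added example for the thread, not the book's code: it implements PBKDF2-HMAC-SHA256 (RFC 8018) directly on top of crypto/hmac, stores a random per-user salt and the iteration count beside the derived key, and verifies with a constant-time compare. The iteration constant is an assumed cost setting, not a recommendation from the book; raise it until a hash takes on the order of 100 ms on your hardware.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const (
	pbkdf2Iterations = 100000 // assumed cost setting; tune upward for production
	saltLen          = 16
	keyLen           = 32
)

// pbkdf2SHA256 derives dkLen bytes from password and salt per RFC 8018,
// using HMAC-SHA256 as the PRF and iter rounds per output block.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (dkLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var idx [4]byte
	for i := 1; i <= numBlocks; i++ {
		// U1 = PRF(password, salt || INT_32_BE(i))
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		// T_i = U1 xor U2 xor ... xor U_iter, with U_j = PRF(password, U_{j-1})
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// StoredPassword holds what the database keeps: the per-user salt, the
// iteration count and the derived key. Nothing here recovers the password.
type StoredPassword struct {
	Salt []byte
	Iter int
	Key  []byte
}

// HashPassword draws a fresh random salt so identical passwords never
// produce identical records.
func HashPassword(password string) (StoredPassword, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return StoredPassword{}, err
	}
	key := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations, keyLen)
	return StoredPassword{Salt: salt, Iter: pbkdf2Iterations, Key: key}, nil
}

// VerifyPassword re-derives with the stored parameters and compares in
// constant time, so a mismatch does not leak where the bytes diverge.
func VerifyPassword(stored StoredPassword, password string) bool {
	candidate := pbkdf2SHA256([]byte(password), stored.Salt, stored.Iter, len(stored.Key))
	return subtle.ConstantTimeCompare(candidate, stored.Key) == 1
}

func main() {
	rec, err := HashPassword("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	fmt.Println("salt:", hex.EncodeToString(rec.Salt))
	fmt.Println("key: ", hex.EncodeToString(rec.Key))
	fmt.Println("right password verifies:", VerifyPassword(rec, "correct horse battery staple"))
	fmt.Println("wrong password verifies:", VerifyPassword(rec, "Tr0ub4dor&3"))
}
```

The implementation is checked against the published PBKDF2-HMAC-SHA256 vector for password "password", salt "salt", one iteration. bcrypt or Argon2 (golang.org/x/crypto) are the usual choices in practice; the point of writing PBKDF2 out is that a password hash is a salted, deliberately slow key derivation, which MD5 is not.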
tbiehn, about 9 years ago

The security section, specifically on encryption, is dangerously misleading. It really needs an overhaul.

To start with - DES is broken, you cannot use it. It also totally blasts over important details like -not re-using the same IV- for AES. Really, it should be updated to use a better higher-level general purpose encrypt/decrypt library, which handles all the happy primitives in a way that you can't shoot yourself in the foot.

As for 'base64' being a good encryption algorithm? All the nopes & I can't evens.

The password stuff is pretty bad too. IDK, needs a re-write.
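On the IV point: the shape of a safe encrypt/decrypt pair in Go is an AEAD (AES-256-GCM here, from crypto/cipher) with a fresh random nonce per call and the nonce carried alongside the ciphertext. This is an added example for the thread, not the book's code; the key and message are generated or constructed inline. It shows the three properties the book's section skips: two encryptions of the same message differ, any modification is rejected, and associated data is bound to the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a random 32-byte key for AES-256.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM. A fresh random
// nonce is drawn on every call and prepended to the output; with GCM a repeated
// (key, nonce) pair leaks plaintext relationships and the authentication key,
// so the nonce is never fixed or reused.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || tag
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and fails closed on any change to the nonce, the
// ciphertext, the tag or the associated data.
func Open(key, box, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := box[:aead.NonceSize()], box[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	msg := []byte("constructed sample message") // constructed input
	aad := []byte("user:42")                    // constructed context bound to the ciphertext

	box1, err := Seal(key, msg, aad)
	if err != nil {
		panic(err)
	}
	box2, _ := Seal(key, msg, aad)
	fmt.Println("same plaintext, different ciphertexts:", !bytes.Equal(box1, box2))

	pt, err := Open(key, box1, aad)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)

	box1[len(box1)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, box1, aad)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Compare this with a base64 round trip: base64 has no key, so anyone holding the output has the input, and nothing in it detects modification. The 96-bit random nonce is fine for a moderate number of messages per key; for very high message counts per key, rotate keys or use a nonce-misuse-resistant mode.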
echelon, about 9 years ago

I'm so conflicted by Go. If I want to write a website quickly, I'd use Python. If I were concerned about performance, I have Java. I write my systems stuff in C++ (Rust now). Is there a compelling reason for me to even learn Go? Is it better than Java in some measurable way? Should I take the time to learn it? Honestly curious.
joeblau, about 9 years ago

Over the previous few weeks, I've seen multiple projects including one internal project drop Go. There was the widely publicized story [1] where Dropbox was switching from Go to Rust. More recently one of our backend engineers who built a prototype in Go told us that they pulled all of the GoLang code out in favor of C++/Python citing a huge overhead (I don't remember if it's CPU or Memory footprint). I know a lot of people are touting the concurrency model, but I've seen so many unfavorable technical analyses of Go that I'm starting to question whether I should learn Go or invest my time learning something else?

[1] - http://www.wired.com/2016/03/epic-story-dropboxs-exodus-amazon-cloud-empire/
brightball, about 9 years ago

Looks like a great contribution to the community. Major props for freely releasing it.

Most of the Go references that I tend to come across tend to focus on code, concurrency and APIs without much attention to the full stack web app side. This definitely helps to fill that gap in the community.

Just flipping through the contents and skimming the chapters, the IDE section alone is really impressive.
melle, about 9 years ago

This book is open source: https://github.com/astaxie/build-web-application-with-golang/tree/master/en

To those with suggestions related to e.g. security practices, step up and contribute!
bsaul, about 9 years ago

Sad to see things haven't changed much on the sql front. Many web apps don't care about performance for the language, since the cost of querying the db will be orders of magnitude higher anyway. What they want is a simple one liner to persist object graphs into a DB, because 90% of the code will be glue code around insert from json, and select to json types of features (I'm talking list & forms types of web apps, not the fancy video chat over webrtc demo).

The fact that this book advertises a "build your own orm" solution, with the one given not even able to select 1-many objects, makes me really wonder how in the world one could recommend go for web apps.

Ps: to get a benchmark on what is the current level of productivity expected today for enterprise-like web apps, just have a look at a loopback.io demo. Yes, it's node.js which sucks, but you have to admit that we're pretty far away from manually mapping result columns to struct properties.
konart, about 9 years ago

Needs a lot of proofreading. I'm in the arrays/slices part, and there are a couple of mistakes already.

Like:

// define a slice with 10 elements whose types are bytes
var ar = [10]byte {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j'}
aryehof, about 9 years ago

I find Go to be a concise and productive language for computing infrastructure applications, but struggle to apply it to problems with complex domains in business and industry.

For those, other languages like Java and C# that better support encapsulation and data/information hiding for the modeling of real-world concepts remain suited.

I think the problem with a lot of language discussions is really about the need for many to find the "one true ring" that can be learned and applied everywhere.

Instead, a polyglot approach surely is the best one?
dsies, about 9 years ago

Another project that was posted on HN se months back: http://go-bootstrap.io/

I think it serves as a good example of how one can use go for webapp development.

With that said, after a year+ of writing go in my day to day job, I still gravitate towards dynamic languages for web application development and leave go for most systems programming tasks.
tuananh, about 9 years ago

Offtopic: Is there any decent Go boilerplate for building API?
jayflux, about 9 years ago

Are people who are using Go (for web apps) using it with Apache or Nginx? Or is every go app just using a DIY server? I'm genuinely curious
bpicolo, about 9 years ago

In multiple languages even. Very cool : )
zaroth, about 9 years ago

There's so much good content here, but it's also very surprising how much of it is truly a "roll-your-own and hope you get it right" approach.

If you have to write explicit code in each of your postbacks to check a CSRF token, it's going to happen that not all your posts will end up being protected. If you have to hand-build SQL queries, it's going to happen that you'll have injection vulnerabilities. If you are manually generating and signing cookies, and having to write explicit code to sign them and check signatures... These are all features that should be done in a core library which makes sure these things happen all the time, not just when you remember to, what, copy/paste the code into each of your functions to do it?

There's the overall structure of the code, which seems like it would quickly devolve into chaos. Looking at Section 4.4 there's a 'login' function which handles rendering the GET as well as processing the POST just by if/else on r.Method. You wouldn't want to actually structure a code-base like this, right? Later on, they do show a 'Beego' based router, which seems a bit more sane, but I'm really not a fan of 'showing the wrong way first' as a learning tool.

The particular techniques being used seem very home-grown and not particularly best practice. To prevent double-submit they add a hidden field with token=MD5(time.Now) and also save it to "a session cookie on the server side"? Not quite sure what that means, but I think it's trying to say save the token on the back-end linked to the session, and then verify a POST, from that page, on that session, has that token. And then presumably clean up the storage... The majority of which is not actually coded in the example, making it just a high level roadmap of what you could do, not a practical working starting point.

But anyway, if your goal is to prevent multiple POSTs per GET, and you already have a transactional session state for the user, then you do it with a server-side counter, not a hidden field, and certainly not an "obfuscated" MD5(time.Now). Even if you have no session state, then the simple answer is to create session state, not to create another token which does exactly the same thing as session state, but in a completely insecure manner.

So overall I have a ton of respect for the work that was put into this document, it tries to cover a lot of material and is very easy to read. But I think the details also matter and 1) I can't believe this is idiomatic Go for how to actually route and manage requests, and 2) the entire proposed tool-set for actual secure processing of Sessions, SQL, CSRF, XSS, etc. seems to be totally home-grown and not at all production ready.
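The "check it in a library, not in every handler" point above is what a net/http middleware gives you. This is an added example for the thread, not code from the book or from Beego: the session store is a constructed in-memory stand-in, the `sid` cookie and `csrf_token` form field are assumed names, and the token is random bytes bound to the session rather than an MD5 of the clock. `CSRFProtect` wraps the whole router once, so a handler like the book's `login` contains no token logic and cannot forget it.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// sessionStore is a constructed in-memory stand-in for a session backend.
// It maps a session id to the CSRF token bound to that session.
type sessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newSessionStore() *sessionStore {
	return &sessionStore{tokens: map[string]string{}}
}

func randomHex(nBytes int) string {
	b := make([]byte, nBytes)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// NewSession creates a session with a fresh random token and returns both ids.
func (s *sessionStore) NewSession() (sid, token string) {
	sid, token = randomHex(16), randomHex(32)
	s.mu.Lock()
	s.tokens[sid] = token
	s.mu.Unlock()
	return sid, token
}

func (s *sessionStore) lookup(sid string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	tok, ok := s.tokens[sid]
	return tok, ok
}

// CSRFProtect is applied once at the router: every state-changing request
// must present the token bound to its session. Handlers never check it themselves.
func CSRFProtect(store *sessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods carry no token
			return
		}
		c, err := r.Cookie("sid")
		if err != nil {
			http.Error(w, "no session", http.StatusForbidden)
			return
		}
		expected, ok := store.lookup(c.Value)
		if !ok {
			http.Error(w, "unknown session", http.StatusForbidden)
			return
		}
		got := r.FormValue("csrf_token")
		if subtle.ConstantTimeCompare([]byte(got), []byte(expected)) != 1 {
			http.Error(w, "bad csrf token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Exercise sends one in-memory request through h and returns the status code;
// form is a urlencoded body and sid (if non-empty) becomes the session cookie.
func Exercise(h http.Handler, method, sid, form string) int {
	req := httptest.NewRequest(method, "/login", strings.NewReader(form))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if sid != "" {
		req.AddCookie(&http.Cookie{Name: "sid", Value: sid})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := newSessionStore()
	sid, token := store.NewSession()
	login := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok") // the handler body has no CSRF logic at all
	})
	h := CSRFProtect(store, login)
	fmt.Println("GET:", Exercise(h, "GET", sid, ""))
	fmt.Println("POST without token:", Exercise(h, "POST", sid, "user=alice"))
	fmt.Println("POST wrong token:", Exercise(h, "POST", sid, "user=alice&csrf_token=deadbeef"))
	fmt.Println("POST right token:", Exercise(h, "POST", sid, "user=alice&csrf_token="+token))
}
```

The per-session token answers the CSRF question; the double-submit problem the book conflates with it is a separate concern, handled as the comment says with a server-side counter or nonce tied to the same session state.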
nobullet, about 9 years ago

I would expect something like Go On Rails (no pun intended). That's where history repeats.
Vendan, about 9 years ago

Note, in the IDE section: LiteIDE has gocode bundled, and in most cases, you can leave the GOROOT and such alone. I have yet to need to change it on either linux or windows.
anderspetersson, about 9 years ago

What's the current state of web frameworks for Go? Is there something similar to Django or Rails out or in development?
rajeemcariazo, about 9 years ago

The author is the maker of Beego
sandra_saltlake, about 9 years ago

development time and performance that is only slightly slower to write than Python
farslan, about 9 years ago

The vim section is obsolete. There is no `misc/vim` anymore.
aladine, about 9 years ago

Great book. Thanks
sna1l, about 9 years ago

This is amazing!!
gy0857478, about 9 years ago

thanks for sharing
douche, about 9 years ago

I've got to be honest, when these language shootouts come up (and it feels like I've read a lot of them this week), it reminds me why I'm pretty happy working in C#. I've got great tooling, generally good libraries, a pretty decent core language, and generally, shit just works so I can get shit done.

Is it super sexy, no. Does it win me Internet Geek Points™, no. It's pretty much still Windows-only, but fine, that's the world I live in. The foot-guns are relatively small-caliber, and I've learned enough to avoid pointing most of them. I can do OOP, I can do functional (maybe not super pure ivory-tower monad/ADT/pattern-matching sorcery, but whatever - still have F# on my todo-list...), I can write straight procedural code if I really wanted to. I've even got a REPL and can use it as a scripting language.

Plus, I have generics :-)