I actually wrote a tool[0] to attack gorilla sessions that are mentioned at the bottom of this, and gave a talk on some security functions in Go.<p>The big take-aways from my talk. Go doesn't have a lot of unsafe functions.<p>HTMLTemplates package and exec package are very resistant to common web attacks, so much so that I had trouble writing vulnerable code to XSS and RCE<p>As for the tool that attacks Gorilla Sessions, I found a lot of people on github who were not initializing their session securely. Most people in the first 30 pages of github search were doing it wrong. This is most likely a pretty widespread issue. It seems they didn't realize this was an AES key...The blog post is not completely correct saying it will be used for an HMAC. It will...but it is also used as an AES key.<p>[0] <a href="https://github.com/steakejjs/G2B2" rel="nofollow">https://github.com/steakejjs/G2B2</a>