
Ask HN: Best Resource to learn web programming using Go? - sharmi
In goland, usage of frameworks for web dev is discouraged. The favored way seemsu to be to take the modules from the Go Standard Library and create your own webserver.<p>I would like to know which is the best resource to have an comprehensive understanding of web app development using Go. I have often used django for my previous projects. Django has some decent defaults in terms of handling security. So not having the safety net of a framework sometimes gives me the jitters.  How to handle security in Golang applications? Are there some established best practices or is it to be implemented by the developer?
======
wilsonfiifi
If you can afford it, grab a copy of "Go Web Programming" [0]. It's an
excellent place to start. From there you can ready more advanced blog articles
for more insight into particular ways to solve certain challenges you might
encounter. If you can't afford the book then sign up for "Safari books online"
[1], you'll get a 10 day account which should be enough time to go through the
book.

The reason I'm suggesting a book (and this one in particular) is because blogs
tend to give you a bird's eye view of the subject matter or go into depth on a
subsection. The above mentioned book will go into enough depth for you to
understand the nuances when doing web development with Go. If you've had any
experience with Flask then you should look into a framework like Echo [2] as
mentioned in other comments. There's nothing as polished as Django at the
moment so you'll have to pick the libraries yourself to make up your own
framework however a few worth mentioning are:

    
    
      1. Revel
      2. Buffalo
      3. Beego
    

You can also take a gander at "Awesome Go" [3] which lists some popular
libraries and frameworks used by the community.

Good luck

    
    
      [0] https://www.manning.com/books/go-web-programming
      [1] https://www.safaribooksonline.com/
      [2] https://echo.labstack.com/
      [3] https://github.com/avelino/awesome-go

~~~
jxub
Regarding the 1st book, Manning is offering a 50% discount today on all
offerings.

------
mdasen
I would look at something like Echo. It’s minimal, but it offers some niceties
over just using the standard library.

Ultimately, creating a web endpoint is just about parsing the request and
writing out a response. That’s not to say the in-between is easy or isn’t
easier with better tools. It’s just to note where the Go community sentiment
against frameworks is coming from. With either the standard library or Echo,
you’ll register a function with a route. The function will get a request
object similar to Django and then you’ll call “r.Write” with the response you
want to write out.

Of course, there are things like setting up your database connection that
Django does for you that you’ll now have to do yourself and Django does nicely
select some good tools. But Echo has add one to handle CSRF stuff and I think
will even get you an SSL cert.

I’m on my phone right now, but I can write more later if you’re interested.

~~~
sharmi
Hi mdasen,

I also looked at echo. There are also lots of discussions going on in go
forums about how some frameworks work well with Go's Contexts and others
don't. As a go newbie, it has kind of made me wary.

So any write up from real experience is a boon. Thank you. I will be glad get
your elaborate take. It will help me form a good understanding to build on.

------
JepZ
You might want to read: [https://blog.cloudflare.com/exposing-go-on-the-
internet/](https://blog.cloudflare.com/exposing-go-on-the-internet/)

Personally I use Go to build APIs and place some kind of UI client in front of
it (e.g. a static PWA). That way you don't have to use some Go specific
template engine and can focus on what it is best at.

------
tptacek
I don't know that I accept your premise. There are mainstream frameworks in
Go, and there are people who write Python who also think you should eschew
frameworks, so some of that is just fashion. What I think you can say is that
Go programmers discourage frameworks that take your code out of compatibility
with the net/http interfaces. This used to be a big deal, but ever since
net/context was introduced, is less and less of one.

From a vantage point of being a consultant who reads a lot of people's Go
code, the two things I see getting used a lot in real code are Gin, which is a
full-on framework that historically hasn't been net/http compatible, and
Gorilla, which is (and thus chooses not to call itself a framework at all). I
think the difference between "toolkit" and "framework" is pretty academic.

In the rest of the web programming world, an according-to-Hoyle batteries-
included "framework" ticks off the boxes for model, view, and controller,
where "model" also provides persistence. For Django in Python and Rails in
Ruby, which I think sort of set the standard for what we think about when we
think of frameworks, this means an SQL-generating ORM of some sort. There are
no good Go ORMs, so the frameworks you'll run into in Go tend not to do a
whole lot more than providing a URL matcher/router and before/after middleware
filters.

Security in Go web apps is good-news/bad-news. The good news is that the
language itself forecloses on a bunch of security problems that are common in
other languages; for instance, there's no eval() equivalent you can easily get
to. The bad news is that because there isn't a standard ORM, you're more
likely to have SQL injection than a comparable Django app would --- I still
find SQLI in Go apps somewhat routinely, and virtually never find them in
Django apps. Go's HTML templates do the same reasonable job of stopping XSS
that every other modern framework does. You can get CSRF protection from any
number of libraries (Gorilla provides one; so, I think, does Gin). It's
especially straightforward to configure the "hygiene" security stuff like
TLS/HSTS in Go, because of how closely server and application code is in Go.

Veering more into my own fashion sense, and so take this with a grain of salt:
I find Go pretty painful to code interface and high-level presentation stuff
in, and don't at all enjoy working in Go's html/template system. Rather than
fight it, I just use Go to build JSON API code, and then deliver a React
application as my only real HTML payload. In this design, basically all of the
"user interface" stuff is delegated to ES6, and Go just handles the "model"
and "controller" parts of MVC.

~~~
pvg
_Go just handles the "model" and "controller" parts of MVC._

Or Go really handles the "model" part of "classical" MVC. I mention this just
as kind of entertaining (to the sort of person that finds this kind of minutia
entertaining) curiosity. The meaning of MVC - itself, of course, never a
super-formally defined term - shifted somewhat to fit web apps but as web app
technology got fancy enough to do (very nearly) oldschool MVC, the 'dumb web
app' meaning of MVC is sticking around while 'smart web apps' do something
much closer to OG MVC.

------
pier25
My team looked into it last year and ended up using Echo. It's convenient and
doesn't get too much in your way.

We also used this book as reference: [https://www.manning.com/books/go-web-
programming](https://www.manning.com/books/go-web-programming)

------
alienreborn
[https://gophercises.com](https://gophercises.com)

------
ammmir
I couldn’t imagine writing a huge web app in Go without a framework, but you
can go framework-free if you’re doing microservices or APIs. I recently used
Echo to build my latest side project [https://kvdb.io](https://kvdb.io) \-
Echo and similar frameworks provide small enough API on top of net/http that
you’re reducing boilerplate without framework lock-in. Most provide basic
middleware like anti-CSRF, Basic auth, etc. but for app-wide security and
access control like roles, you might want to use a specific library.

Compared to Rails and Django, Go web dev seems closer to the metal with less
magic going on, and that’s probably a good thing.

------
closeparen
Just so you're aware, one wouldn't typically build a "web app" in Go the way
you would with Rails or Django. Go is more typically used for microservices
deep within the backend (which may even use something like gRPC rather than
HTTP), or for APIs accessed from a SPA. I'm sure you can find all the
traditional tools for working with forms, templates, etc. but that's not where
the community's critical mass is.

~~~
vram22
>Go is more typically used for microservices deep within the backend (which
may even use something like gRPC rather than HTTP)

What are some criteria for using (g)RPC vs. HTTP (if by HTTP you mean REST-
style too)? I had read part of a series of posts about RPC vs. REST by Steve
Vinoski (who was formerly involved with CORBA, IIRC), but that was some years
ago, so 1) I don't remember his arguments well, and 2) the tech may have
changed since then.

~~~
closeparen
REST is not very structured and means something a little different to every
implementer. Systems like Thrift and GRPC build an uambiguous contract around
the request and response schema, with IDL serving as documentation whose
correctness is mechanically enforced. Since both parties have the IDL, the
messages can be packed efficiently on the wire without any field names and in
formats that are less computationally intensive to parse/serialize than JSON.
It’s also relatively clear which IDL changes are breaking and which are
backwards compatible (the latter being the only kind you can sanely make in a
running distributed system). The wire protocol can be less chatty and better
suited to multiplexing a high volume of traffic along the same socket, which
was a shortcoming of HTTP until relatively recently with HTTP2.

~~~
vram22
Thanks, makes sense.

------
zyngaro
The go programming language book. Not focused on web development whatever that
means particularly but introduces a lot and some advanced concepts and
constructs of the language that are very useful/fundamental in server
programming. I think GOPL is the only book you need to read about golang. I
did not read other related books though so take that last statement with a
pinch of salt.

------
dpeck
If I might tack on a followup question, I'd love to see a full example of a
set of CRUD endpoints for AWS Lambda using Go. There are a good number of
tutorials covering it, but they all feel very superficial and missing things
like validation/etc.

------
segmondy
Work thru gowebexamples.com I assume you already have worked through a go book
or tutorial

~~~
sharmi
Yes, I worked through a tour of go and followed it by some small programs for
my projects. I will try gowebexamples next. Thank you.

------
terminalcommand
For basic tasks, I'd also advocate for using the Go standard library. But for
any non-trivial project you need to use some library, at least Gorilla
toolkit. Implementing everything by yourself would take ages.

I think if you're used to a framework, you don't need to reinvent the wheel by
sticking to the Go standard library. Know that the Go standard library exists
and how it works but use frameworks for productivity.

In Goland, you jump to definitions and see things for yourself anyway. Even
while using the standard library you generally read most of the code to be
able to understand it. A framework would be no different, you'll read parts of
its code rather than just passively looking at the documentation. Idiomatic Go
encourages you to engage with the code, rather than just consume it.

There are many frameworks out there that leverage Go's advantages (simple
code, single binary, fast, very little RAM usage) while maintaining a higher
level programming interface. I'd encourage you to try some of these
frameworks.

Examples that come to mind are: Gobufallo
[[https://gobuffalo.io/en](https://gobuffalo.io/en)] Revel
[[https://revel.github.io/](https://revel.github.io/)] Iris [[https://iris-
go.com/](https://iris-go.com/)]

To learn the basics of security handling in Golang, you could learn the basic
web security concepts from OWASP Top 10 lists and other sources. The things
you'll need to work at are mostly: preventing SQL Injection (the standard db
driver does a good job in parameter substitution), implementing CSRF
protection, Securely Generating And Storing Sessions (Gorilla toolkit will
help here), and securing your databases (especially passwords) by only storing
passwords hashed and salted.

As Django is a full-fledged very high level framework, you might find it
easier to look up on some Flask documentation to see how barebone web
programming works. Golang + gorilla toolkit gets you on a microframework level
(like Flask).

The other frameworks I mentioned Gobufallo, revel etc. will provide you with a
more familiar environment, as they come with code generators and templates.

When it comes to best practices, I'd advise to learn more about idiomatic Go
programming and learn about some fundamental web security topics.

I remember that I was also very scared that if I attempt to code any site by
hand I'd leave a lot of security holes behind. But the truth is, most of the
security flaws stem from complexity. If you know the basics such as sql
injection, safe encryption algorithms etc. and keep your code clean, there is
no need to be scared.

On a side note: if you had the patience of being able to get through the steep
learning curve of django, you won't have a hard time doing things the old
fashioned way by using httplisteners and httpwriters. IMO people tend to stick
with microframeworks and CGI because they are simple.

~~~
sharmi
Thanks for the input terminalcommand. Lots of interesting pointers.

Which framework do you use?

~~~
terminalcommand
The only serious web application I've written (a social blogging application)
was written in Flask. I was relatively new to web programming and taught
myself everything from using template engines to SQL to server management.
That's when most of the web programming concepts clicked with me.

I've attempted to use Django on multiple occasions but was put off by the
sheer magic it entailed. (This was me before I singlehandedly coded a social
media application and saw first hand how a project could consume all your
mental resources. I made the mistake of jumping into things yelling "fail
early fail fast" back then)

Currently I'm back on working on personal projects. Nowadays I mostly write
networking applications in Go, I've recently been writing an irc library. I
learned a lot about parsing, networking protocols etc.

As for Go web frameworks, I've been meaning to test these frameworks for a
long time, if I were to start a project now, I'd go with gobufallo. When I had
done my research on it (August 2017), it seemed to have excellent
documentation and tooling.

------
orschiro
Any popular website example built in Go?

