Scheduled jobs get risky when deploys overlap or when jobs take longer than their interval. I use robfig/cron with a wrapper that creates a per-run context.WithTimeout, adds a bit of jitter to avoid synchronized load across instances, and logs start/f

I don’t try to re-implement full JSON Schema in Go, but I do like returning validation errors that are easy for clients to render. The pattern is: decode into a struct, validate required fields and invariants, and return a slice of {field, message} is

I like config that fails loudly when it’s wrong. The helpers below parse environment variables with explicit defaults and good error messages, which prevents subtle “zero value” behavior in production. This is especially important for flags like ENABL

Rate limits are normal in production; what matters is how clients behave when they hit them. Instead of hammering an upstream with immediate retries, I parse Retry-After (seconds) and sleep before retrying. I still keep an upper bound so one request d

When multiple services call the same upstream, I like a custom http.RoundTripper to centralize cross-cutting behavior: inject headers, measure duration, and apply consistent redaction rules. This keeps call sites clean and prevents copy/paste mistakes

net/http/pprof is incredibly useful during performance incidents, but it should never be open to the public internet. I register the pprof handlers on a separate mux and wrap them with Basic Auth (or, better, your real auth middleware). The important

When you’re on call, you eventually ask: “what version is running?” I expose a tiny /version endpoint that returns build metadata derived from debug.ReadBuildInfo plus a few variables set at build time. The goal isn’t perfect SBOMs; it’s fast debuggin

I’ve started using log/slog for services that want structured logs without a heavy dependency. The key is treating the request logger as data: create a base logger with JSON output, then derive a request logger with fields like request_id and path. I

CORS is one of those features that becomes security-sensitive by accident. Instead of Access-Control-Allow-Origin: *, I keep a strict allowlist and echo back the exact origin only when it’s approved. I also handle OPTIONS preflight requests explicitly

Webhook endpoints should assume the internet is hostile. I verify the request with an HMAC signature derived from the raw body and a shared secret, and I use hmac.Equal to avoid timing leaks. The key detail is reading the body exactly once: the server

When latency matters, I benchmark the smallest interesting unit and watch allocations. In Go, a surprising number of regressions come from accidental heap churn: converting []byte to string, building lots of temporary maps, or using fmt.Sprintf in loo

Go’s table-driven tests are one of the best “boring but effective” practices. For handlers, I use httptest.NewRecorder and httptest.NewRequest so tests run fast without networking. Each case specifies method, path, body, expected status, and sometimes