Webhook endpoints should assume the internet is hostile. I verify the request with an HMAC signature derived from the raw body and a shared secret, and I use hmac.Equal to avoid timing leaks. The key detail is reading the body exactly once: the server

When latency matters, I benchmark the smallest interesting unit and watch allocations. In Go, a surprising number of regressions come from accidental heap churn: converting []byte to string, building lots of temporary maps, or using fmt.Sprintf in loo

Go’s table-driven tests are one of the best “boring but effective” practices. For handlers, I use httptest.NewRecorder and httptest.NewRequest so tests run fast without networking. Each case specifies method, path, body, expected status, and sometimes

I like feature flags that are boring at runtime: reads should be lock-free and refresh should happen in the background. The pattern here stores a JSON flag snapshot in an atomic.Value, which makes reads cheap and race-free. A ticker refreshes the snap

When clients upload files directly to S3, your API avoids handling large payloads and you get better scalability. I generate a presigned PUT URL with a short expiry and a constrained object key prefix so users can’t overwrite arbitrary objects. The cr

Optimistic locking is great for most user edits, but sometimes you need strict serialization—like decrementing inventory or consuming a one-time token. In those cases I use SELECT ... FOR UPDATE inside a transaction. The lock is scoped to the transact

When multiple clients can update the same record, I prefer optimistic locking over heavy row locks. The idea is simple: every row has a version that increments on each update. The update statement includes WHERE id=$1 AND version=$2, so if someone els

Never store passwords as raw strings, and don’t invent your own hashing scheme. I use bcrypt with a cost that’s calibrated for the environment (fast enough for login throughput, slow enough to resist offline cracking). The trick is to treat the cost a

Config bugs are some of the most expensive production incidents because they vary by environment and can be hard to reproduce. I keep configuration in a typed struct, load it from environment variables, and validate it before the server starts. The va

One of the easiest ways to reduce frontend complexity is to be consistent about API responses. I keep a small helper that always sets Content-Type: application/json; charset=utf-8, uses a stable error envelope (error + optional details), and returns c

ETags are a low-effort way to cut bandwidth and CPU when clients poll for resources that rarely change. The server computes an ETag for the representation (often a version, content hash, or updated_at value) and compares it to If-None-Match. If they m

SSE is my go-to for “live updates” when I don’t need full bidirectional WebSockets. The key is to set the right headers (Content-Type: text/event-stream, Cache-Control: no-cache) and to flush periodically so intermediaries don’t buffer. I send heartbe