Enforce JSON Content-Type and method early in handlers

A lot of handler complexity disappears if you reject bad requests early. I enforce the HTTP method (POST, PUT, etc.) and require Content-Type: application/json before attempting to decode. This prevents confusing errors where clients send form-encoded
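An added example of that early rejection in Go, written for this page rather than taken from it. The `/users` endpoint, the 1 MiB body cap and the `createUserReq` shape are assumptions for illustration. Beyond method and media type it also caps the body size and rejects unknown fields and trailing data, which is where most "confusing" decode behaviour comes from. Requiring `application/json` has a security side effect worth knowing: a browser cannot send that media type cross-origin without a CORS preflight, so a plain HTML form cannot be used to CSRF the endpoint.

```go
package main

import (
	"encoding/json"
	"errors"
	"io"
	"mime"
	"net/http"
)

// maxBody caps the request body so a client cannot make the decoder buffer an
// arbitrary amount of memory. 1 MiB is a value chosen for this example.
const maxBody = 1 << 20

// requireJSON rejects anything that is not `method` with a JSON body before
// the wrapped handler runs. Browsers cannot send a cross-origin
// application/json body without a CORS preflight, so this also blocks simple
// form-based CSRF against the endpoint.
func requireJSON(method string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != method {
			w.Header().Set("Allow", method)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		// Parse the media type so "application/json; charset=utf-8" passes
		// while form encodings, text/plain and a missing header do not.
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/json" {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, maxBody)
		next(w, r)
	}
}

// decodeJSON decodes exactly one JSON object into dst. Unknown fields are
// rejected (no silent mass assignment) and so is trailing data after the object.
func decodeJSON(r *http.Request, dst any) error {
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(dst); err != nil {
		return err
	}
	if err := dec.Decode(&struct{}{}); !errors.Is(err, io.EOF) {
		return errors.New("body must contain a single JSON object")
	}
	return nil
}

// createUserReq is the body of a hypothetical POST /users endpoint.
type createUserReq struct {
	Email string `json:"email"`
}

func createUser(w http.ResponseWriter, r *http.Request) {
	var req createUserReq
	if err := decodeJSON(r, &req); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "invalid JSON: "+err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated)
	_, _ = io.WriteString(w, "created "+req.Email)
}

// Handler returns the routed mux so it can be served or driven with
// net/http/httptest.
func Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/users", requireJSON(http.MethodPost, createUser))
	return mux
}

func main() {
	_ = http.ListenAndServe("127.0.0.1:8080", Handler())
}
```

A form-encoded POST gets a 415, a GET gets a 405 with an `Allow` header, an oversized body gets a 413, and `{"email":"a@b"}{}` or an extra `"admin":true` field gets a 400, all before any business logic runs.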

Singleflight cache fill to prevent thundering herd

When a cache key expires, it’s easy for a burst of requests to stampede the database. I use singleflight.Group to ensure only one goroutine performs the expensive fill per key while others wait for the shared result. This doesn’t replace proper TTLs o

Django custom user model with email authentication

Using email instead of username for authentication is a common requirement. I extend AbstractBaseUser and create a custom user manager early in the project because switching later means complex data migrations. The key is setting USERNAME_FIELD = 'ema

Sanitize user HTML safely (DOMPurify + JSDOM)

Letting users paste rich content is a product requirement that can become a security nightmare. I never try to write my own sanitizer. Instead, I run HTML through DOMPurify using JSDOM on the server and keep the allowlist small (minimal tags + attribu

Turbo Drive: disable caching on volatile admin pages

Turbo Drive caches pages aggressively, which is usually great. For volatile admin dashboards (counts, queues, toggles) you often want no-cache to avoid confusing “stale UI” bugs. turbo_cache_control makes the intent explicit.

Deterministic Sorting with Secondary Key

If you sort by a non-unique column (score, created_at), pagination can “skip” or “duplicate” records. Always add a secondary unique key like id for deterministic ordering.

Use `touch_all` for Efficient “Bump Updated At”

When you need to invalidate caches by changing timestamps, use touch_all rather than touching records one by one. It issues a single UPDATE for the whole relation without instantiating the models, so no callbacks or validations fire and you do not pay for N round trips or trigger side effects you did not ask for.

Email delivery via HTTP provider with context, timeout, and idempotency

For transactional email, the reliability problem is usually latency and retries, not MIME formatting. I prefer an HTTP email provider because requests are easy to bound with context.WithTimeout and easier to observe than raw SMTP. The code below build
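An added Go example of the pattern, written for this page and not taken from it. The provider API is hypothetical (`POST {BaseURL}/v1/messages` with a bearer token, an `Idempotency-Key` header and a JSON `{"id": ...}` reply); real providers differ in field names but the shape is the same. Each attempt is bounded by `context.WithTimeout` derived from the caller's context, transient failures (network errors, 429, 5xx) are retried with backoff, and the idempotency key is supplied by the caller from the business event so every retry carries the same key and the provider can deduplicate.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"time"
)

// Message is what the application wants delivered. IdempotencyKey must be
// stable across retries (derived from the event, e.g. "order-1234-confirmation",
// not a fresh UUID per attempt) so the provider can deduplicate.
type Message struct {
	IdempotencyKey string `json:"-"`
	From           string `json:"from"`
	To             string `json:"to"`
	Subject        string `json:"subject"`
	Text           string `json:"text"`
}

// Mailer talks to a hypothetical HTTP email API.
type Mailer struct {
	BaseURL    string
	APIKey     string
	Client     *http.Client
	PerAttempt time.Duration // bound on a single round trip
	MaxTries   int
}

var ErrNoIdempotencyKey = errors.New("mailer: message needs an idempotency key")

// Send delivers msg, retrying transient failures while ctx allows. The overall
// deadline is the caller's; PerAttempt bounds each try so a hung provider
// cannot hold the request open indefinitely.
func (m *Mailer) Send(ctx context.Context, msg Message) (string, error) {
	if msg.IdempotencyKey == "" {
		return "", ErrNoIdempotencyKey
	}
	body, err := json.Marshal(msg)
	if err != nil {
		return "", err
	}
	var lastErr error
	for attempt := 1; attempt <= m.MaxTries; attempt++ {
		id, retry, err := m.attempt(ctx, msg.IdempotencyKey, body)
		if err == nil {
			return id, nil
		}
		lastErr = err
		if !retry || attempt == m.MaxTries {
			break
		}
		// Quadratic backoff, abandoned as soon as the caller's context ends.
		select {
		case <-ctx.Done():
			return "", ctx.Err()
		case <-time.After(time.Duration(attempt*attempt) * 50 * time.Millisecond):
		}
	}
	return "", lastErr
}

// attempt performs one bounded request. retry is true for network errors and
// 429/5xx; any other 4xx is the caller's bug and is not retried.
func (m *Mailer) attempt(ctx context.Context, key string, body []byte) (id string, retry bool, err error) {
	ctx, cancel := context.WithTimeout(ctx, m.PerAttempt)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, m.BaseURL+"/v1/messages", bytes.NewReader(body))
	if err != nil {
		return "", false, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+m.APIKey)
	req.Header.Set("Idempotency-Key", key)
	resp, err := m.Client.Do(req)
	if err != nil {
		return "", true, err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusAccepted:
		var r struct {
			ID string `json:"id"`
		}
		if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<16)).Decode(&r); err != nil {
			return "", false, err
		}
		return r.ID, false, nil
	case resp.StatusCode == http.StatusTooManyRequests || resp.StatusCode >= 500:
		return "", true, fmt.Errorf("provider returned %d", resp.StatusCode)
	default:
		return "", false, fmt.Errorf("provider rejected message: %d", resp.StatusCode)
	}
}

func main() {
	m := &Mailer{BaseURL: "https://mail.example", APIKey: "token", Client: http.DefaultClient,
		PerAttempt: 3 * time.Second, MaxTries: 3}
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	id, err := m.Send(ctx, Message{IdempotencyKey: "order-1234-confirmation",
		From: "noreply@example.com", To: "user@example.com", Subject: "Order 1234", Text: "Thanks."})
	fmt.Println(id, err)
}
```

The split between the caller's context and the per-attempt timeout is the part that matters operationally: a 10 s request budget with 3 s per attempt gives the provider a bounded number of chances, and the caller's cancellation wins during the backoff sleep as well as mid-request.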

Playwright smoke test for auth flow

When auth breaks in the UI, it’s expensive and it always seems to happen at the worst time. I keep one or two Playwright smoke tests that cover the critical path: login, navigate, create something, logout. The goal isn’t to test every edge case; it’s

Safe Pagination with Keyset (No OFFSET)

OFFSET gets slower as tables grow and becomes inconsistent under writes. Keyset pagination is stable and fast: paginate by (created_at, id) cursor. This is a common “senior Rails” upgrade for activity feeds.
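An added example covering both the secondary-key ordering from "Deterministic Sorting with Secondary Key" and keyset pagination; it is written for this page and is not code from the author or any project. The two SQL strings are the queries a `posts` table would be paged with (the table and column names are assumptions); the Go functions mirror those queries over an in-memory slice so that the OFFSET-vs-keyset behaviour under a concurrent insert can be seen without a database. The sample rows are constructed so that every page boundary can land on a `created_at` tie.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Row is a feed item: CreatedAt is not unique, ID is.
type Row struct {
	ID        int64
	CreatedAt time.Time
}

// Cursor is the (created_at, id) of the last row the client has already seen.
type Cursor struct {
	CreatedAt time.Time
	ID        int64
}

// The two queries the in-memory functions below mirror. The secondary key on
// id is what makes the ORDER BY deterministic and the cursor comparison exact.
const (
	feedOffsetSQL = `SELECT id, created_at FROM posts
ORDER BY created_at DESC, id DESC LIMIT $1 OFFSET $2`
	feedKeysetSQL = `SELECT id, created_at FROM posts
WHERE (created_at, id) < ($1, $2)
ORDER BY created_at DESC, id DESC LIMIT $3`
)

// feedBefore reports whether a precedes b in feed order: newest first, and on
// equal timestamps the higher id first.
func feedBefore(a, b Row) bool {
	if !a.CreatedAt.Equal(b.CreatedAt) {
		return a.CreatedAt.After(b.CreatedAt)
	}
	return a.ID > b.ID
}

func sorted(rows []Row) []Row {
	out := append([]Row(nil), rows...)
	sort.Slice(out, func(i, j int) bool { return feedBefore(out[i], out[j]) })
	return out
}

// PageOffset mirrors feedOffsetSQL.
func PageOffset(rows []Row, limit, offset int) []Row {
	s := sorted(rows)
	if offset >= len(s) {
		return nil
	}
	if end := offset + limit; end < len(s) {
		return s[offset:end]
	}
	return s[offset:]
}

// PageKeyset mirrors feedKeysetSQL; a nil cursor is the first page.
func PageKeyset(rows []Row, limit int, cur *Cursor) []Row {
	var out []Row
	for _, r := range sorted(rows) {
		if cur != nil && !feedBefore(Row{ID: cur.ID, CreatedAt: cur.CreatedAt}, r) {
			continue // at or before the cursor: already delivered
		}
		if out = append(out, r); len(out) == limit {
			break
		}
	}
	return out
}

// NextCursor is what the API hands back to the client with each page.
func NextCursor(page []Row) *Cursor {
	if len(page) == 0 {
		return nil
	}
	last := page[len(page)-1]
	return &Cursor{CreatedAt: last.CreatedAt, ID: last.ID}
}

func IDs(rows []Row) []int64 {
	out := make([]int64, 0, len(rows))
	for _, r := range rows {
		out = append(out, r.ID)
	}
	return out
}

// sampleRows is constructed data: ids 1..10 where each pair shares a timestamp.
func sampleRows() []Row {
	base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	rows := make([]Row, 0, 10)
	for id := int64(1); id <= 10; id++ {
		rows = append(rows, Row{ID: id, CreatedAt: base.Add(time.Duration((id+1)/2) * time.Minute)})
	}
	return rows
}

func main() {
	rows := sampleRows()
	first := PageKeyset(rows, 3, nil)
	cur := NextCursor(first)
	// A new post lands while the client is between pages.
	rows = append(rows, Row{ID: 11, CreatedAt: rows[9].CreatedAt.Add(time.Hour)})
	fmt.Println("page 1:       ", IDs(first))
	fmt.Println("offset page 2:", IDs(PageOffset(rows, 3, 3))) // repeats id 8
	fmt.Println("keyset page 2:", IDs(PageKeyset(rows, 3, cur)))
}
```

With the insert between pages, the OFFSET query serves id 8 twice because everything shifted down by one; the keyset query picks up exactly where the cursor left off, even though rows 7 and 8 share a timestamp, because the id tie-break is part of the comparison.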

Redis cache-aside for expensive reads

Most ‘caching’ bugs are really invalidation bugs, so I stick to a simple cache-aside pattern with conservative TTLs and treat cache misses as normal. The big failure mode to avoid is a stampede: if many requests miss at once, you can crush your DB. Fo
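An added example that serves both this section and "Singleflight cache fill to prevent thundering herd" above; it is written for this page and is not the author's code. It assumes a `Cache` interface that a Redis client would be wrapped to satisfy, and uses an in-process stand-in so it runs offline. The `group` type is a deliberately minimal reimplementation of what `singleflight.Group.Do` does, included only to avoid a dependency; in real code use `golang.org/x/sync/singleflight`. The detail worth copying is the second cache check inside the flight: without it, a request that missed just before the previous fill completed starts a fresh origin query of its own.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// Cache is the minimal surface cache-aside needs; a Redis client would be
// wrapped to satisfy it. Get reports ok=false on a miss (or on a cache error).
type Cache interface {
	Get(ctx context.Context, key string) (value []byte, ok bool)
	Set(ctx context.Context, key string, value []byte, ttl time.Duration)
}

// memCache is an in-process stand-in for Redis so the example runs offline.
type memCache struct {
	mu      sync.Mutex
	values  map[string][]byte
	expires map[string]time.Time
}

func newMemCache() *memCache {
	return &memCache{values: map[string][]byte{}, expires: map[string]time.Time{}}
}

func (m *memCache) Get(_ context.Context, key string) ([]byte, bool) {
	m.mu.Lock()
	defer m.mu.Unlock()
	v, ok := m.values[key]
	if !ok || time.Now().After(m.expires[key]) {
		delete(m.values, key)
		delete(m.expires, key)
		return nil, false
	}
	return v, true
}

func (m *memCache) Set(_ context.Context, key string, v []byte, ttl time.Duration) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.values[key], m.expires[key] = v, time.Now().Add(ttl)
}

// group is a minimal singleflight: concurrent Do calls for one key share a
// single execution of fn. It stands in for golang.org/x/sync/singleflight.Group.
type call struct {
	done chan struct{}
	val  []byte
	err  error
}

type group struct {
	mu    sync.Mutex
	calls map[string]*call
}

func (g *group) Do(key string, fn func() ([]byte, error)) ([]byte, error) {
	g.mu.Lock()
	if g.calls == nil {
		g.calls = map[string]*call{}
	}
	if c, ok := g.calls[key]; ok { // a fill is already running: wait for it
		g.mu.Unlock()
		<-c.done
		return c.val, c.err
	}
	c := &call{done: make(chan struct{})}
	g.calls[key] = c
	g.mu.Unlock()
	c.val, c.err = fn()
	g.mu.Lock()
	delete(g.calls, key)
	g.mu.Unlock()
	close(c.done)
	return c.val, c.err
}

// ReadThrough is cache-aside with stampede protection around the fill.
type ReadThrough struct {
	cache Cache
	ttl   time.Duration
	load  func(ctx context.Context, key string) ([]byte, error) // authoritative read
	g     group
}

func (rt *ReadThrough) Get(ctx context.Context, key string) ([]byte, error) {
	if v, ok := rt.cache.Get(ctx, key); ok {
		return v, nil
	}
	return rt.g.Do(key, func() ([]byte, error) {
		// Re-check inside the flight: a request that missed just before the
		// previous fill finished must not trigger a second origin query.
		if v, ok := rt.cache.Get(ctx, key); ok {
			return v, nil
		}
		v, err := rt.load(ctx, key)
		if err != nil {
			return nil, err // failures are not cached; the next request retries
		}
		rt.cache.Set(ctx, key, v, rt.ttl)
		return v, nil
	})
}

func main() {
	rt := &ReadThrough{cache: newMemCache(), ttl: time.Minute,
		load: func(_ context.Context, k string) ([]byte, error) { return []byte("row:" + k), nil }}
	v, err := rt.Get(context.Background(), "user:42")
	fmt.Println(string(v), err)
}
```

Waiters share the first caller's context and result, which is the same trade-off `singleflight` makes; if per-caller cancellation matters, `DoChan` plus a select on the caller's context is the usual answer.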

Optimistic locking with a version column

When multiple clients can update the same record, I prefer optimistic locking over heavy row locks. The idea is simple: every row has a version that increments on each update. The update statement includes WHERE id=$1 AND version=$2, so if someone els
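An added Go example of the version-column pattern, written for this page and not the author's code. `sqlRepo` is the `database/sql` form against an assumed `accounts(id, balance, version)` table, where `RowsAffected() == 0` is the conflict signal; `memRepo` mirrors the same compare-and-bump semantics in memory so the block runs offline. `Withdraw` is the read-modify-write loop that optimistic locking implies: on `ErrStaleVersion` it re-reads the row and re-evaluates the business rule against fresh data, which is what stops two concurrent withdrawals from both passing a balance check that only one of them should.

```go
package main

import (
	"context"
	"database/sql"
	"errors"
	"fmt"
	"sync"
)

// Account is the row; Version is bumped by every successful write.
type Account struct {
	ID, Balance, Version int64
}

var (
	ErrStaleVersion = errors.New("row changed since it was read")
	ErrInsufficient = errors.New("insufficient balance")
)

// Repo is the two operations optimistic locking needs: read a row with its
// version, and write only if that version is still current.
type Repo interface {
	Load(ctx context.Context, id int64) (Account, error)
	Save(ctx context.Context, a Account, newBalance int64) error
}

// sqlRepo is the database/sql form. The WHERE clause carries the version
// check and zero affected rows means someone else wrote first.
type sqlRepo struct{ db *sql.DB }

var _ Repo = sqlRepo{}

func (r sqlRepo) Load(ctx context.Context, id int64) (Account, error) {
	var a Account
	err := r.db.QueryRowContext(ctx,
		`SELECT id, balance, version FROM accounts WHERE id = $1`, id).
		Scan(&a.ID, &a.Balance, &a.Version)
	return a, err
}

func (r sqlRepo) Save(ctx context.Context, a Account, newBalance int64) error {
	res, err := r.db.ExecContext(ctx,
		`UPDATE accounts SET balance = $1, version = version + 1 WHERE id = $2 AND version = $3`,
		newBalance, a.ID, a.Version)
	if err != nil {
		return err
	}
	n, err := res.RowsAffected()
	if err != nil {
		return err
	}
	if n == 0 {
		return ErrStaleVersion
	}
	return nil
}

// memRepo mirrors the SQL semantics in memory so the example runs offline.
type memRepo struct {
	mu   sync.Mutex
	rows map[int64]Account
}

func newMemRepo(rows ...Account) *memRepo {
	m := &memRepo{rows: map[int64]Account{}}
	for _, a := range rows {
		m.rows[a.ID] = a
	}
	return m
}

func (m *memRepo) Load(_ context.Context, id int64) (Account, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	a, ok := m.rows[id]
	if !ok {
		return Account{}, sql.ErrNoRows
	}
	return a, nil
}

func (m *memRepo) Save(_ context.Context, a Account, newBalance int64) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	cur, ok := m.rows[a.ID]
	if !ok || cur.Version != a.Version {
		return ErrStaleVersion // same outcome as "0 rows affected"
	}
	m.rows[a.ID] = Account{ID: a.ID, Balance: newBalance, Version: cur.Version + 1}
	return nil
}

// Withdraw is the read-modify-write loop. On a conflict it re-reads the row so
// the balance check runs against fresh data instead of the stale copy.
func Withdraw(ctx context.Context, repo Repo, id, amount int64, maxTries int) (Account, error) {
	for try := 1; try <= maxTries; try++ {
		a, err := repo.Load(ctx, id)
		if err != nil {
			return Account{}, err
		}
		if a.Balance < amount {
			return a, ErrInsufficient
		}
		switch err := repo.Save(ctx, a, a.Balance-amount); {
		case err == nil:
			return Account{ID: id, Balance: a.Balance - amount, Version: a.Version + 1}, nil
		case !errors.Is(err, ErrStaleVersion):
			return Account{}, err
		}
	}
	return Account{}, fmt.Errorf("withdraw: gave up after %d conflicts", maxTries)
}

func main() {
	repo := newMemRepo(Account{ID: 1, Balance: 100, Version: 1})
	fmt.Println(Withdraw(context.Background(), repo, 1, 30, 5))
}
```

Bounding the retry count matters: under heavy contention an unbounded loop turns a hot row into a CPU and connection sink, and a surfaced "gave up" error is more honest than a request that spins.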