Go Defensive Programming Patterns
Defensive Checklist Priority
When hardening code at API boundaries, check in this order:
Reviewing an API boundary?
โโ 1. Error handling โ Return errors; don't panic (see go-error-handling)
โโ 2. Input validation โ Copy slices/maps received from callers
โโ 3. Output safety โ Copy slices/maps before returning to callers
โโ 4. Resource cleanup โ Use defer for Close/Unlock/Cancel
โโ 5. Interface checks โ var _ Interface = (*Type)(nil) for compile-time verification
โโ 6. Time correctness โ Use time.Time and time.Duration, not int/float
โโ 7. Enum safety โ Start iota at 1 so zero-value is invalid
โโ 8. Crypto safety โ crypto/rand for keys, never math/rand
Quick Reference
| Pattern |
Rule |
Details |
| Boundary copies |
Copy slices/maps on receive and return |
BOUNDARY-COPYING.md |
| Defer cleanup |
defer f.Close() right after os.Open |
Below |
| Interface check |
var _ I = (*T)(nil) |
See go-interfaces |
| Time types |
time.Time / time.Duration, never raw int |
TIME-ENUMS-TAGS.md |
| Enum start |
iota + 1 so zero = invalid |
Below |
| Crypto rand |
crypto/rand for keys, never math/rand |
Below |
| Must functions |
Only at init; panic on failure |
MUST-FUNCTIONS.md |
| Panic/recover |
Never expose panics across packages |
PANIC-RECOVER.md |
| Mutable globals |
Replace with dependency injection |
Below |
Verify Interface Compliance
Use compile-time checks to verify interface implementation. See go-interfaces: Interface Satisfaction Checks for the full pattern.
var _ http.Handler = (*Handler)(nil)
Copy Slices and Maps at Boundaries
Slices and maps contain pointers to underlying data. Copy at API boundaries to prevent unintended modifications.
d.trips = make([]Trip, len(trips))
copy(d.trips, trips)
result := make(map[string]int, len(s.counters))
for k, v := range s.counters { result[k] = v }
Read references/BOUNDARY-COPYING.md when copying slices or maps at API boundaries, or deciding when defensive copies are necessary vs. when they can be skipped.
Defer to Clean Up
Use defer to clean up resources (files, locks). Avoids missed cleanup on multiple return paths.
p.Lock()
defer p.Unlock()
if p.count < 10 {
return p.count
}
p.count++
return p.count
Defer overhead is negligible. Place defer f.Close() immediately after
os.Open for clarity. Arguments to deferred functions are evaluated when
defer executes, not when the function runs. Multiple defers execute in
LIFO order.
Struct Field Tags
Advisory: Always add explicit field tags to structs that are marshaled or unmarshaled.
type User struct {
Name string `json:"name" yaml:"name"`
Email string `json:"email" yaml:"email"`
}
Field tags are a serialization contract โ renaming a struct field without
updating the tag silently breaks wire compatibility. Treat tags as part of
the public API for any type that crosses a serialization boundary.
Start Enums at One
Start enums at non-zero to distinguish uninitialized from valid values.
const (
Add Operation = iota + 1
Subtract
Multiply
)
Exception: When zero is the sensible default (e.g., LogToStdout = iota).
Time, Struct Tags, and Embedding
Read references/TIME-ENUMS-TAGS.md when using time.Time/time.Duration instead of raw ints, adding field tags to marshaled structs, or deciding whether to embed types in public structs.
Avoid Mutable Globals
Inject dependencies instead of mutating package-level variables. This makes
code testable without global save/restore.
type signer struct {
now func() time.Time
}
func newSigner() *signer {
return &signer{now: time.Now}
}
Read references/GLOBAL-STATE.md when deciding whether a global variable is appropriate, designing the New() + Default() package state pattern, or replacing mutable globals with dependency injection.
Crypto Rand
Do not use math/rand or math/rand/v2 to generate keys โ this is a
security concern. Time-seeded generators have predictable output.
import "crypto/rand"
func Key() string { return rand.Text() }
For text output, use crypto/rand.Text directly, or encode random bytes
with encoding/hex or encoding/base64.
Panic and Recover
Use panic only for truly unrecoverable situations. Library functions
should avoid panic.
func safelyDo(work *Work) {
defer func() {
if err := recover(); err != nil {
log.Println("work failed:", err)
}
}()
do(work)
}
Key rules:
- Never expose panics across package boundaries โ always convert to errors
- Acceptable to panic in
init() if a library truly cannot set itself up
- Use recover to isolate panics in server goroutine handlers
Read references/PANIC-RECOVER.md when writing panic recovery in HTTP servers, using panic as an internal control flow mechanism in parsers, or deciding between log.Fatal and panic.
Must Functions
Must functions panic on error โ use them only during program
initialization where failure means the program cannot run.
var validID = regexp.MustCompile(`^[a-z][a-z0-9-]{0,62}$`)
var tmpl = template.Must(template.ParseFiles("index.html"))
Read references/MUST-FUNCTIONS.md when writing custom Must functions, deciding whether Must is appropriate for a given call site, or wrapping fallible initialization in a panicking helper.
Related Skills
- Error handling: See go-error-handling when choosing between returning errors and panicking, or wrapping errors at boundaries
- Concurrency safety: See go-concurrency when protecting shared state with mutexes, atomics, or channels
- Interface checks: See go-interfaces when adding compile-time interface satisfaction checks (
var _ I = (*T)(nil))
- Data structure copying: See go-data-structures when working with slice/map internals or pointer aliasing
