by lakomen 1304 days ago
Same old topic.

I use gin. It's not perfect; streaming (EventSource) in particular is broken. But the rest has actual hands-on solutions.

  ctx.SecureJSON()
Not a single one of the other packages has something like that. Keyword: JSON hijacking protection. Yes, it's still a thing.
2 comments

Isn't it just prepending "while(1);" to your responses? If that's all you need, it seems like dependency overkill.
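What ctx.SecureJSON() and the "while(1);" prefix discussed above actually amount to, written out as an added example in plain net/http Go. This is not gin's code and not from any commenter; it assumes gin's default prefix is "while(1);" and that gin only prefixes responses whose top-level value is a JSON array. The endpoint, the sample users and the client helper are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// securePrefix mirrors what this example assumes gin's default SecureJSON
// prefix to be; in real gin code it is configurable on the engine.
const securePrefix = "while(1);"

// renderSecureJSON reproduces the idea behind gin's SecureJSON render step:
// marshal v and, only if the top-level value is a JSON array, prepend the
// prefix. A bare array literal is also a valid JavaScript program, so an old
// browser that loaded the endpoint cross-origin via <script src=...> with the
// victim's cookies attached could evaluate it and, with the Array/setter
// tricks of that era, read the elements out. "while(1);" in front makes the
// script spin before the array is ever evaluated. A top-level object is not
// a runnable script statement, so it is left untouched (as gin does).
func renderSecureJSON(v interface{}) ([]byte, error) {
	b, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	if bytes.HasPrefix(b, []byte("[")) && bytes.HasSuffix(b, []byte("]")) {
		return append([]byte(securePrefix), b...), nil
	}
	return b, nil
}

// parseSecureJSON is the first-party client side: strip the prefix when
// present and decode the rest. A cross-origin page cannot read the body with
// XHR/fetch unless CORS allows it, so only your own frontend needs this step.
func parseSecureJSON(body []byte, out interface{}) error {
	return json.Unmarshal(bytes.TrimPrefix(body, []byte(securePrefix)), out)
}

// usersHandler is a hypothetical endpoint returning a top-level array, the
// response shape that JSON hijacking targets.
func usersHandler(w http.ResponseWriter, r *http.Request) {
	// constructed sample data
	users := []map[string]string{{"name": "alice"}, {"name": "bob"}}
	b, err := renderSecureJSON(users)
	if err != nil {
		http.Error(w, "encode failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/json; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff") // no MIME sniffing into script
	w.WriteHeader(http.StatusOK)
	w.Write(b)
}

// fetchUsers drives the handler in-process and parses the response the way a
// legitimate client would, returning the decoded names.
func fetchUsers() ([]string, error) {
	rec := httptest.NewRecorder()
	usersHandler(rec, httptest.NewRequest(http.MethodGet, "/users", nil))
	var users []map[string]string
	if err := parseSecureJSON(rec.Body.Bytes(), &users); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(users))
	for _, u := range users {
		names = append(names, u["name"])
	}
	return names, nil
}

func main() {
	rec := httptest.NewRecorder()
	usersHandler(rec, httptest.NewRequest(http.MethodGet, "/users", nil))
	fmt.Printf("wire body: %s\n", rec.Body.String())
	names, err := fetchUsers()
	fmt.Println(names, err)
}
```

Two caveats a practitioner would want: the prefix only does anything for responses whose top-level value is an array, so wrapping the array in an object ({"users": [...]}) gives the same protection without any framework help; and current browsers no longer let a cross-origin script read array literals this way, with cross-origin read blocking and default SameSite cookie handling closing the remaining paths, so treat the prefix as cheap defense in depth rather than the control you rely on.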
I think this is the thing with (web) frameworks. Are you really going to remember that? And actually do it? And work around and build those other gnarly things for CSRF, SSRF and XSS? If you only need to serve happy-case HTTP, for sure you're better off without a framework. At least my experience without a framework is that it's a tad annoying when you need the extras. It also requires a much deeper understanding of things, since you don't abstract them away, which is good for learning but might be cumbersome for actually shipping things.
For security/safety sensitive tasks, you should be using checklists, e.g. [1], so you don't need to remember. Pilots use pre-takeoff checklists to reduce the chance of human error. Likewise, you shouldn't assume the framework will give you proper defaults.

[1] https://github.com/0xRadi/OWASP-Web-Checklist

Is broken streaming a thing? A quick search shows some issues with gin's own gzip middleware. I don't know if that's also the case behind a proxy that does gzip, with gin's middleware disabled. Looking at the newest code, I also noticed you can exclude paths from gin's gzip middleware, if a proxy is not an option.