https://www.secdev.uk/blog/tags/error-handling/ Recent content in Error Handling on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 27 Sep 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-09-27-go-security-goroutines-errors/ Sat, 27 Sep 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-09-27-go-security-goroutines-errors/ <p>Go&rsquo;s simplicity is its greatest strength and, I&rsquo;d argue, its most dangerous security property. The language has no exceptions, no generics-based abstractions (until recently), and no implicit behaviour, everything is explicit. But that explicitness creates its own class of vulnerabilities: unchecked errors that silently skip security validation, goroutine races on shared state, HTTP client defaults that follow redirects into internal networks, and string handling patterns that bypass input validation. In this post, I want to walk through the Go-specific anti-patterns that lead to security vulnerabilities, from the error that nobody checked to the goroutine that corrupted the authentication cache. The more I dug into Go&rsquo;s security landscape, the more I realised these bugs are subtle precisely because the language feels so straightforward.</p>