
The `crypto/sha256` package computes SHA-256 digests. Use `sha256.Sum256` for small byte slices; use `sha256.New()` with `io.Copy` for large files or streams.

<ExamplePair>
<ExampleProse>

`sha256.Sum256` hashes a byte slice in one call and returns a `[32]byte` array. `hex.EncodeToString` converts the raw bytes to a lowercase hex string - the common representation for checksums and content hashes.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/sha256"
    "encoding/hex"
    "fmt"
)

func main() {
    data := []byte("hello, world")
    digest := sha256.Sum256(data)

    fmt.Printf("bytes: %x\n", digest)
    fmt.Println("hex:  ", hex.EncodeToString(digest[:]))
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

For large inputs, use `sha256.New()` to get a `hash.Hash` and write data incrementally. This avoids loading the entire content into memory and works with any `io.Reader`.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/sha256"
    "encoding/hex"
    "fmt"
    "strings"
)

func main() {
    h := sha256.New()

    // Write data in chunks (simulated here with a Reader)
    r := strings.NewReader("hello, world - this could be a large file")
    buf := make([]byte, 8)
    for {
        n, err := r.Read(buf)
        if n > 0 {
            h.Write(buf[:n])
        }
        if err != nil {
            break
        }
    }

    fmt.Println(hex.EncodeToString(h.Sum(nil)))
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`h.Sum(nil)` appends the current digest to a nil slice, returning a fresh `[]byte`. You can also call `h.Sum(existing[:0])` to write into a pre-allocated buffer without an allocation.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/sha256"
    "fmt"
    "io"
    "os"
)

func hashFile(path string) ([]byte, error) {
    f, err := os.Open(path)
    if err != nil {
        return nil, err
    }
    defer f.Close()

    h := sha256.New()
    if _, err := io.Copy(h, f); err != nil {
        return nil, err
    }
    return h.Sum(nil), nil
}

func main() {
    digest, err := hashFile("go.sum")
    if err != nil {
        fmt.Println("open go.sum:", err)
        return
    }
    fmt.Printf("%x\n", digest)
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
`sha256.Sum256` hashes a byte slice in one call - convenient for small inputs, but it loads the entire content into memory. For files, use `sha256.New()` + `io.Copy` so the file is streamed through the hasher. Never use SHA-256 for password storage: it is a general-purpose hash, not a key derivation function. Use `bcrypt`, `argon2id`, or `scrypt` for passwords - they are intentionally slow and include salting. SHA-256 is appropriate for content addressing (deduplication, checksums), HMAC signatures, and certificate fingerprints. When comparing digests in security-sensitive code, use `subtle.ConstantTimeCompare` from `crypto/subtle` to prevent timing attacks; a naive `bytes.Equal` or `==` can leak timing information.
</InProduction>


crypto/sha256 for one-shot and streaming SHA-256 hashing, hex encoding the digest, and when not to use SHA256 for passwords.

SHA256 Hashes


The `encoding/base64` package encodes binary data as printable ASCII text. Two encodings are available: `StdEncoding` (uses `+` and `/`) and `URLEncoding` (uses `-` and `_`, safe in URLs).

<ExamplePair>
<ExampleProse>

`base64.StdEncoding.EncodeToString` encodes a byte slice to a base64 string. `DecodeString` reverses it, returning a byte slice and an error if the input is malformed.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "encoding/base64"
    "fmt"
)

func main() {
    data := []byte("user:secret-password")

    encoded := base64.StdEncoding.EncodeToString(data)
    fmt.Println(encoded) // dXNlcjpzZWNyZXQtcGFzc3dvcmQ=

    decoded, err := base64.StdEncoding.DecodeString(encoded)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(decoded)) // user:secret-password
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`base64.URLEncoding` replaces `+` with `-` and `/` with `_`, making the output safe to embed in URLs and filenames. `base64.RawURLEncoding` omits the `=` padding - used in JWT segments and URL-safe tokens.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/rand"
    "encoding/base64"
    "fmt"
)

func main() {
    // Standard encoding - may produce + and / in output
    std := base64.StdEncoding.EncodeToString([]byte{0xfb, 0xef, 0xff})
    fmt.Println("std:", std) // ++//

    // URL-safe encoding - replaces + with - and / with _
    url := base64.URLEncoding.EncodeToString([]byte{0xfb, 0xef, 0xff})
    fmt.Println("url:", url) // --__

    // Generate a URL-safe random token (no padding)
    buf := make([]byte, 24)
    rand.Read(buf)
    token := base64.RawURLEncoding.EncodeToString(buf)
    fmt.Println("token:", token) // 32-char URL-safe token, no = padding
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

For large payloads, wrap an `io.Writer` with `base64.NewEncoder` to stream encoding without buffering the entire output. Call `Close()` to flush any remaining bytes and write the final padding.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "encoding/base64"
    "os"
    "strings"
)

func main() {
    enc := base64.NewEncoder(base64.StdEncoding, os.Stdout)
    defer enc.Close()

    r := strings.NewReader("streaming base64 example output")
    buf := make([]byte, 8)
    for {
        n, err := r.Read(buf)
        if n > 0 {
            enc.Write(buf[:n])
        }
        if err != nil {
            break
        }
    }
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
Use `base64.URLEncoding` (or `base64.RawURLEncoding` without padding) for URL-safe tokens and JWT segments - standard base64 uses `+` and `/` which are special characters in URLs and require percent-encoding. When size matters, note that base64 inflates data by approximately 33% (3 bytes become 4 characters). For generating random tokens (session IDs, CSRF tokens, API keys), fill a byte slice with `crypto/rand.Read`, then `base64.RawURLEncoding.EncodeToString` - 18 random bytes give 24 URL-safe characters with 144 bits of entropy, sufficient for most token use cases. Never roll a custom encoding for tokens; use the stdlib encoders to avoid subtle bugs with alphabet selection and padding.
</InProduction>


encoding/base64 StdEncoding and URLEncoding for encode/decode, RawURLEncoding for padding-free tokens, and streaming encoders.

Base64 Encoding


The `net/url` package parses and builds URLs safely. `url.Parse` decomposes a raw URL string into its components; `url.Values` encodes query parameters without manual escaping.

<ExamplePair>
<ExampleProse>

`url.Parse` returns a `*url.URL` with fields for each component. All fields are strings - no type conversion needed. An error is only returned for malformed input that cannot be parsed at all; many "bad" URLs still parse without error.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "net/url"
)

func main() {
    u, err := url.Parse("https://api.example.com:8080/v1/users?page=2&limit=50#results")
    if err != nil {
        panic(err)
    }

    fmt.Println(u.Scheme)   // https
    fmt.Println(u.Host)     // api.example.com:8080
    fmt.Println(u.Path)     // /v1/users
    fmt.Println(u.RawQuery) // page=2&limit=50
    fmt.Println(u.Fragment) // results
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`url.URL.Query()` parses the raw query string into a `url.Values` map. Use it to read individual parameters. `url.Values.Encode()` serialises back to a query string, sorting keys alphabetically for deterministic output.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "net/url"
)

func main() {
    u, _ := url.Parse("https://search.example.com?q=golang+channels&sort=date&page=1")

    params := u.Query()
    fmt.Println(params.Get("q"))    // golang channels
    fmt.Println(params.Get("sort")) // date

    // Build a new query string safely
    v := url.Values{}
    v.Set("q", "go generics <1.18")
    v.Set("sort", "relevance")
    fmt.Println(v.Encode()) // q=go+generics+%3C1.18&sort=relevance
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`u.Hostname()` strips the port from `Host`, and `u.Port()` extracts just the port. Use these instead of splitting `Host` manually to handle IPv6 addresses correctly.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "net/url"
)

func main() {
    u, _ := url.Parse("https://api.example.com:8080/health")

    fmt.Println(u.Hostname()) // api.example.com
    fmt.Println(u.Port())     // 8080

    // Rebuild the URL with a different path
    u.Path = "/v2/health"
    fmt.Println(u.String()) // https://api.example.com:8080/v2/health
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
Always parse user-supplied URLs with `url.Parse` before use - do not string-concatenate URLs or use `fmt.Sprintf` to build query strings. Use `url.Values.Encode()` to safely encode query parameters; it handles special characters correctly and sorts keys deterministically, making URLs easier to cache and compare. When constructing outbound API URLs in production code, build a `url.URL` struct from components rather than formatting a string: it prevents accidental double-encoding and makes the code easier to read and test. For path segments that may contain slashes or special characters, use `url.PathEscape` rather than `url.QueryEscape` - they escape different character sets.
</InProduction>


net/url.Parse to decompose URLs, url.URL fields for scheme, host, path, and query, url.Values for safe query parameter encoding.