x/website/_content: make security best practices more visible and easier to navigate on Go website #67340

Open
MikeMitchellWebDev opened this issue May 13, 2024 · 2 comments
Labels
Documentation FeatureRequest NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

@MikeMitchellWebDev
Contributor

MikeMitchellWebDev commented May 13, 2024

Go version

1.22

Output of go env in your module/workspace:

n/a

What did you do?

I tried to locate security related information on https://go.dev in preparation for deploying a Go app.

What did you see happen?

My overall experience is that I had to look really hard to ensure that I've found all the security related information for making a Go app, and I have no idea if I was successful or not.

  • Currently, on the go.dev homepage, the only direct link to a security page is under the Why Go menu item in the navigation bar of the header. Security might be an important feature for promoting Go to new developers, but the Why Go section of the website was not an intuitive place for me (as an existing developer) to look for security related information. Even if it’s only a reminder about the importance of security, it would be helpful if the security section of the website was more visible.

  • The FAQ section of the website (linked to on the Go User Manual webpage) doesn’t have a “Security” section.

  • Not only is there no link to anything security related from the “Docs” menu on the header navigation bar, the Go User Manual page (which is linked to under the Docs menu) doesn’t have links to either Security - The Go Programming Language or Security Best Practices for Go Developers - The Go Programming Language. Currently, the only link I can find to the latter is on the former. I assume the Go User Manual should have those links because it is subtitled “a complete introduction to building software with Go.”

  • In the Accessing Databases section of the Go User Manual, there is one article about SQL injection (“Avoiding SQL injection risk - The Go Programming Language”), but this link about SQL injection isn’t on either of the Security pages linked to in the bullet-point above.

  • Visibility is worse for mobile than desktop. On Desktop, if I happen to hover over the Why Go menu, the menu opens and I can see the menu items (where security is listed). On mobile, if I hover over Why Go, it only opens if I click it, which, as an existing Go user, I have little inclination to do.

  • Although “Security” is listed under the “Why Go” menu in the header nav bar, it is not listed under the Why Go section in the footer. There are no security links in the footer.

What did you expect to see?

Everything security related on one page. That one page linked to from obvious places (FAQ, Go User Manual etc). Consistency between header and footer navigation (i.e. security is listed under Why Go in the header but not in the footer navigation).

dmitshur added the NeedsInvestigation and FeatureRequest labels on May 13, 2024
dmitshur added this to the Unreleased milestone on May 13, 2024
dmitshur changed the title from "Documentation: please make security information more visible on website" to "x/website/_content: make security best practices more visible and easier to navigate on Go website" on May 13, 2024
@dmitshur
Contributor

CC @golang/security.

@bjorndm

bjorndm commented May 14, 2024

While this is a great idea, it will be an extremely long page since there is much ground to cover if one wants to talk about all aspects of security when using Go. It will probably need several sub pages as well.
