I’m bookmarking this and I will be using it as a guide when I do the go1.8 upgrade. Overall I haven’t found problems running some very big sites with Go exposed on the internet. I won’t claim that the go stdlib alone can get you cloudflare-level protection, but I know of multiple alexa top100 usa sites that run go on the public internet. They receive a fair amount of malicious traffic and go generally handles it pretty well. Things that help go:
I did use this today to test out some cert chains from a different provider with poor documentation. I really like the fact that it wouldn’t even run if the certs were poorly chained.