go
47 lines · 7 steps
Streaming file downloads safely in Go
An HTTP handler that streams a file to the client in fixed-size chunks while guarding against path traversal and partial transfers.
Explained by
highlit
1package storage
2
3import (
4 "bufio"
5 "fmt"
6 "io"
7 "net/http"
8 "os"
9 "path/filepath"
10)
11
12func StreamDownload(w http.ResponseWriter, r *http.Request, root string) {
13 name := filepath.Base(r.URL.Query().Get("file"))
14 path := filepath.Join(root, name)
15
16 f, err := os.Open(path)
17 if err != nil {
18 http.Error(w, "file not found", http.StatusNotFound)
19 return
20 }
21 defer f.Close()
22
23 info, err := f.Stat()
24 if err != nil || info.IsDir() {
25 http.Error(w, "invalid file", http.StatusBadRequest)
26 return
27 }
28
29 w.Header().Set("Content-Type", "application/octet-stream")
30 w.Header().Set("Content-Length", fmt.Sprintf("%d", info.Size()))
31 w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
32
33 reader := bufio.NewReaderSize(f, 64*1024)
34 buf := make([]byte, 64*1024)
35
36 n, err := io.CopyBuffer(w, reader, buf)
37 if err != nil {
38 if flusher, ok := w.(http.Flusher); ok {
39 flusher.Flush()
40 }
41 return
42 }
43
44 if n != info.Size() {
45 http.Error(w, "truncated transfer", http.StatusInternalServerError)
46 }
47}
01 / 01
STEP 01
‹ swipe to step through ›
Walkthrough
Space play
←→ step
click any line
Three takeaways
- 1Running a user-supplied filename through filepath.Base strips directory components and blocks path-traversal attacks.
- 2io.CopyBuffer with a reused buffer streams large files in fixed chunks without loading them into memory.
- 3Comparing bytes copied against the stat size lets you detect and report a truncated transfer instead of silently corrupting downloads.
Related explainers
go
package main import ( "errors"
Parsing and validating CLI flags in Go
cli-parsing
validation
error-handling
Intermediate
8 steps
python
import csv import io from datetime import datetime
Streaming a CSV export in Flask
streaming
generators
csv
Intermediate
9 steps
go
package cache import ( "container/list"
Building a generic LRU cache in Go
lru-cache
generics
linked-list
Intermediate
8 steps
go
package model import ( "encoding/json"
Custom JSON marshaling in Go
json
serialization
interfaces
Intermediate
5 steps
python
import csv import io from datetime import date
Streaming a CSV export in FastAPI
streaming
async-generators
csv
Advanced
8 steps
go
func (h *TransactionHandler) ExportCSV(c *gin.Context) { ctx := c.Request.Context() filters := parseTransactionFilters(c)
Streaming a CSV export in Gin
streaming
csv-export
database-cursor
Intermediate
8 steps
Share this explainer
Here's the card — post it anywhere.
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code
Embed this explainer
Drop the interactive walkthrough into a blog or docs. Views never cost a credit.
<iframe src="https://highlit.co/explainers/streaming-file-downloads-safely-in-go-explained-go-aea9/embed?autoplay=1" width="100%" height="520" loading="lazy" style="border:0"></iframe>
Autoplay is on by default — add ?autoplay=0 to start paused.