justinas / nosurf

CSRF protection middleware for Go.

Home Page: http://godoc.org/github.com/justinas/nosurf

Allow context to use something other than an in-memory map

jkodumal opened this issue

I may be missing something, but it appears (in context.go) that the csrf context is designed to use an in-memory map, with no other options to use something like memcache or redis.

I think this would prevent nosurf from being used in an environment where multiple apps are run behind a load balancer, unless something like sticky sessions is employed.

It would be nice if the in-memory map was abstracted out to an interface, so that anyone could plug in alternative stores. Gorilla sessions does this, and it seems to work pretty well.

Actually, I understand what's going on now-- didn't really grok the way masking worked at first.
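
The masking mentioned in the last comment is why no shared store is needed; this added example (not part of the thread and not nosurf's own code) sketches the general technique as a one-time-pad XOR over a token kept in a cookie. The function names, the 32-byte length and the base64 encoding are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

const tokenLen = 32 // assumed length of the real token, in bytes

// newToken returns fresh random bytes; the real token lives in the client's cookie.
func newToken() []byte {
	b := make([]byte, tokenLen)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// mask returns base64(pad || pad XOR real); a new pad per response changes the form value.
func mask(real []byte) string {
	pad := newToken()
	out := make([]byte, 2*tokenLen)
	copy(out, pad)
	for i := 0; i < tokenLen && i < len(real); i++ {
		out[tokenLen+i] = pad[i] ^ real[i]
	}
	return base64.StdEncoding.EncodeToString(out)
}

// verify unmasks the submitted value and compares it to the cookie in constant time.
func verify(cookie []byte, sent string) bool {
	raw, err := base64.StdEncoding.DecodeString(sent)
	if err != nil || len(raw) != 2*tokenLen || len(cookie) != tokenLen {
		return false
	}
	unmasked := make([]byte, tokenLen)
	for i := range unmasked {
		unmasked[i] = raw[i] ^ raw[tokenLen+i]
	}
	return subtle.ConstantTimeCompare(cookie, unmasked) == 1
}

func main() {
	cookie := newToken()               // constructed sample value
	a, b := mask(cookie), mask(cookie) // issued by one instance
	// Checked by any other instance: only the cookie and the form value are needed.
	fmt.Println(a != b, verify(cookie, a), verify(newToken(), b))
}
```

Both inputs to `verify` arrive with the request, so any instance behind the load balancer can check a token that another instance issued.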