sausheong / gwp

Go Web Programming code repository

Auth example in ChitChat

rambocoder opened this issue · comments

Do you think it would be more educational to use http://stackoverflow.com/a/23259804 as an example of generating a hashed password and then comparing the password provided by the ChitChat user to the previously hashed password here https://github.com/sausheong/gwp/blob/master/Chapter_2_Go_ChitChat/chitchat/route_auth.go#L48

Another suggestion: could you add CSRF protection to the ChitChat example, or at least address it in the book somewhere (preferably a session-based one: the CSRF token from the form's POST value or the HTTP request's CSRF header value has to match the CSRF token in the session store)?

This way basic security protection is covered.
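A sketch of the session-based CSRF check the issue asks for, as an added example that is not code from the issue, the book or the gwp repository. The in-memory `sessions` map, the `session` cookie name, the `csrf_token` form field, the `X-CSRF-Token` header and the request path are assumptions made for illustration; only the standard library is used.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessions is a constructed stand-in for the session store: session id -> CSRF token.
var sessions = map[string]string{}

// issueToken stores a fresh random token for the session; the form embeds it.
func issueToken(sessionID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to issue a guessable token
	}
	sessions[sessionID] = fmt.Sprintf("%x", b)
	return sessions[sessionID]
}

// validCSRF checks the header value, else the POST form value, against the session's token.
func validCSRF(r *http.Request) bool {
	c, err := r.Cookie("session") // cookie name is an assumption
	if err != nil {
		return false
	}
	want, ok := sessions[c.Value]
	got := r.Header.Get("X-CSRF-Token")
	if got == "" {
		got = r.PostFormValue("csrf_token")
	}
	return ok && got != "" && subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// post sends a constructed form POST for the session and returns the verdict.
func post(sessionID, formToken string) bool {
	body := strings.NewReader("csrf_token=" + formToken) // hex token needs no escaping
	r := httptest.NewRequest(http.MethodPost, "/thread/create", body)
	r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	r.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	return validCSRF(r)
}

func main() {
	fmt.Println(post("s1", issueToken("s1")), post("s1", "forged")) // true false
}
```

The `ok && got != ""` guard matters: without it, a request with no token and an unknown session id would compare two empty strings and pass.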