Go Profiling in Production with pprof

Capturing safely

• Expose /debug/pprof behind auth/VPN; or run curl -sK -H "Authorization: Bearer ...".
• CPU profile: go tool pprof http://host/debug/pprof/profile?seconds=30.
• Heap profile: .../heap; Goroutines: .../goroutine?debug=2.
• For containers: kubectl port-forward then grab profiles; avoid prod CPU throttle when profiling.

Reading CPU profiles

• Look at flat vs. cumulative time; identify hot functions.
• Flamegraph: go tool pprof -http=:8081 cpu.pprof.
• Check GC activity and syscalls; watch for mutex contention.

Reading heap profiles

• Compare live allocations vs. in-use objects; watch large []byte and map growth.
• Look for leaks via rising heap over time; diff profiles between runs.

Goroutine dumps

• Spot leaked goroutines (blocked on channel/lock/I/O).
• Common culprits: missing cancel, unbounded worker creation, stuck time.After.

Best practices

• Add pprof only when needed in prod; default on in staging.
• Sample under load close to real traffic.
• Keep artifacts: store profiles with build SHA + timestamp; compare after releases.
• Combine with metrics (alloc rate, GC pauses, goroutines) to validate fixes.