
Consider using Tink instead of x/net/xsrftoken

Open xtofian opened this issue 4 years ago • 0 comments

https://godoc.org/golang.org/x/net/xsrftoken is problematic from a secure-design perspective:

  • It takes a raw key as a String parameter, which tends to lead to application code with poor key management practices (hard-coded keys in source code, or keys in config files).

  • There is no support for multiple keys to be in use at the same time, which makes key rotation difficult to implement; in practice it won't get done.

It might make sense to implement your own xsrftoken package, based on Tink MACs.

xtofian avatar Sep 16 '20 17:09 xtofian
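To make the two design points concrete, here is an added example (not go-safeweb code and not the Tink library) of an xsrftoken-style API built around a keyset rather than a single raw key. It mirrors Tink's keyset model: each key has an id, one key is primary and mints tokens, and every key still in the set is accepted during verification, so a rotation never invalidates tokens in flight. HMAC-SHA256 from the standard library stands in for the Tink MAC primitive, and the `Keyset`, `TokenTTL`, `Generate`, `Valid`, `Rotate` and `Retire` names are this example's own; a real deployment would load the keyset from a KMS instead of building it from bytes in code.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Keyset mirrors Tink's keyset model: several keys identified by id, one of
// which (Primary) mints new tokens while every key in Keys is accepted for
// verification. HMAC-SHA256 stands in for the Tink MAC primitive here.
// (Added example, not go-safeweb code; keys would normally come from a KMS.)
type Keyset struct {
	Primary uint32
	Keys    map[uint32][]byte
}

// TokenTTL bounds how long a minted token stays valid.
const TokenTTL = 24 * time.Hour

// mac binds user, action and issue time; fields are length-prefixed so the
// concatenation boundaries are unambiguous.
func mac(key []byte, userID, actionID string, issued int64) []byte {
	h := hmac.New(sha256.New, key)
	for _, f := range []string{userID, actionID, strconv.FormatInt(issued, 10)} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

// Generate mints "keyID:unixTime:base64url(mac)" with the primary key.
func (ks *Keyset) Generate(userID, actionID string, now time.Time) (string, error) {
	key, ok := ks.Keys[ks.Primary]
	if !ok {
		return "", errors.New("xsrf: primary key id is not in the keyset")
	}
	issued := now.Unix()
	sig := base64.RawURLEncoding.EncodeToString(mac(key, userID, actionID, issued))
	return fmt.Sprintf("%d:%d:%s", ks.Primary, issued, sig), nil
}

// Valid reports whether token was minted for userID/actionID by a key that is
// still in the keyset and is no older than TokenTTL.
func (ks *Keyset) Valid(token, userID, actionID string, now time.Time) bool {
	parts := strings.SplitN(token, ":", 3)
	if len(parts) != 3 {
		return false
	}
	kid, err := strconv.ParseUint(parts[0], 10, 32)
	if err != nil {
		return false
	}
	key, ok := ks.Keys[uint32(kid)]
	if !ok {
		return false // key retired: tokens it signed are no longer trusted
	}
	issued, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil {
		return false
	}
	age := now.Sub(time.Unix(issued, 0))
	if age < 0 || age > TokenTTL {
		return false // from the future, or expired
	}
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	return hmac.Equal(got, mac(key, userID, actionID, issued)) // constant time
}

// Rotate adds a fresh key and makes it primary; older keys keep verifying.
func (ks *Keyset) Rotate(id uint32, key []byte) {
	ks.Keys[id] = key
	ks.Primary = id
}

// Retire drops a key once every token it could have signed has expired.
func (ks *Keyset) Retire(id uint32) {
	delete(ks.Keys, id)
}

func newKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	ks := &Keyset{Primary: 1, Keys: map[uint32][]byte{1: newKey()}}
	now := time.Now()
	tok, _ := ks.Generate("alice", "/transfer", now)
	ks.Rotate(2, newKey())
	fmt.Println("old token after rotation:", ks.Valid(tok, "alice", "/transfer", now))
	ks.Retire(1)
	fmt.Println("old token after retirement:", ks.Valid(tok, "alice", "/transfer", now))
}
```

The rotation schedule falls out of the design: add a new key with `Rotate`, wait at least `TokenTTL`, then `Retire` the old id. Because the key id travels in the token, verification never has to try every key, and a token signed by a retired key fails closed instead of being re-accepted.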