`CacheInvalidator` defines custom invalidation rules. Return `true` to bypass the cache. In the example above, setting the `invalidateCache` query parameter to `true` invalidates the entry.
+
Cache keys are masked in logs and error messages by default. Set `DisableValueRedaction` to `true` if you explicitly need the raw key for debugging.
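Review bot: terminology is inconsistent within this change: the new paragraph says cache keys are "masked" while the new table row and the whats_new entry say "redacted"; use one term throughout. The paragraph also lands directly after the `CacheInvalidator` example explanation with no transition; it reads better next to the Config table where `DisableValueRedaction` is documented, or as its own short subsection.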
| CacheHeader |`string`| CacheHeader is the header on the response header that indicates the cache status, with the possible return values "hit," "miss," or "unreachable." |`X-Cache`|
| DisableCacheControl |`bool`| DisableCacheControl omits the `Cache-Control` header when set to `true`. |`false`|
| CacheInvalidator |`func(fiber.Ctx) bool`| CacheInvalidator defines a function that is executed before checking the cache entry. It can be used to invalidate the existing cache manually by returning true. |`nil`|
+
| DisableValueRedaction |`bool`| Turns off cache key redaction in logs and error messages when set to `true`. |`false`|
| KeyGenerator |`func(fiber.Ctx) string`| KeyGenerator allows you to generate custom keys. The HTTP method is appended automatically. |`func(c fiber.Ctx) string { return utils.CopyString(c.Path()) }`|
| ExpirationGenerator |`func(fiber.Ctx, *cache.Config) time.Duration`| ExpirationGenerator allows you to generate custom expiration keys based on the request. |`nil`|
| Storage |`fiber.Storage`| Storage is used to store the state of the middleware. | In-memory store |
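Review bot: the new row's description does not follow the convention of the neighbouring rows, which open with the field name ("DisableCacheControl omits ...", "CacheInvalidator defines ..."); suggest "DisableValueRedaction turns off cache key redaction in logs and error messages when set to `true`." so the table reads uniformly.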
docs/core/middleware/cors.md: 3 additions & 1 deletion
@@ -10,7 +10,7 @@ It adds CORS headers to responses, listing allowed origins, methods, and headers
Use the `AllowOrigins` option to define which origins may send cross-origin requests. It accepts single origins, lists, subdomain patterns, wildcards, and supports dynamic validation with `AllowOriginsFunc`.
-
The middleware normalizes `AllowOrigins`, verifies HTTP/HTTPS schemes, and strips trailing slashes. Invalid origins cause a panic.
+
The middleware normalizes `AllowOrigins`, verifies HTTP/HTTPS schemes, and strips trailing slashes. Invalid origins cause a panic. Panic messages and logs redact misconfigured origins by default; set `DisableValueRedaction` to `true` if you need the raw value for troubleshooting.
Avoid [common pitfalls](#common-pitfalls) such as using wildcard origins with credentials, overly permissive origin lists, or skipping validation with `AllowOriginsFunc`, as misconfiguration can create security risks.
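Review bot: now that panic messages redact misconfigured origins, verify that any panic output quoted elsewhere in this file still matches what the middleware actually prints (the next hunk's context shows one such example: `panic: [CORS] Configuration error: When 'AllowCredentials' is set to true, 'Allo...`); if an example includes the offending origin value, it needs updating to the redacted form. Also consider giving the redaction sentence its own paragraph rather than appending it to the one about normalization, scheme checks and trailing slashes, which now covers two unrelated behaviours.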
@@ -118,6 +118,7 @@ panic: [CORS] Configuration error: When 'AllowCredentials' is set to true, 'Allo
| AllowOrigins |`[]string`| AllowOrigins defines a list of origins that may access the resource. This supports subdomain matching, so you can use a value like "https://*.example.com" to allow any subdomain of example.com to submit requests. If the special wildcard `"*"` is present in the list, all origins will be allowed. |`["*"]`|
| AllowOriginsFunc |`func(origin string) bool`|`AllowOriginsFunc` is a function that dynamically determines whether to allow a request based on its origin. If this function returns `true`, the 'Access-Control-Allow-Origin' response header will be set to the request's 'origin' header. This function is only used if the request's origin doesn't match any origin in `AllowOrigins`. |`nil`|
| AllowPrivateNetwork |`bool`| Indicates whether the `Access-Control-Allow-Private-Network` response header should be set to `true`, allowing requests from private networks. This aligns with modern security practices for web applications interacting with private networks. |`false`|
+
| DisableValueRedaction |`bool`| Disables redaction of misconfigured origins and settings in panics and logs. |`false`|
| ExposeHeaders |`[]string`| ExposeHeaders defines an allowlist of headers that clients are allowed to access. |`[]`|
| MaxAge |`int`| MaxAge indicates how long (in seconds) the results of a preflight request can be cached. If you pass MaxAge 0, the Access-Control-Max-Age header will not be added and the browser will use 5 seconds by default. To disable caching completely, pass MaxAge value negative. It will set the Access-Control-Max-Age header to 0. |`0`|
| Next |`func(fiber.Ctx) bool`| Next defines a function to skip this middleware when it returns true. |`nil`|
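Review bot: "misconfigured origins and settings" is vague for a reference table; say which values are redacted (the prose above names only origins) so a reader knows what to expect in a panic message before flipping the flag. As with the cache table, open the description with the field name to match the surrounding rows.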
Idempotency keys are hidden in logs and error messages by default. Set `DisableValueRedaction` to `true` only when you need to expose them for debugging.
| Next |`func(fiber.Ctx) bool`| Function to skip this middleware when it returns `true`; use `IsMethodSafe` or `IsMethodIdempotent`. |`func(c fiber.Ctx) bool { return fiber.IsMethodSafe(c.Method()) }`|
| Lifetime |`time.Duration`| Maximum lifetime of an idempotency key. |`30 * time.Minute`|
| KeyHeader |`string`| Header name containing the idempotency key. |`"X-Idempotency-Key"`|
| KeyHeaderValidate |`func(string) error`| Function to validate idempotency header syntax (e.g., UUID). | UUID length check (`36` characters) |
| KeepResponseHeaders |`[]string`| List of headers to preserve from original response. |`nil` (keep all headers) |
+
| DisableValueRedaction |`bool`| Disables idempotency key redaction in logs and error messages. |`false`|
| Lock |`Locker`| Locks an idempotency key to prevent race conditions. | In-memory locker |
| Storage |`fiber.Storage`| Stores response data by idempotency key. | In-memory storage |
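Review bot: the new row sits between `KeepResponseHeaders` and `Lock`, splitting the storage-related rows (`Lock`, `Storage`) from nothing in particular; since the two hunks above place `DisableValueRedaction` alphabetically (after `CacheInvalidator`, after `AllowPrivateNetwork`), do the same here or place it at the end of the table, and use the same wording as the introductory paragraph ("hidden" vs "redaction") so the two descriptions agree.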
@@ -103,5 +106,6 @@ var ConfigDefault = Config{
Lock: nil, // Set in configDefault so we don't allocate data here.
Storage: nil, // Set in configDefault so we don't allocate data here.
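Review bot: this hunk grows the `ConfigDefault` literal from 5 to 6 lines but the added line is not visible in the rendered diff; whatever field it introduces should carry a trailing comment in the same style as `Lock: nil, // ...` and `Storage: nil, // ...` so the literal stays consistent, and its value must agree with the `false` default given in the table above.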
docs/core/middleware/limiter.md: 4 additions & 0 deletions
@@ -6,6 +6,8 @@ id: limiter
The Limiter middleware for [Fiber](https://github.com/gofiber/fiber) throttles repeated requests to public APIs or endpoints such as password resets. It's also useful for API clients, web crawlers, or other tasks that need rate limiting.
+
Limiter redacts request keys in error paths by default so storage identifiers and rate-limit keys don't leak into logs. Set `DisableValueRedaction` to `true` when you explicitly need the raw key for troubleshooting.
+
:::note
This middleware uses our [Storage](https://github.com/gofiber/storage) package to support various databases through a single interface. The default configuration for this middleware saves data to memory, see the examples below for other databases.
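Review bot: the visible part of this hunk only adds the prose paragraph; unlike the cache, CORS and idempotency files in this change, no `DisableValueRedaction` row (type `bool`, default `false`) is shown being added to the limiter Config table, so confirm that row exists or add it. The paragraph also uses three names for the same value ("request keys", "storage identifiers", "rate-limit keys"); settle on one.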
docs/core/whats_new.md: 17 additions & 0 deletions
@@ -1161,6 +1161,8 @@ We are excited to introduce a new option in our caching middleware: Cache Invali
Additionally, the caching middleware has been optimized to avoid caching non-cacheable status codes, as defined by the [HTTP standards](https://datatracker.ietf.org/doc/html/rfc7231#section-6.1). This improvement enhances cache accuracy and reduces unnecessary cache storage usage.
Cached responses now include an RFC-compliant Age header, providing a standardized indication of how long a response has been stored in cache since it was originally generated. This enhancement improves HTTP compliance and facilitates better client-side caching strategies.
+
Cache keys are now redacted in logs and error messages by default, and a `DisableValueRedaction` boolean (default `false`) lets you opt out when you need the raw value for troubleshooting.
+
:::note
The deprecated `Store` and `Key` options have been removed in v3. Use `Storage` and `KeyGenerator` instead.
:::
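Review bot: this is the first of six near-identical sentences the change adds to whats_new.md (cache, CORS, CSRF, idempotency, limiter, plus the two migration bullets), each restating "redacted by default, `DisableValueRedaction` boolean, default `false`"; a single cross-cutting entry describing value redaction once, listing the affected middlewares and linking to each config table, would be easier to maintain than repeating the same sentence per section.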
@@ -1182,6 +1184,8 @@ We've updated several fields from a single string (containing comma-separated va
-`Config.AllowHeaders`: Now accepts a slice of strings, each representing an allowed header.
-`Config.ExposeHeaders`: Now accepts a slice of strings, each representing an exposed header.
+
Additionally, panic messages and logs redact misconfigured origins by default, and a `DisableValueRedaction` flag (default `false`) lets you reveal them when necessary.
+
### Compression
- Added support for `zstd` compression alongside `gzip`, `deflate`, and `brotli`.
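Review bot: "Additionally, ..." directly after the bullet list about `Config.AllowHeaders` and `Config.ExposeHeaders` becoming slices reads as a continuation of that field-type change, which it is not; start the sentence as a standalone statement ("Panic messages and logs now redact misconfigured origins by default ...") or give it its own short lead-in.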
@@ -1194,6 +1198,12 @@ We've updated several fields from a single string (containing comma-separated va
The `Expiration` field in the CSRF middleware configuration has been renamed to `IdleTimeout` to better describe its functionality. Additionally, the default value has been reduced from 1 hour to 30 minutes.
1196
1200
1201
+
CSRF now redacts tokens and storage keys by default and exposes a `DisableValueRedaction` toggle (default `false`) if you must surface those values in diagnostics.
+
+
### Idempotency
+
+
Idempotency middleware now redacts keys by default and offers a `DisableValueRedaction` configuration flag (default `false`) to expose them when debugging.
+
### EncryptCookie
Added support for specifying key length when using `encryptcookie.GenerateKey(length)`. Keys must be base64-encoded and may be 16, 24, or 32 bytes when decoded, supporting AES-128, AES-192, and AES-256 (default).
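Review bot: the new `### Idempotency` section is inserted between CSRF and EncryptCookie, but the surrounding sections (Compression, CSRF, EncryptCookie) are in alphabetical order, so Idempotency belongs after EncryptCookie. The section also consists of a single sentence; if no other idempotency changes are listed here, consider folding it into the cross-cutting redaction entry rather than adding a heading for one line.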
@@ -1384,6 +1394,8 @@ See more in [Logger](./middleware/logger.md#predefined-formats)
The limiter middleware uses a new Fixed Window Rate Limiter implementation.
+
Limiter now redacts request keys in error paths by default. A new `DisableValueRedaction` boolean (default `false`) lets you reveal the raw limiter key if diagnostics require it.
+
:::note
Deprecated fields `Duration`, `Store`, and `Key` have been removed in v3. Use `Expiration`, `Storage`, and `KeyGenerator` instead.
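Review bot: the paragraph calls the value "request keys" in the first sentence and "the raw limiter key" in the second; use one term, and make it the same one chosen for the limiter.md paragraph earlier in this change, so the release note and the middleware page describe the same thing with the same words.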
- **Session KeyRemoval**: The`SessionKey` field has been removed from the CSRF middleware configuration. The session key is now an unexported constant within the middleware to avoid potential key collisions in the session store.
- **KeyLookup FieldRemoval**: The`KeyLookup` field has been removed from the CSRF middleware configuration. This field was deprecated and is no longer needed as the middleware now uses a more secure approach for token management.
+
- **DisableValueRedaction Toggle**: CSRF redacts tokens and storage keys by default; set `DisableValueRedaction` to `true` when diagnostics require the raw values.
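Review bot: while editing this list, fix the spacing errors in the neighbouring bullets that this hunk shows as context: "Session KeyRemoval" and "KeyLookup FieldRemoval" should read "SessionKey Removal" and "KeyLookup Field Removal", and "The`SessionKey`" / "The`KeyLookup`" are missing the space before the inline code. The new bullet's title style ("DisableValueRedaction Toggle") is otherwise consistent with the list.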
**Security Note**: The removal of `FromCookie` prevents a common misconfiguration that would completely bypass CSRF protection. The middleware uses the DoubleSubmitCookie pattern, which requires the token to be submitted through a different channel than the cookie to provide meaningful protection.
+
#### Idempotency
+
+
- **DisableValueRedaction Toggle**: The idempotency middleware now hides keys in logs and error paths by default, with a `DisableValueRedaction`boolean (default`false`) to reveal them when needed.
+
#### Timeout
The timeout middleware now accepts a configuration struct instead of a duration.
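Review bot: the new bullet is missing spaces around its inline code: "`DisableValueRedaction`boolean (default`false`)" should read "`DisableValueRedaction` boolean (default `false`)". As rendered, Markdown will run the code span and the following word together.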