Bug Description
Both session and CSRF cookies default to Secure=false and HTTPOnly=false. This means:
- Session cookies can be intercepted over plain HTTP (no Secure)
- Session cookies are accessible to JavaScript, enabling XSS exfiltration (no HttpOnly)
- CSRF cookies are sent over plain HTTP
How to Reproduce
Steps to reproduce the behavior:
- Create a Fiber app with session middleware using default config
- The session cookie is set without Secure or HttpOnly flags
- An attacker on the same network can intercept the cookie over HTTP
- An attacker exploiting XSS can read the cookie via document.cookie
Affected Code
middleware/session/config.go:73-81:
// CookieSecure specifies if the session cookie should be secure.
// Optional. Default: false
CookieSecure bool
// CookieHTTPOnly specifies if the session cookie should be HTTP-only.
// Optional. Default: false
CookieHTTPOnly bool
middleware/csrf/config.go:104-112:
// CookieSecure indicates if CSRF cookie is secure.
// Optional. Default: false
CookieSecure bool
// CookieHTTPOnly indicates if CSRF cookie is HTTP only.
// Optional. Default: false
CookieHTTPOnly bool
Expected Behavior
Default CookieSecure and CookieHTTPOnly to true. Users developing locally can explicitly set them to false. Secure-by-default is the correct pattern for a production framework.
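Added example (not code from this issue or from the Fiber code base): a standard-library Go check that audits the Set-Cookie headers a handler emits and lists the attributes each cookie lacks, which is how a reviewer can confirm the default-off behaviour described above and verify a fix. The cookie names and values are constructed, and setCookies stands in for the session/CSRF middleware rather than calling Fiber.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CookieFlagFindings maps a cookie name to the security attributes it lacks.
type CookieFlagFindings map[string][]string

// auditSetCookie parses every Set-Cookie header in h and records, per cookie,
// whether the Secure and HttpOnly attributes are absent.
func auditSetCookie(h http.Header) CookieFlagFindings {
	findings := CookieFlagFindings{}
	// http.Response.Cookies() applies the standard Set-Cookie parser.
	resp := &http.Response{Header: h}
	for _, c := range resp.Cookies() {
		var missing []string
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		if len(missing) > 0 {
			findings[c.Name] = missing
		}
	}
	return findings
}

// setCookies writes a session-style and a CSRF-style cookie with the given
// flags. Names and values are constructed placeholders, not Fiber's defaults.
func setCookies(w http.ResponseWriter, secure, httpOnly bool) {
	for _, name := range []string{"session_id", "csrf_"} {
		http.SetCookie(w, &http.Cookie{Name: name, Value: "constructed-value",
			Path: "/", Secure: secure, HttpOnly: httpOnly})
	}
}

// findingsFor runs setCookies against a recorder and audits the result.
func findingsFor(secure, httpOnly bool) CookieFlagFindings {
	rec := httptest.NewRecorder()
	setCookies(rec, secure, httpOnly)
	return auditSetCookie(rec.Result().Header)
}

func main() {
	fmt.Println("defaults (false,false):", findingsFor(false, false))
	fmt.Println("hardened (true,true):  ", findingsFor(true, true))
}
```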
Fiber Version
v3 (latest main branch)