
validateExtractorSecurity() — fiber Function Reference

Architecture documentation for the validateExtractorSecurity() function in config.go from the fiber codebase.

Dependency Diagram

graph TD
  26373eb7_4116_a5b7_61ab_e893dc010693["validateExtractorSecurity()"]
  077ca922_400b_9f3f_bb69_e8f547a31678["config.go"]
  26373eb7_4116_a5b7_61ab_e893dc010693 -->|defined in| 077ca922_400b_9f3f_bb69_e8f547a31678
  130f8efd_34aa_2887_b914_a65a96f9bb11["configDefault()"]
  130f8efd_34aa_2887_b914_a65a96f9bb11 -->|calls| 26373eb7_4116_a5b7_61ab_e893dc010693
  c241f428_bbad_e71e_e828_68979a9dedf1["isInsecureCookieExtractor()"]
  26373eb7_4116_a5b7_61ab_e893dc010693 -->|calls| c241f428_bbad_e71e_e828_68979a9dedf1
  style 26373eb7_4116_a5b7_61ab_e893dc010693 fill:#6366f1,stroke:#818cf8,color:#fff

Source Code

middleware/csrf/config.go lines 183–205

func validateExtractorSecurity(cfg *Config) {
	if cfg == nil {
		return
	}
	// Check primary extractor
	if isInsecureCookieExtractor(cfg.Extractor, cfg.CookieName) {
		panic("CSRF: Extractor reads from the same cookie '" + cfg.CookieName +
			"' used for token storage. This completely defeats CSRF protection.")
	}

	// Check chained extractors
	for i, extractor := range cfg.Extractor.Chain {
		if isInsecureCookieExtractor(extractor, cfg.CookieName) {
			panic(fmt.Sprintf("CSRF: Chained extractor #%d reads from the same cookie '%s' "+
				"used for token storage. This completely defeats CSRF protection.", i+1, cfg.CookieName))
		}
	}

	// Additional security warnings (non-fatal)
	if cfg.Extractor.Source == extractors.SourceQuery || cfg.Extractor.Source == extractors.SourceParam {
		log.Warnf("[CSRF WARNING] Using %v extractor - URLs may be logged", cfg.Extractor.Source)
	}
}

Frequently Asked Questions

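What does validateExtractorSecurity() do?
validateExtractorSecurity() is a function in the fiber codebase, defined in middleware/csrf/config.go. It panics if the primary extractor or any chained extractor reads the token from the same cookie used for token storage (cfg.CookieName), and it logs a non-fatal warning when the extractor source is SourceQuery or SourceParam, because URLs may be logged.

Where is validateExtractorSecurity() defined?
validateExtractorSecurity() is defined in middleware/csrf/config.go at line 183.

What does validateExtractorSecurity() call?
validateExtractorSecurity() calls one function: isInsecureCookieExtractor().

What calls validateExtractorSecurity()?
validateExtractorSecurity() is called by one function: configDefault().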
