CORS Wildcard in Fiber with HMAC Signatures
CORS Wildcard in Fiber with HMAC Signatures — how this specific combination creates or exposes the vulnerability
In the Fiber web framework, configuring CORS with a wildcard origin (*) while also using HMAC signatures for request authentication can unintentionally weaken origin validation. When * is set as the allowed origin, the server indicates that any domain may access the resource, which conflicts with the expectation that only clients presenting a valid HMAC signature should be authorized. The presence of HMAC signatures typically means the server validates a shared secret and message integrity, but if CORS permits any origin, a malicious site can embed requests that include the necessary headers and cookies (depending on credentials settings), potentially leveraging the browser's automatic inclusion of credentials to perform cross-origin requests on behalf of authenticated users.
This combination exposes a CORS-based bypass risk: the server may correctly verify the HMAC signature for requests that include the required headers, but because the wildcard allows any origin, attacker-controlled pages can initiate requests from a victim's browser. If the application relies on cookies or other browser-managed credentials for authentication in addition to HMAC, the browser will attach those credentials for the target domain, and the server may process the request as valid. This pattern does not break HMAC itself, but it undermines the isolation guarantees that CORS is meant to provide, enabling cross-origin requests that the server treats as legitimate because of the valid signature and credentials.
For example, a vulnerable setup in Fiber v2 might include app.Use(cors.New(cors.Config{AllowOrigins: "*"})) alongside middleware that validates an X-API-Signature header derived from a shared secret. An attacker's page on another domain can craft requests with the correct signature if the secret is leaked or predictable, and if credentials are allowed, the browser adds session cookies automatically. The server sees a valid HMAC signature and an authorized origin, but the effective origin is untrusted, leading to unauthorized actions on behalf of the user.
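To make the origin check described above concrete, here is an added example in plain Go (not code from this page and not Fiber's cors middleware) of an exact-match origin allow-list with a validator that refuses the wildcard-plus-credentials combination. The OriginPolicy type, its methods and the sample origins are assumptions of this example. It goes slightly beyond the text by also rejecting a common allow-list mistake, suffix matching, so that a constructed look-alike host such as https://your-trusted-app.com.evil.example never matches https://your-trusted-app.com.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// OriginPolicy is a hypothetical allow-list model for this example; it is not
// Fiber's cors.Config, but it makes the same two decisions a CORS middleware has to make.
type OriginPolicy struct {
	AllowOrigins     []string // exact origins such as "https://your-trusted-app.com", or "*"
	AllowCredentials bool
}

// Validate rejects a policy that reproduces the wildcard-plus-credentials problem,
// and any allow-list entry that is not a well-formed absolute origin (scheme://host[:port]).
func (p OriginPolicy) Validate() error {
	for _, o := range p.AllowOrigins {
		if o == "*" {
			if p.AllowCredentials {
				return errors.New("wildcard origin cannot be combined with credentials")
			}
			continue
		}
		u, err := url.Parse(o)
		if err != nil || (u.Scheme != "https" && u.Scheme != "http") ||
			u.Host == "" || u.Path != "" || u.RawQuery != "" {
			return fmt.Errorf("allow-list entry %q is not an absolute origin", o)
		}
	}
	return nil
}

// Allow returns the value to send in Access-Control-Allow-Origin for the request's
// Origin header, or "" when the origin is not trusted. Matching is exact (case-insensitive)
// on the whole origin: no prefix or suffix matching, so a look-alike host does not pass.
func (p OriginPolicy) Allow(origin string) string {
	origin = strings.ToLower(strings.TrimSpace(origin))
	for _, o := range p.AllowOrigins {
		if o == "*" && !p.AllowCredentials {
			return "*"
		}
		if strings.ToLower(o) == origin {
			return o
		}
	}
	return ""
}

func main() {
	policy := OriginPolicy{
		AllowOrigins:     []string{"https://your-trusted-app.com", "https://admin.yourdomain.com"},
		AllowCredentials: true,
	}
	if err := policy.Validate(); err != nil {
		fmt.Println("rejected policy:", err)
		return
	}
	// Constructed request origins: one trusted, one suffix look-alike, one wrong scheme
	for _, origin := range []string{
		"https://your-trusted-app.com",
		"https://your-trusted-app.com.evil.example",
		"http://your-trusted-app.com",
	} {
		fmt.Printf("%-45s -> %q\n", origin, policy.Allow(origin))
	}
}
```

Validate is meant to run at startup so that a misconfigured policy fails deployment rather than silently reflecting origins; Allow is what a middleware would call per request before it emits any Access-Control-Allow-* headers.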
HMAC Signature-Specific Remediation in Fiber — concrete code fixes
Remediation focuses on tightening the CORS policy and ensuring HMAC validation is coupled with strict origin checks. Instead of a wildcard, specify the exact origins that are trusted. When using HMAC signatures, validate the signature before processing the request, and ensure CORS does not grant broader access than intended. Below are concrete Fiber v2 code examples that demonstrate a secure configuration.
First, configure CORS with explicit origins and restricted settings:
```go
// Secure CORS configuration in Fiber (v2 API: list-valued settings are
// comma-separated strings, not slices)
package main

import (
	"log"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func main() {
	app := fiber.New()

	// Allow only specific trusted origins; never "*" when credentials are enabled
	app.Use(cors.New(cors.Config{
		AllowOrigins:     "https://your-trusted-app.com, https://admin.yourdomain.com",
		AllowCredentials: true,
		AllowHeaders:     "Content-Type, X-API-Signature, Authorization",
		AllowMethods:     "GET, POST, PUT, DELETE, OPTIONS",
		ExposeHeaders:    "Content-Length",
		MaxAge:           3600,
	}))

	// Protected route example
	app.Get("/api/data", func(c *fiber.Ctx) error {
		// Signature validation logic would be applied here
		return c.SendString("Secure data endpoint")
	})

	log.Fatal(app.Listen(":3000"))
}
```
Second, implement HMAC signature validation as middleware, ensuring it checks the signature against the request payload (and, in production, selected headers such as method and path). This example uses HMAC-SHA256 over the request body with a shared secret:
```go
// HMAC signature validation middleware for Fiber (v2 API)
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"log"

	"github.com/gofiber/fiber/v2"
	"github.com/gofiber/fiber/v2/middleware/cors"
)

func HmacMiddleware(secret string) fiber.Handler {
	return func(c *fiber.Ctx) error {
		receivedSignature := c.Get("X-API-Signature")
		if receivedSignature == "" {
			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "missing signature"})
		}
		// Decode the hex-encoded signature; a malformed value is rejected before any MAC work
		received, err := hex.DecodeString(receivedSignature)
		if err != nil || len(received) != sha256.Size {
			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "malformed signature"})
		}
		// Fiber v2 buffers the request body in memory; c.Body() returns the raw bytes
		payload := c.Body()
		mac := hmac.New(sha256.New, []byte(secret))
		mac.Write(payload)
		expected := mac.Sum(nil)
		// Constant-time comparison of the raw MAC bytes
		if !hmac.Equal(received, expected) {
			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "invalid signature"})
		}
		return c.Next()
	}
}

func main() {
	app := fiber.New()
	// CORS is registered first so preflight (OPTIONS) requests are answered
	// before the signature check runs on the actual request
	app.Use(cors.New(cors.Config{
		AllowOrigins:     "https://your-trusted-app.com",
		AllowCredentials: true,
		AllowHeaders:     "Content-Type, X-API-Signature",
		AllowMethods:     "GET, POST, OPTIONS",
		MaxAge:           3600,
	}))
	secret := "your-256-bit-secret" // placeholder; load from configuration or a secret store
	app.Use(HmacMiddleware(secret))
	app.Post("/api/action", func(c *fiber.Ctx) error {
		// Business logic here; signature has already been validated
		return c.JSON(fiber.Map{"status": "ok"})
	})
	log.Fatal(app.Listen(":3000"))
}
```
These examples show a restricted origin policy paired with HMAC signature validation, reducing the risk of cross-origin abuse while preserving message integrity. Avoid wildcard origins when HMAC or other security-sensitive checks are in place, and ensure that CORS settings align with the trust boundary of your application.
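The middleware above signs only the request body. The following added example (standard-library Go; not Fiber's code and not from this page) shows the "selected headers" binding that the remediation section mentions: the signature covers the method, path, a timestamp and a hash of the body, the server rejects timestamps outside a skew window, and the comparison is constant-time over decoded bytes. The canonical string format, the X-API-Timestamp header name, and the sample secret and body are assumptions of this example; Sign and Verify are framework-agnostic, so a Fiber handler would call Verify with c.Method(), c.Path(), the timestamp header, c.Body() and the X-API-Signature header.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Distinct errors let the caller map failures to responses and log counters.
var (
	ErrMissingSignature   = errors.New("missing signature")
	ErrMalformedSignature = errors.New("malformed signature")
	ErrStaleTimestamp     = errors.New("timestamp outside allowed window")
	ErrInvalidSignature   = errors.New("invalid signature")
)

// canonicalString binds the signature to method, path, timestamp and body so a
// captured signature cannot be replayed against another endpoint or long after it
// was issued. The body is hashed so large payloads do not bloat the signed string.
// This layout is an assumption of the example, not a Fiber or page convention.
func canonicalString(method, path string, ts int64, body []byte) string {
	bodyHash := sha256.Sum256(body)
	return strings.Join([]string{
		strings.ToUpper(method),
		path,
		strconv.FormatInt(ts, 10),
		hex.EncodeToString(bodyHash[:]),
	}, "\n")
}

// Sign computes the hex-encoded HMAC-SHA256 a client sends in X-API-Signature,
// alongside the Unix timestamp it sends in X-API-Timestamp (header names assumed).
func Sign(secret []byte, method, path string, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonicalString(method, path, ts, body)))
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify is the server-side check. now is injected so the window check is testable.
func Verify(secret []byte, method, path string, ts int64, body []byte, sig string, now time.Time, maxSkew time.Duration) error {
	if sig == "" {
		return ErrMissingSignature
	}
	got, err := hex.DecodeString(sig)
	if err != nil || len(got) != sha256.Size {
		return ErrMalformedSignature
	}
	// Reject stale or far-future timestamps before doing any MAC work.
	skew := now.Sub(time.Unix(ts, 0))
	if skew < 0 {
		skew = -skew
	}
	if skew > maxSkew {
		return ErrStaleTimestamp
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonicalString(method, path, ts, body)))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return ErrInvalidSignature
	}
	return nil
}

func main() {
	secret := []byte("example-shared-secret")               // constructed; load from a secret store in practice
	body := []byte(`{"action":"transfer","amount":10}`)     // constructed sample body
	now := time.Now()
	sig := Sign(secret, "POST", "/api/action", now.Unix(), body)
	fmt.Println("signature:", sig)
	fmt.Println("same request:", Verify(secret, "POST", "/api/action", now.Unix(), body, sig, now, 5*time.Minute))
	fmt.Println("replayed to another path:", Verify(secret, "POST", "/api/admin", now.Unix(), body, sig, now, 5*time.Minute))
	fmt.Println("replayed 10 minutes later:", Verify(secret, "POST", "/api/action", now.Unix(), body, sig, now.Add(10*time.Minute), 5*time.Minute))
}
```

The skew window bounds replay of a captured request; pairing it with a server-side cache of recently seen signatures closes the window entirely, at the cost of state. Because the canonical string includes the path, a signature issued for one route is useless on another, which is the property the page's body-only middleware lacks.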
Related CWEs (data exposure)
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |
Frequently Asked Questions
Can a wildcard CORS origin be safe if Hmac Signatures are required for every request?
How should I handle preflight requests when using Hmac Signatures in Fiber?
POST, X-API-Signature, Authorization). Preflight requests should return appropriate headers so browsers can proceed with the actual signed request.