Cors Wildcard in Fiber (Go)
Cors Wildcard in Fiber with Go — how this specific combination creates or exposes the vulnerability
Cross-origin resource sharing (CORS) misconfigurations are common in Go web services using Fiber. When a server uses a wildcard * for Access-Control-Allow-Origin while also exposing credentials or handling sensitive requests, it can undermine origin-based isolation. In Fiber with Go, this often occurs when developers set app.AllowOrigins("*") and also set AllowCredentials or do not validate the Origin header against an allowlist. Browsers enforce that a wildcard origin is not allowed when credentials are included; however, some client-side JavaScript may still rely on the wildcard and make elevated requests, and server-side missteps can lead to over-permissive CORS policies that expose endpoints to unauthorized cross-origin interactions.
A specific risk pattern in Fiber is defining permissive CORS for all routes while also permitting methods or headers that should be restricted. For example, allowing * origins together with AllowMethods("GET", "POST", "PUT", "DELETE") and AllowHeaders("*") can enable a malicious site to perform authenticated requests on behalf of a user if cookies or tokens are also permitted. Even without credentials, a wildcard origin can expose data reflection or CSRF-like behaviors when combined with other misconfigurations such as missing CSRF tokens or improper SameSite cookie settings. Because Fiber is a fast, expressive framework, it is easy to set broad CORS rules quickly, which increases the chance of unintentionally allowing any origin to interact with sensitive endpoints.
When OpenAPI/Swagger specs are used to document the API, a wildcard CORS policy may be captured generically without reflecting the runtime constraints applied by the Go server. middleBrick scans cross-reference such specs with runtime behavior and can flag a CORS wildcard as a high-risk finding when it detects that the endpoint allows broad origins while also permitting methods or headers that increase attack surface. This is especially important for endpoints that return sensitive data or accept state-changing requests. The scanner does not fix the configuration but provides prioritized findings with remediation guidance to help developers tighten CORS rules, for example by specifying exact origins, narrowing allowed methods, and avoiding wildcard headers in production.
Go-Specific Remediation in Fiber — concrete code fixes
To secure a Fiber API in Go, replace wildcard CORS settings with an explicit allowlist of origins and avoid combining wildcards with credentials. Below are concrete, idiomatic examples that demonstrate safe configurations.
1) Basic allowlist-based CORS in Fiber with Go:
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/cors"
)
func main() {
app := fiber.New()
// Define an explicit allowlist; do not use "*".
allowOrigins := "https://example.com,https://app.example.com"
app.Use(cors.New(cors.Config{
AllowOrigins: allowOrigins,
AllowMethods: "GET,POST", // narrow methods
AllowHeaders: "Origin, Content-Type, Accept", // avoid "*"
ExposeHeaders: "Content-Length",
AllowCredentials: true, // only enable if you must send cookies/tokens
MaxAge: 3600,
}))
app.Get("/profile", func(c *fiber.Ctx) error {
return c.SendString("profile data")
})
app.Listen(":3000")
}
2) Dynamic origin validation for stricter control:
package main
import (
"github.com/gofiber/fiber/v2"
"github.com/gofiber/fiber/v2/middleware/cors"
)
func main() {
app := fiber.New()
// Custom check to allow only specific origins.
app.Use(cors.New(cors.Config{
AllowOriginsFunc: func(origin string) bool {
// Maintain an allowlist for production.
allowed := map[string]bool{
"https://example.com": true,
"https://app.example.com": true,
"https://staging.example.com": true,
}
return allowed[origin]
},
AllowMethods: "GET,POST,PUT",
AllowHeaders: "Origin, Content-Type, Accept, Authorization",
AllowCredentials: true,
MaxAge: 3600,
}))
app.Post("/transfer", func(c *fiber.Ctx) error {
// Handle sensitive operations with strict CORS.
return c.SendString("ok")
})
app.Listen(":3000")
}
3) Disable CORS for internal routes or when not needed:
package main
import (
"github.com/gofiber/fiber/v2"
)
func main() {
app := fiber.New()
// Public endpoint with no CORS middleware; or apply selectively.
app.Get("/healthz", func(c *fiber.Ctx) error {
return c.SendStatus(fiber.StatusOK)
})
// Apply CORS only to routes that need it.
corsMiddleware := cors.New(cors.Config{
AllowOrigins: "https://trusted.example.com",
AllowMethods: "GET",
AllowCredentials: false,
})
app.Get("/api/data", corsMiddleware, func(c *fiber.Ctx) error {
return c.JSON(fiber.Map{"data": "secure"})
})
app.Listen(":3000")
}
Additional recommendations: avoid AllowHeaders: "*"; prefer explicit header names; set AllowCredentials only when necessary and combine with specific origins; use MaxAge to reduce preflight requests; and enforce CSRF protections and SameSite cookies for session safety. middleBrick’s CORS checks can help identify wildcard usage and suggest tighter configurations aligned with frameworks like OWASP API Security Top 10.
Related CWEs: dataExposure
| CWE ID | Name | Severity |
|---|---|---|
| CWE-200 | Exposure of Sensitive Information | HIGH |
| CWE-209 | Error Information Disclosure | MEDIUM |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | HIGH |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | MEDIUM |
| CWE-312 | Cleartext Storage of Sensitive Information | HIGH |
| CWE-359 | Exposure of Private Personal Information (PII) | HIGH |
| CWE-522 | Insufficiently Protected Credentials | CRITICAL |
| CWE-532 | Insertion of Sensitive Information into Log File | MEDIUM |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File | HIGH |
| CWE-540 | Inclusion of Sensitive Information in Source Code | HIGH |