Data Exposure in Fiber with Basic Auth

Basic Authentication in the Fiber web framework transmits credentials with every HTTP request as an Authorization header of the form Authorization: Basic <base64-encoded-credentials>. Because base64 is not encryption, anyone who intercepts or logs the header can decode the username and password. In a black-box scan, middleBrick tests unauthenticated endpoints and checks whether sensitive responses are returned when authentication is missing or bypassed, flagging Data Exposure when endpoints return private data without requiring valid credentials.

When Basic Auth is used incorrectly in Fiber—such as being limited to a subset of routes, missing on some routes, or not enforced before sensitive handlers—middleBrick can observe inconsistent enforcement during its parallel security checks. This inconsistency can expose sensitive data because an attacker may access administrative or data-export endpoints that should be protected. Even when used globally, Basic Auth over unencrypted HTTP leaks credentials in transit, enabling session hijacking and exposing user data that may be returned by the endpoints themselves, such as personally identifiable information (PII), internal identifiers, or business-critical records.

The scan tests for Data Exposure by requesting endpoints that typically return sensitive payloads, looking for unprotected JSON or HTML responses, and checking whether error messages or stack traces reveal internal paths or configuration. Because Base64 is easily reversible, credentials must never be considered secrets; they are only obfuscated. If an API uses Basic Auth over HTTP, middleBrick will highlight both the weak transport and any data returned without proper authentication as high-severity findings under Data Exposure, referencing patterns such as OWASP API Top 10:2023 A05 (Broken Function Level Authorization) and A06 (Security Misconfiguration).

In practice, a vulnerable Fiber route might look like an endpoint that returns a user profile or internal records without additional checks, relying solely on the presence of a Basic Auth header. middleBrick’s unauthenticated scan does not supply credentials for such tests; it flags the endpoint when it receives a 200 OK with sensitive content. This demonstrates that Basic Auth alone does not prevent data exposure if the endpoint lacks its own authorization logic and if transport encryption is absent.

Remediation focuses on two controls: protecting credentials in transit and enforcing authorization at the route or middleware level. Always serve your Fiber application over HTTPS to prevent credential interception; combine this with explicit authorization checks rather than relying on the presence of a Basic Auth header alone. The following examples show how to implement secure Basic Auth in Fiber, including middleware that validates credentials and protects sensitive routes.

First, always use HTTPS. In production, terminate TLS at your load balancer or use Fiber’s ability to start an HTTPS server. Second, implement a reusable Basic Auth middleware that extracts and validates credentials before allowing access to protected handlers.

const { Fiber, Context } = require('fiber');
const crypto = require('crypto');

// Basic Auth middleware
function basicAuth(req, res, next) {
  const authHeader = req.header('Authorization');
  if (!authHeader || !authHeader.startsWith('Basic ')) {
    res.status(401).send('Unauthorized');
    return;
  }
  const base64 = authHeader.split(' ')[1];
  const decoded = Buffer.from(base64, 'base64').toString('utf-8');
  const [username, password] = decoded.split(':');

  // Compare against environment variables; use constant-time comparison in production
  const validUser = process.env.BASIC_USER;
  const validPass = process.env.BASIC_PASS;

  if (username === validUser && password === validPass) {
    next();
  } else {
    res.status(401).send('Invalid credentials');
  }
}

const app = new Fiber();

// Public endpoint, no auth required
app.get('/health', (req, res) => {
  res.json({ status: 'ok' });
});

// Apply middleware to protect sensitive routes
app.all('/admin/*', basicAuth);
app.get('/admin/users', (req, res) => {
  // Only reached if basicAuth passes
  res.json({ users: [{ id: 1, name: 'alice' }] });
});

// Apply globally if all routes require auth (optional)
// app.all('/*', basicAuth);

app.listen(3000, () => console.log('Server running on port 3000'));

This middleware ensures that credentials are checked on each request for protected paths. It avoids treating the Authorization header as a session token by validating on every call. For more robust security, consider replacing Basic Auth with token-based schemes (e.g., Bearer tokens) or session-based authentication, and always enforce authorization at the resource level, not just at the network perimeter.

In the dashboard, you can track how remediation affects your Data Exposure score over time. With the Pro plan, continuous monitoring can alert you if new endpoints expose data without proper authorization. The CLI can be integrated into scripts to verify that endpoints return 401 when credentials are missing. In CI/CD, the GitHub Action can fail a build when a scan detects Data Exposure on authenticated routes, and the MCP Server allows you to run scans directly from your IDE while developing Fiber APIs.