fiber-routing-and-csrf-protection
Total installs: 10
Weekly installs: 9
Site rank: #30883
Install command
npx skills add https://github.com/oimiragieo/agent-studio --skill fiber-routing-and-csrf-protection
Agent install distribution
- github-copilot: 8
- continue: 7
- gemini-cli: 7
- amp: 7
- codex: 7
- kimi-cli: 7
Skill documentation
Fiber Routing And Csrf Protection Skill
- Use Fiber’s App.Get/Post/etc for routing HTMX requests
- Implement CSRF protection with Fiber middleware
- Utilize Fiber’s Context for handling HTMX-specific headers
- Use Fiber’s template engine for server-side rendering
Iron Laws
- ALWAYS validate CSRF tokens on every state-changing route (POST/PUT/PATCH/DELETE): skipping CSRF validation on any mutating endpoint creates an exploitable cross-site request forgery vulnerability.
- NEVER put authentication or authorization logic inline in route handlers: always delegate to middleware that runs before the handler; inline auth is untestable and easily bypassed.
- ALWAYS use Fiber’s ctx.Locals() to pass validated user data from middleware to handlers: passing auth data through global or package-level state breaks per-request isolation under concurrent requests, and extra function arguments do not fit Fiber’s handler chain.
- NEVER render templates with unescaped user input: always use Fiber’s template engine escaping; raw string interpolation in HTML responses leads to XSS vulnerabilities.
- ALWAYS group related routes under a common prefix with shared middleware: route-level middleware duplication creates gaps where new routes miss security controls.
Anti-Patterns
| Anti-Pattern | Why It Fails | Correct Approach |
|---|---|---|
| Skipping CSRF middleware on routes assumed “safe” | Any mutating route left outside the middleware is directly forgeable, and attackers chain it with protected ones; partial protection = no protection | Apply csrf.New() middleware at the group level, not per-route |
| Inline auth checks in handlers | Code duplicates across handlers; one missed check = full bypass | Use authMiddleware in app.Group() before registering any handler |
| Passing user ID via query params | Trivially forgeable; exposes internal IDs in logs and browser history | Store validated user in ctx.Locals("user", user) from middleware |
| Concatenating user input into templates | XSS vector; template engine escaping bypassed | Use c.Render() with template variables; never fmt.Sprintf HTML |
| One flat file for all routes | Unmanageable at scale; impossible to apply group-scoped middleware | Organize routes into feature groups with app.Group("/feature") |
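The Iron Laws and the table above, worked through as one added example (this is not the skill's own code and not Fiber project code). Because it has to run offline with only Go's standard library, it uses net/http and httptest as a stand-in for Fiber; comments name the Fiber counterparts (app.Group, csrf.New, c.Locals, c.Get, c.Render). The server key, in-memory session map, /app/greet route, cookie and header names, and the HMAC-of-session token scheme are all this example's own assumptions, not Fiber's csrf middleware internals. It shows the layering the skill demands: auth middleware first, CSRF enforcement on every mutating method at group level, the validated user handed to the handler through request context, HTMX's HX-Request header read in the handler, and html/template escaping next to the fmt.Sprintf anti-pattern.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"html/template"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

var csrfKey = []byte("example-server-secret-change-me") // constructed; load from config in a real app
var sessions = map[string]string{"sess-abc": "alice"}   // constructed; a real app uses its session store

type ctxKey string

const userKey ctxKey = "user"

// sessionToken derives the CSRF token as HMAC-SHA256(sessionID): bound to the victim's session, so a cross-site attacker cannot mint it.
func sessionToken(sessionID string) string {
	m := hmac.New(sha256.New, csrfKey)
	m.Write([]byte(sessionID))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// authMiddleware validates the session cookie and passes the user on via the request context (the net/http analogue of c.Locals("user", user)).
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := "", false
		if c, err := r.Cookie("session"); err == nil {
			user, ok = sessions[c.Value]
		}
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey, user)))
	})
}

// csrfMiddleware checks the token on every state-changing method and lets safe methods through; HTMX sends it in a header set via hx-headers.
func csrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
			c, _ := r.Cookie("session") // present: authMiddleware ran first
			got := []byte(r.Header.Get("X-CSRF-Token"))
			if !hmac.Equal(got, []byte(sessionToken(c.Value))) { // constant-time compare
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// greetTmpl escapes every interpolated value, as c.Render does in Fiber.
var greetTmpl = template.Must(template.New("greet").Parse(`<p>Hello, {{.User}}</p><p>Note: {{.Note}}</p>`))

func greetHandler(w http.ResponseWriter, r *http.Request) {
	user, _ := r.Context().Value(userKey).(string) // set by middleware, never read from the request
	if r.Header.Get("HX-Request") == "true" { // HTMX-specific header; Fiber: c.Get("HX-Request")
		w.Header().Set("HX-Trigger", "noteSaved")
	}
	greetTmpl.Execute(w, map[string]string{"User": user, "Note": r.FormValue("note")})
}

// unsafeHTML is the anti-pattern from the table: fmt.Sprintf into HTML, no escaping.
func unsafeHTML(user, note string) string {
	return fmt.Sprintf("<p>Hello, %s</p><p>Note: %s</p>", user, note)
}

// newApp mirrors app.Group("/app", authMiddleware, csrf.New()): both middlewares wrap the whole group, so any route later added to mux inherits them.
func newApp() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/app/greet", greetHandler)
	return authMiddleware(csrfMiddleware(mux))
}

// do sends one HTMX-style request to the app and returns the status code and body.
func do(h http.Handler, method, session, token, note string) (int, string) {
	body := url.Values{"note": {note}}.Encode()
	req := httptest.NewRequest(method, "/app/greet", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("HX-Request", "true")
	req.Header.Set("X-CSRF-Token", token)
	req.AddCookie(&http.Cookie{Name: "session", Value: session})
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	code, body := do(newApp(), http.MethodPost, "sess-abc", sessionToken("sess-abc"), "<b>hi</b>")
	fmt.Println(code, body) // 200 and the note rendered as &lt;b&gt;hi&lt;/b&gt;
}
```

In Fiber the same shape is a single group, `grp := app.Group("/app", authMiddleware, csrf.New())` followed by `grp.Post("/greet", greetHandler)`, so the check order and scope come from the group and not from each handler. Fiber's csrf middleware issues and verifies its own tokens (its Config selects the header or form field it reads); the HMAC-of-session derivation above is only this example's way of getting a session-bound token without a store. Note that a forged POST fails in the middleware with 403 before the handler ever sees the request, and a GET without a token still passes, which is why the Iron Laws insist that GET routes must never mutate state.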
Memory Protocol (MANDATORY)
Before starting:
cat .claude/context/memory/learnings.md
After completing: Record any new patterns or exceptions discovered.
ASSUME INTERRUPTION: Your context may reset. If it’s not in memory, it didn’t happen.