Fiber Routing And Csrf Protection Skill

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Install skill "fiber-routing-and-csrf-protection" with this command: npx skills add oimiragieo/agent-studio/oimiragieo-agent-studio-fiber-routing-and-csrf-protection

  • Use Fiber's App.Get/App.Post/etc. for routing HTMX requests

  • Implement CSRF protection with Fiber middleware

  • Utilize Fiber's Context for handling HTMX-specific headers

  • Use Fiber's template engine for server-side rendering

Iron Laws

  • ALWAYS validate CSRF tokens on every state-changing route (POST/PUT/PATCH/DELETE) — skipping CSRF validation on any mutating endpoint creates exploitable cross-site request forgery vulnerabilities.

  • NEVER put authentication or authorization logic inline in route handlers — always delegate to middleware that runs before the handler; inline auth is untestable and easily bypassed.

  • ALWAYS use Fiber's ctx.Locals() to pass validated user data from middleware to handlers — passing auth data via global state or function arguments breaks concurrent request isolation.

  • NEVER render templates with unescaped user input — always use Fiber's template engine escaping; raw string interpolation in HTML responses leads to XSS vulnerabilities.

  • ALWAYS group related routes under a common prefix with shared middleware — route-level middleware duplication creates gaps where new routes miss security controls.

Anti-Patterns

  • Anti-pattern: Skipping CSRF middleware on "safe" routes
    Why it fails: Attackers escalate via chained requests; partial protection = no protection
    Correct approach: Apply csrf.New() middleware at the group level, not per-route

  • Anti-pattern: Inline auth checks in handlers
    Why it fails: Code duplicates across handlers; one missed check = full bypass
    Correct approach: Use authMiddleware in app.Group() before registering any handler

  • Anti-pattern: Passing user ID via query params
    Why it fails: Trivially forgeable; exposes internal IDs in logs and browser history
    Correct approach: Store the validated user in ctx.Locals("user", user) from middleware

  • Anti-pattern: Concatenating user input into templates
    Why it fails: XSS vector; template engine escaping bypassed
    Correct approach: Use c.Render() with template variables; never fmt.Sprintf HTML

  • Anti-pattern: One flat file for all routes
    Why it fails: Unmanageable at scale; impossible to apply group-scoped middleware
    Correct approach: Organize routes into feature groups with app.Group("/feature")
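The Iron Laws and the anti-pattern list above describe one layering: a route group whose shared middleware authenticates the request, rejects mutating requests without a valid CSRF token, hands the validated user to handlers through the request context, and renders through an escaping template engine. The example below is added here and is not code from the skill or from the agent-studio repository. It implements that layering with Go's standard net/http, html/template and crypto/subtle instead of Fiber, so it builds without the Fiber module; the /feature routes, the cookie names, the in-memory session table and the double-submit cookie check are assumptions made for the demonstration, not Fiber's csrf middleware.

```go
package main

import (
	"context"
	"crypto/subtle"
	"html/template"
	"log"
	"net/http"
)

// Hypothetical stdlib stand-in for the Fiber layering the skill describes.
// request context plays the role of ctx.Locals; html/template plays the role
// of Fiber's escaping template engine.

type ctxKey int

const userKey ctxKey = 0

// User is the validated identity placed in the request context by authMiddleware.
type User struct{ Name string }

// Constructed session table standing in for a real session store. The second
// entry carries markup in its display name to show that rendering escapes it.
var sessions = map[string]User{
	"sess-alice":   {Name: "alice"},
	"sess-mallory": {Name: "<script>evil</script>"},
}

// authMiddleware runs before every handler in the group and stores the
// validated user in the request context instead of passing it by argument.
func authMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		u, ok := sessions[c.Value]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey, u)))
	})
}

// csrfMiddleware enforces a double-submit token on every state-changing method:
// the csrf_token cookie must equal the X-CSRF-Token header (constant-time compare).
// Safe methods pass through untouched.
func csrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
			c, err := r.Cookie("csrf_token")
			header := r.Header.Get("X-CSRF-Token")
			if err != nil || header == "" ||
				subtle.ConstantTimeCompare([]byte(c.Value), []byte(header)) != 1 {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// html/template escapes .Name for the HTML text context; no string concatenation.
var profileTmpl = template.Must(template.New("profile").Parse(`<h1>Hello, {{.Name}}</h1>`))

func profileHandler(w http.ResponseWriter, r *http.Request) {
	u, _ := r.Context().Value(userKey).(User) // set by authMiddleware
	if err := profileTmpl.Execute(w, u); err != nil {
		http.Error(w, "render failed", http.StatusInternalServerError)
	}
}

func updateHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("updated"))
}

// NewApp wires the /feature group so that every route under it, including any
// registered later, inherits the auth and CSRF checks from the group itself.
func NewApp() http.Handler {
	feature := http.NewServeMux()
	feature.HandleFunc("/feature/profile", profileHandler)
	feature.HandleFunc("/feature/update", updateHandler)

	root := http.NewServeMux()
	root.Handle("/feature/", authMiddleware(csrfMiddleware(feature)))
	return root
}

func main() {
	log.Fatal(http.ListenAndServe(":8080", NewApp()))
}
```

Because the middleware is attached to the "/feature/" subtree rather than to each handler, a new route added to the feature mux cannot accidentally skip either check; with Fiber the equivalent attachment point is the app.Group("/feature", ...) call that the skill names.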

Memory Protocol (MANDATORY)

Before starting:

cat .claude/context/memory/learnings.md

After completing: Record any new patterns or exceptions discovered.

ASSUME INTERRUPTION: Your context may reset. If it's not in memory, it didn't happen.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Related Skills

Related by shared tags or category signals.

  • filesystem (Automation): No summary provided by upstream source. Trust label: Repository Source, Needs Review.

  • slack-notifications (Automation): No summary provided by upstream source. Trust label: Repository Source, Needs Review.

  • chrome-browser (Automation): No summary provided by upstream source. Trust label: Repository Source, Needs Review.

  • diagram-generator (Automation): No summary provided by upstream source. Trust label: Repository Source, Needs Review.