Skip to main content
Version: v2.x

Encrypt Cookie

Encrypt Cookie is a middleware for Fiber that secures your cookie values through encryption.


This middleware encrypts cookie values and not the cookie names.


// Intitializes the middleware
func New(config ...Config) fiber.Handler

// Returns a random 32 character long string
func GenerateKey() string


To use the Encrypt Cookie middleware, first, import the middleware package as part of the Fiber web framework:

import (

Once you've imported the middleware package, you can use it inside your Fiber app:

// Provide a minimal configuration
Key: "secret-thirty-2-character-string",

// Retrieve the encrypted cookie value
app.Get("/", func(c *fiber.Ctx) error {
return c.SendString("value=" + c.Cookies("test"))

// Create an encrypted cookie
app.Post("/", func(c *fiber.Ctx) error {
Name: "test",
Value: "SomeThing",
return nil

Key must be a 32 character string. It's used to encrypt the values, so make sure it is random and keep it secret. You can run openssl rand -base64 32 or call encryptcookie.GenerateKey() to create a random key for you. Make sure not to set Key to encryptcookie.GenerateKey() because that will create a new key every run.


Nextfunc(*fiber.Ctx) boolA function to skip this middleware when returned true.nil
Except[]stringArray of cookie keys that should not be encrypted.[]
KeystringA base64-encoded unique key to encode & decode cookies. Required. Key length should be 32 characters.(No default, required field)
Encryptorfunc(decryptedString, key string) (string, error)A custom function to encrypt cookies.EncryptCookie
Decryptorfunc(encryptedString, key string) (string, error)A custom function to decrypt cookies.DecryptCookie

Default Config

var ConfigDefault = Config{
Next: nil,
Except: []string{},
Key: "",
Encryptor: EncryptCookie,
Decryptor: DecryptCookie,

Usage With Other Middlewares That Reads Or Modify Cookies

Place the encryptcookie middleware before any other middleware that reads or modifies cookies. For example, if you are using the CSRF middleware, ensure that the encryptcookie middleware is placed before it. Failure to do so may prevent the CSRF middleware from reading the encrypted cookie.

You may also choose to exclude certain cookies from encryption. For instance, if you are using the CSRF middleware with a frontend framework like Angular, and the framework reads the token from a cookie, you should exclude that cookie from encryption. This can be achieved by adding the cookie name to the Except array in the configuration:

Key: "secret-thirty-2-character-string",
Except: []string{csrf.ConfigDefault.CookieName}, // exclude CSRF cookie
KeyLookup: "header:" + csrf.HeaderName,
CookieSameSite: "Lax",
CookieSecure: true,
CookieHTTPOnly: false,