2 posts tagged with "middleware"

Security bugs in middleware are often not algorithm bugs. They are extraction-policy bugs.

One component reads bearer tokens from headers, another falls back to query parameters first, a third uses cookie-first behavior. Each of these can work in isolation, but together they create inconsistent security posture. During an auth migration, the problem multiplies: old services use one extraction path, new services use another, and nobody is sure which fallback order is actually active in production.

The extractors package in Fiber v3 exists to solve this. It gives middleware a shared, composable API for declaring where values come from and in what order, so extraction policy is explicit and reviewable rather than scattered across handler code.

Static delivery is one of those topics that seems boring until it breaks.

A frontend deploy goes out, cache headers are wrong, the browser serves stale files, and suddenly support channels fill with "I still see the old UI" messages. Or worse: your container image uses a different working directory than local dev, and assets that worked locally return 404 in production.

Fiber v3 gives you a very capable static middleware surface. The trick is not only to use it, but to use it with clear policy.