Encrypt Cookie
The Encrypt Cookie middleware for Fiber encrypts cookie values for secure storage.
This middleware encrypts cookie values but not cookie names.
Signaturesβ
// Initializes the middleware
func New(config ...Config) fiber.Handler
// GenerateKey returns a random string of 16, 24, or 32 bytes.
// The length of the key determines the AES encryption algorithm used:
// 16 bytes for AES-128, 24 bytes for AES-192, and 32 bytes for AES-256-GCM.
func GenerateKey(length int) string
Examplesβ
Import the middleware package:
import (
"github.com/gofiber/fiber/v3"
"github.com/gofiber/fiber/v3/middleware/encryptcookie"
)
Once your Fiber app is initialized, register the middleware:
// Provide a minimal configuration
app.Use(encryptcookie.New(encryptcookie.Config{
Key: "secret-32-character-string",
}))
// Retrieve the encrypted cookie value
app.Get("/", func(c fiber.Ctx) error {
return c.SendString("value=" + c.Cookies("test"))
})
// Create an encrypted cookie
app.Post("/", func(c fiber.Ctx) error {
c.Cookie(&fiber.Cookie{
Name: "test",
Value: "SomeThing",
})
return nil
})
Use an encoded key of 16, 24, or 32 bytes to select AESβ128, AESβ192, or AESβ256βGCM. Generate a stable key with openssl rand -base64 32 or encryptcookie.GenerateKey(32) and store it securely. Generating a new key on each startup renders existing cookies unreadable.
Configβ
| Property | Type | Description | Default |
|---|---|---|---|
| Next | func(fiber.Ctx) bool | A function to skip this middleware when it returns true. | nil |
| Except | []string | Array of cookie keys that should not be encrypted. | [] |
| Key | string | A base64-encoded unique key to encode & decode cookies. Required. Key length should be 16, 24, or 32 bytes. | (No default, required field) |
| Encryptor | func(name, decryptedString, key string) (string, error) | A custom function to encrypt cookies. | EncryptCookie |
| Decryptor | func(name, encryptedString, key string) (string, error) | A custom function to decrypt cookies. | DecryptCookie |
Encryptor and Decryptor parametersβ
Custom encryptor and decryptor functions receive three arguments:
name: The cookie name. The default helpers bind this value as additional authenticated data (AAD) so encrypted values can only be decrypted for the same cookie.string: The cookie payload.EncryptCookieaccepts the decrypted value and returns ciphertext, whileDecryptCookiereceives ciphertext and must return the decrypted value.key: The base64-encoded key pulled from the middleware configuration. Use it to derive or validate any encryption keys your implementation requires.
Default Configβ
var ConfigDefault = Config{
Next: nil,
Except: []string{},
Key: "",
Encryptor: EncryptCookie,
Decryptor: DecryptCookie,
}
Use with Other Middleware That Reads or Modifies Cookiesβ
Place encryptcookie before middleware that reads or writes cookies. If you use the CSRF middleware, register encryptcookie first so it can read the token.
Exclude cookies from encryption by listing them in Except. If a frontend framework such as Angular reads the CSRF token from a cookie, add that name to the Except array:
app.Use(encryptcookie.New(encryptcookie.Config{
Key: "secret-thirty-2-character-string",
Except: []string{csrf.ConfigDefault.CookieName}, // exclude CSRF cookie
}))
app.Use(csrf.New(csrf.Config{
Extractor: csrf.FromHeader(csrf.HeaderName),
CookieSameSite: "Lax",
CookieSecure: true,
CookieHTTPOnly: false,
}))
Encryption Algorithmsβ
The default Encryptor and Decryptor functions use AES-256-GCM for encryption and decryption. If you need to use AES-128 or AES-192 instead, you can do so by changing the length of the key when calling encryptcookie.GenerateKey(length) or by providing a key of one of the following lengths:
- AES-128 requires a 16-byte key.
- AES-192 requires a 24-byte key.
- AES-256 requires a 32-byte key.
For example, to generate a key for AES-128:
key := encryptcookie.GenerateKey(16)
And for AES-192:
key := encryptcookie.GenerateKey(24)