🚀 New
- Complete HTTP QUERY method support (#4436, #4456)
Adds the HTTP QUERY method (RFC 10008):fiber.MethodQuery,app.Query()routing, safe/idempotent handling in csrf, idempotency, earlydata and cache, plusclient.Query()shorthands.https://docs.gofiber.io/client/rest#queryapp.Query("/search", func(c fiber.Ctx) error { return c.Send(c.Body()) // QUERY carries the query expression in the body })
- Add WithContext variants for session storage I/O (#4393)
SaveWithContext,DestroyWithContext,RegenerateWithContextandResetWithContextpropagate deadlines/cancellation to the session storage backend; the plain methods keep working unchanged.https://docs.gofiber.io/middleware/session#session-with-context-timeoutscancellationsess := session.FromContext(c) err := sess.SaveWithContext(ctx) // storage write bounded by ctx
- Unify internal and custom constraints into a single interface (#4397)
Built-in and custom route constraints now share oneConstraintHandlerinterface; the optionalConstraintAnalyzerprecomputes constraint data at route registration, removing per-request parsing. ExistingCustomConstraintimplementations keep working unchanged.https://docs.gofiber.io/guide/routing#constrainthandler-interfaceapp.RegisterCustomConstraint(evenConstraint{}) // implements Name() + Execute() app.Get("/items/:id<even>", handler)
- Expose prefork RecoverInterval and ShutdownGracePeriod (#4491)
NewListenConfigknobs:PreforkRecoverIntervaldelays respawning a crashed child (default0) andPreforkShutdownGracePeriodsets how long the master waits after SIGTERM before SIGKILL (default5s).https://docs.gofiber.io/api/fiber#preforkrecoverintervalapp.Listen(":3000", fiber.ListenConfig{ EnablePrefork: true, PreforkRecoverInterval: time.Second, PreforkShutdownGracePeriod: 10 * time.Second, })
🧹 Updates
- Reduce avoidable work in the request hot path (#4490)
- Avoid per-request heap allocation in DefaultErrorHandler (#4446)
- Use sentinel errors on typed-getter and Range parse failures (#4448)
- Replace appendLowerBytes with utilsbytes.UnsafeToLower (#4468)
- Add MIMETextEventStream constant (#4415)
- Cache binder decoder type metadata across requests (#4447)
- Eliminate double reflection in binder mergeStruct (-10% allocs) (#4385)
- Reduce binder data map allocations (#4379)
- cache: Append canonical key segments into the pooled buffer (#4450)
- cors: Optimize subdomain origin matching (#4482)
- cors: Optimize exact-origin lookup to O(1) (#4368)
- csrf/redirect: Share scheme/host matching and skip url.Parse on the hot path (#4449)
- Narrow client user hook lock scope safely (#4375)
- Raise middleware coverage above 90% for timeout, logger, idempotency, limiter, cache (#4466)
- Cover remaining cors/csrf middleware branches (#4462)
- Add unit tests for isOriginSerializedOrNull (#4461)
- Cover session deadline/error paths and delegate Middleware lifecycle methods (#4435)
- Inject clock to make time-dependent tests deterministic (#4430)
- Rename benchmark cases (#4383)
- Remove test-only dead code and add manual deadcode workflow (#4458)
- Remove dead code flagged by static analysis (#4454)
- Static analysis cleanups (#4444)
- Fix modernize lint issues (#4315)
🐛 Fixes
- Evaluate If-Modified-Since when If-None-Match is absent in Fresh (#4488)
- Fix open redirect via Redirect().Back() by validating the Referer header origin (#4370)
- Fix data race on lazy appListKeys generation in Render (#4440)
- Avoid route fallback errors during server error middleware traversal (#4426)
- Strip all trusted proxy IPs from X-Forwarded-For chain (#4394)
- Guard typed-nil errors (#4407)
- Guard typed-nil Fiber error paths without reflection (#4372)
- Preserve legacy custom constraint arguments (#4432)
- Remove unreachable SameSiteDefaultMode case (#4471)
- Detach quoted filename strings from pooled buffers (#4374)
- Prevent app.init mutex deadlock on panic (#4366)
- Enforce CertClientFile for AutoCertManager TLS (#4312)
- cache: Separate authorization key segment (#4467)
- cache: Hash QUERY body keys (#4459)
- cache: Evaluate freshness after locking (#4419)
- cors: Validate wildcard origins before matching (#4438)
- cors: Reject empty wildcard labels (#4437)
- csrf: Validate nested extractor chains (#4439)
- csrf: Port CORS subdomain match fixes (#4455)
- etag: Skip Server-Sent Events responses (#4487)
- Guard extractor introspection cycles (#4453)
- helmet: Use Scheme() for HTTPS detection and validate HSTS configuration (#4389)
- hostauthorization: Reject malformed hostnames in wildcard path (#4408)
- idempotency: Make MemoryLock safe for zero-value use (#4371)
- limiter: Correct fixed-window hit credit on skipped requests (#4422)
- logger/cache/storage: Remove unbounded background goroutines (#4378)
- pprof/proxy: Fix trailing-slash redirect and balancer empty-server panic (#4421)
- proxy: Bound upstream connections by default (#4369)
- rewrite/redirect: Anchor rules to the start of the path (#4483)
- session: Prevent session fixation by preserving successful extractor in chains (#4469)
- session: Prevent store error disclosure (#4424)
- session: Restore isFresh field name (#4477)
- sse: Preserve trailing newlines in event data (#4414)
- timeout: Isolate default timeout responses (#4442)
- timeout: Reclaim abandoned fiber.Ctx via ScheduleReclaim latch (#4359, #4400)
- Fix client config locking races (#4470)
- Fix client default access race in Replace/C path (#4377)
- Handle panics in client execFunc without crashing callers (#4365)
- Address bugs found in codebase audit (#4420)
- Fix cleanup follow-ups and regression coverage (#4380)
🛠️ Maintenance
22 changes
- bump github.com/klauspost/compress from 1.18.7 to 1.19.0 (#4489)
- bump github.com/klauspost/compress from 1.18.6 to 1.18.7 (#4485)
- bump github.com/andybalholm/brotli from 1.2.1 to 1.2.2 (#4484)
- bump github.com/valyala/fasthttp from 1.71.0 to 1.72.0 in the fasthttp-modules group (#4481)
- bump actions/cache/restore from 6.0.0 to 6.1.0 (#4480)
- bump actions/cache/save from 6.0.0 to 6.1.0 (#4479)
- bump release-drafter/release-drafter from 7.5.0 to 7.5.1 (#4463)
- bump release-drafter/release-drafter from 7.4.0 to 7.5.0 (#4457)
- bump actions/cache from 5.0.5 to 6.0.0 (#4452)
- bump actions/setup-go from 6.4.0 to 6.5.0 (#4451)
- bump actions/checkout from 6.0.3 to 7.0.0 (#4441)
- bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (#4434)
- bump golang.org/x/net from 0.55.0 to 0.56.0 in the golang-modules group (#4425)
- bump github.com/gofiber/schema from 1.7.2 to 1.8.0 (#4417)
- bump the golang-modules group with 2 updates (#4416)
- bump golang.org/x/sys from 0.45.0 to 0.46.0 in the golang-modules group (#4412)
- bump codecov/codecov-action from 6.0.1 to 7.0.0 (#4413)
- bump actions/checkout from 6.0.2 to 6.0.3 (#4398)
- bump github.com/gofiber/schema from 1.7.1 to 1.7.2 (#4396)
- bump github.com/mattn/go-colorable from 0.1.14 to 0.1.15 (#4384)
- bump release-drafter/release-drafter from 7.3.0 to 7.3.1 (#4314)
- bump the golang-modules group with 3 updates (#4310)
📚 Documentation
- Restructure routing guide and split handler partials (#4311)
- Fix Ctx.Scheme/Protocol documentation (#4473, #4474)
- Clarify client hook concurrency contract (#4386)
- keyauth: Fix extractor examples (#4409)
- Add FAQ troubleshooting entry for the "id <= evictCount" (hpack/gRPC) panic (#4475)
- Replace interface{} with any (Go 1.18+) (#4433)
- Document thread-safety contracts for mutex-backed public types (#4367)
- Enhance sponsorship section in README (#4402)
📒 Documentation: https://docs.gofiber.io/next/
💬 Discord: https://gofiber.io/discord
Full Changelog: v3.3.0...v3.4.0
Thank you @0xghost42, @Amirhf1, @DucMinhNe, @Fenny, @MD-Mushfiqur123, @ReneWerner87, @alexandear, @fereidani, @gaby, @james-yusuke, @ksw2000, @nekoworks-magic, @niksis02, @pageton, @sixcolors and @talktokim for making this release possible.