pub enum Hsts {
    Enable(Duration),
    IncludeSubDomains(Duration),
    Preload(Duration),
}

The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

HSTS tells the browser that the site should only be accessed using HTTPS instead of HTTP. HSTS prevents a variety of downgrading attacks and should always be used when TLS is enabled. Shield will turn HSTS on and issue a warning if you enable TLS without enabling HSTS when the application is run in non-debug profiles.

While HSTS is important for HTTPS security, incorrectly configured HSTS can lead to problems, because you are disallowing access to any parts of your site that are not HTTPS-enabled. Yelp engineering has a good discussion of the potential challenges that can arise and how to roll this out in a large-scale setting. So, if you use TLS, use HSTS, but roll it out with care.

Variants

Enable(Duration)

Browser should only permit this site to be accessed by HTTPS for the next Duration.

IncludeSubDomains(Duration)

Like Hsts::Enable, but also apply to all of the site’s subdomains.

Preload(Duration)

Send a “preload” HSTS header, which requests inclusion in the HSTS preload list. This variant implies Hsts::IncludeSubDomains, which implies Hsts::Enable.

The provided Duration must be at least 365 days. If the duration provided is less than 365 days, the header will be written out with a max-age of 365 days.

Details

Google maintains an HSTS preload service that can be used to prevent the browser from ever connecting to your site over an insecure connection. Read more at MDN. Don’t enable this before you have registered your site and ensured that it meets the requirements specified by the preload service.
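The variants above correspond to Strict-Transport-Security directives, so a header value observed on a response can be checked against what Hsts::Preload promises (at least 365 days, includeSubDomains, preload). The following is an added example, not Rocket's code: HstsModel, header_value and preload_problems are hypothetical names, it uses std::time::Duration as a stand-in, and the directive syntax assumed is that of RFC 6797 plus the preload directive.

```rust
use std::time::Duration;

const YEAR_SECS: u64 = 365 * 24 * 60 * 60;

/// Stand-in for the enum on this page (std Duration; not Rocket's type).
#[derive(Clone, Copy)]
pub enum HstsModel { Enable(Duration), IncludeSubDomains(Duration), Preload(Duration) }

/// Header value per variant as the page describes it; Preload clamps up to 365 days.
pub fn header_value(policy: HstsModel) -> String {
    match policy {
        HstsModel::Enable(d) => format!("max-age={}", d.as_secs()),
        HstsModel::IncludeSubDomains(d) => format!("max-age={}; includeSubDomains", d.as_secs()),
        HstsModel::Preload(d) => format!("max-age={}; includeSubDomains; preload", d.as_secs().max(YEAR_SECS)),
    }
}

/// Reasons a Strict-Transport-Security value falls short of what Preload promises.
pub fn preload_problems(value: &str) -> Vec<&'static str> {
    let (mut max_age, mut subdomains, mut preload) = (None, false, false);
    for directive in value.split(';').map(str::trim) {
        // Directive names are case-insensitive; max-age may be a quoted string.
        let (name, arg) = match directive.split_once('=') {
            Some((n, a)) => (n.trim(), a.trim().trim_matches('"')),
            None => (directive, ""),
        };
        match name.to_ascii_lowercase().as_str() {
            "max-age" => max_age = arg.parse::<u64>().ok(),
            "includesubdomains" => subdomains = true,
            "preload" => preload = true,
            _ => {} // unknown directives are ignored
        }
    }
    let mut problems = Vec::new();
    match max_age {
        None => problems.push("max-age missing or not a number"),
        Some(s) if s < YEAR_SECS => problems.push("max-age below 365 days"),
        Some(_) => {}
    }
    if !subdomains { problems.push("includeSubDomains missing"); }
    if !preload { problems.push("preload missing"); }
    problems
}

fn main() {
    // Constructed input: a 30-day Preload policy and a header lacking `preload`.
    let short = header_value(HstsModel::Preload(Duration::from_secs(30 * 24 * 60 * 60)));
    println!("{} -> {:?}", short, preload_problems(&short));
    println!("{:?}", preload_problems("max-age=2592000; includeSubDomains"));
}
```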

Trait Implementations

Returns a copy of the value.

Performs copy-assignment from source.

Defaults to Hsts::Enable(Duration::days(365)).

Returns the “default value” for a type.

Converts to this type from the input type.

This method tests for self and other values to be equal, and is used by ==.

This method tests for !=.

The actual name of the HTTP header.

Returns the Header to attach to all outgoing responses.
