Module rocket::shield

Security and privacy headers for all outgoing responses.

The Shield fairing provides a typed interface for injecting HTTP security and privacy headers into all outgoing responses. It takes some inspiration from helmetjs, a similar piece of middleware for express.

Supported Headers

HTTP Header	Description	Policy	Default?
X-XSS-Protection	Prevents some reflected XSS attacks.	XssFilter	✗
X-Content-Type-Options	Prevents client sniffing of MIME type.	NoSniff	✔
X-Frame-Options	Prevents clickjacking.	Frame	✔
Strict-Transport-Security	Enforces strict use of HTTPS.	Hsts	?
Expect-CT	Enables certificate transparency.	ExpectCt	✗
Referrer-Policy	Enables referrer policy.	Referrer	✗
X-DNS-Prefetch-Control	Controls browser DNS prefetching.	Prefetch	✗
Permissions-Policy	Allows or block browser features.	Permission	✔

? If TLS is enabled in a non-debug profile, HSTS is automatically enabled with its default policy and a warning is logged at liftoff.

Usage

By default, Shield::default() is attached to all instances Rocket. To change the default, including removing all Shield headers, attach a configured instance of Shield:

use rocket::shield::Shield;

#[launch]
fn rocket() -> _ {
    // Remove all `Shield` headers.
    rocket::build().attach(Shield::new())
}

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of Shield, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of Shield:

use time::Duration;

use rocket::http::uri::Uri;
use rocket::shield::{Shield, Referrer, Prefetch, ExpectCt, NoSniff};

let report_uri = uri!("https://report.rocket.rs");
let shield = Shield::default()
    .enable(Referrer::NoReferrer)
    .enable(Prefetch::Off)
    .enable(ExpectCt::ReportAndEnforce(Duration::days(30), report_uri))
    .disable::<NoSniff>();

FAQ

• Which policies should I choose?

  See the links in the table above for individual header documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.

• Do I need any headers beyond what Shield enables by default?

  Maybe! The other headers may protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.

Structs

• Permission
  The Permissions-Policy header: allow or block the use of browser features.
• Shield
  A Fairing that injects browser security and privacy headers into all outgoing responses.

Enums

• Allow
  Specifies the origin(s) allowed to access a browser Feature via Permission.
• ExpectCt
  The Expect-CT header: enables reporting and/or enforcement of Certificate Transparency.
• Feature
  A browser feature that can be enabled or blocked via Permission.
• Frame
  The X-Frame-Options header: helps prevent clickjacking attacks.
• Hsts
  The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.
• NoSniff
  The X-Content-Type-Options header: turns off mime sniffing which can prevent certain attacks.
• Prefetch
  The X-DNS-Prefetch-Control header: controls browser DNS prefetching.
• Referrer
  The Referrer-Policy header: controls the value set by the browser for the Referer header.
• XssFilter
  The X-XSS-Protection header: filters some forms of reflected XSS attacks. Modern browsers do not support or enforce this header.

Traits

• Policy
  Trait implemented by security and privacy policy headers.