Module rocket::shield

Security and privacy headers for all outgoing responses.

The Shield fairing provides a typed interface for injecting HTTP security and privacy headers into all outgoing responses. It takes some inspiration from helmetjs, a similar piece of middleware for express.

Supported Headers

HTTP Header                 Description                               Policy       Default?
X-XSS-Protection            Prevents some reflected XSS attacks.      XssFilter    no
X-Content-Type-Options      Prevents client sniffing of MIME type.    NoSniff      yes
X-Frame-Options             Prevents clickjacking.                    Frame        yes
Strict-Transport-Security   Enforces strict use of HTTPS.             Hsts         no ?
Expect-CT                   Enables certificate transparency.         ExpectCt     no
Referrer-Policy             Enables referrer policy.                  Referrer     no
X-DNS-Prefetch-Control      Controls browser DNS prefetching.         Prefetch     no
Permissions-Policy          Allows or blocks browser features.        Permission   yes

? If TLS is enabled in a non-debug profile, HSTS is automatically enabled with its default policy and a warning is logged at liftoff.

Usage

By default, Shield::default() is attached to all instances of Rocket. To change the default, including removing all Shield headers, attach a configured instance of Shield:

use rocket::shield::Shield;

#[launch]
fn rocket() -> _ {
    // Remove all `Shield` headers.
    rocket::build().attach(Shield::new())
}

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of Shield, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of Shield:

use time::Duration;

use rocket::uri;
use rocket::http::uri::Uri;
use rocket::shield::{Shield, Referrer, Prefetch, ExpectCt, NoSniff};

// Endpoint browsers report Expect-CT violations to.
let report_uri = uri!("https://report.rocket.rs");

// Start from the defaults, add three policies, and drop NoSniff.
let shield = Shield::default()
    .enable(Referrer::NoReferrer)
    .enable(Prefetch::Off)
    .enable(ExpectCt::ReportAndEnforce(Duration::days(30), report_uri))
    .disable::<NoSniff>();
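Configuring Shield sets the headers; verifying that a deployed app actually emits them is a separate check. The following is an added std-only Rust example, not Rocket's code: it parses captured response headers and audits them against a baseline. The baseline is an assumption made for the example (nosniff, SAMEORIGIN, a Permissions-Policy value, and HSTS with at least a one-year max-age whenever the app serves TLS in a non-debug profile, per the note under the table above); the two sample responses are constructed, not captured from a server. Adjust the baseline to the policies you enable.

```rust
// Added example, not Rocket's code: a std-only audit of the headers a Shield
// fairing is expected to set, run over constructed sample responses. The
// baseline is an assumption for this example; adjust it to your configuration.
use std::collections::HashMap;

/// Minimum HSTS max-age (one year, in seconds) the audit accepts.
pub const MIN_HSTS_MAX_AGE: u64 = 31_536_000;

/// Header name/value pairs the audit expects. Names are lower-cased because
/// HTTP header names are case-insensitive.
pub fn expected_headers(expect_hsts: bool) -> Vec<(&'static str, &'static str)> {
    let mut expected = vec![
        ("x-content-type-options", "nosniff"),       // NoSniff policy
        ("x-frame-options", "SAMEORIGIN"),            // Frame policy
        ("permissions-policy", "interest-cohort=()"), // Permission policy (assumed value)
    ];
    if expect_hsts {
        // HSTS is judged by its max-age directive, not by exact string (see `audit`).
        expected.push(("strict-transport-security", ""));
    }
    expected
}

/// Parse raw "Name: value" lines as captured from a response into a map keyed
/// by lower-cased name. A repeated header keeps its last value.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.lines()
        .filter_map(|line| line.split_once(':'))
        .map(|(name, value)| (name.trim().to_ascii_lowercase(), value.trim().to_string()))
        .collect()
}

/// Extract the max-age directive from an HSTS value such as
/// "max-age=31536000; includeSubDomains". Directive names are case-insensitive.
pub fn hsts_max_age(value: &str) -> Option<u64> {
    value
        .split(';')
        .map(|directive| directive.trim().to_ascii_lowercase())
        .find_map(|directive| {
            directive.strip_prefix("max-age=").and_then(|n| n.parse::<u64>().ok())
        })
}

/// Compare a response's headers with the baseline and return one finding per
/// missing or weak header. An empty result means the response passes.
pub fn audit(headers: &HashMap<String, String>, expect_hsts: bool) -> Vec<String> {
    let mut findings = Vec::new();
    for (name, want) in expected_headers(expect_hsts) {
        match headers.get(name) {
            None => findings.push(format!("missing {name}")),
            Some(got) if name == "strict-transport-security" => match hsts_max_age(got) {
                Some(age) if age >= MIN_HSTS_MAX_AGE => {}
                _ => findings.push(format!("{name}: max-age below {MIN_HSTS_MAX_AGE}, got {got:?}")),
            },
            Some(got) if !got.eq_ignore_ascii_case(want) => {
                findings.push(format!("{name}: expected {want:?}, got {got:?}"))
            }
            Some(_) => {}
        }
    }
    findings
}

/// Constructed sample responses (not captured from a real server).
pub const GOOD_RESPONSE: &str = "Content-Type: text/html; charset=utf-8\r\n\
    X-Content-Type-Options: nosniff\r\n\
    X-Frame-Options: SAMEORIGIN\r\n\
    Permissions-Policy: interest-cohort=()\r\n\
    Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n";

pub const WEAK_RESPONSE: &str = "Content-Type: text/html\r\n\
    X-Frame-Options: ALLOWALL\r\n\
    Strict-Transport-Security: max-age=300\r\n";

fn main() {
    for (label, raw) in [("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)] {
        let findings = audit(&parse_headers(raw), true);
        println!("{label}: {} finding(s)", findings.len());
        for finding in &findings {
            println!("  - {finding}");
        }
    }
}
```

Run it against headers captured with `curl -sI` from a staging deployment; a non-empty finding list for a TLS-terminated app usually means HSTS was never enabled (the Shield only turns it on automatically in a non-debug profile with TLS configured) or a policy was disabled on a route that inherits the default Shield.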

FAQ

  • Which policies should I choose?

    See the links in the table above for individual header documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.

  • Do I need any headers beyond what Shield enables by default?

    Maybe! The other headers may protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.

Structs

Permission: The Permissions-Policy header: allow or block the use of browser features.

Shield: A Fairing that injects browser security and privacy headers into all outgoing responses.

Enums

Allow: Specifies the origin(s) allowed to access a browser Feature via Permission.

ExpectCt: The Expect-CT header: enables reporting and/or enforcement of Certificate Transparency.

Feature: A browser feature that can be enabled or blocked via Permission.

Frame: The X-Frame-Options header: helps prevent clickjacking attacks.

Hsts: The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

NoSniff: The X-Content-Type-Options header: turns off MIME sniffing, which can prevent certain attacks.

Prefetch: The X-DNS-Prefetch-Control header: controls browser DNS prefetching.

Referrer: The Referrer-Policy header: controls the value set by the browser for the Referer header.

XssFilter: The X-XSS-Protection header: filters some forms of reflected XSS attacks. Modern browsers do not support or enforce this header.

Traits

Policy: Trait implemented by security and privacy policy headers.