rocket_contrib

Module helmet


Security and privacy headers for all outgoing responses.

SpaceHelmet provides a typed interface for HTTP security headers. It takes some inspiration from helmetjs, a similar piece of middleware for express.

§Enabling

This module is only available when the helmet feature is enabled. Enable it in Cargo.toml as follows:

[dependencies.rocket_contrib]
version = "0.4.11"
default-features = false
features = ["helmet"]

§Supported Headers

| HTTP Header               | Description                            | Policy    | Default? |
|---------------------------|----------------------------------------|-----------|----------|
| X-XSS-Protection          | Prevents some reflected XSS attacks.   | XssFilter | ✔        |
| X-Content-Type-Options    | Prevents client sniffing of MIME type. | NoSniff   | ✔        |
| X-Frame-Options           | Prevents clickjacking.                 | Frame     | ✔        |
| Strict-Transport-Security | Enforces strict use of HTTPS.          | Hsts      | †        |
| Expect-CT                 | Enables certificate transparency.      | ExpectCt  |          |
| Referrer-Policy           | Enables referrer policy.               | Referrer  |          |

† If TLS is enabled when the application is launched in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued.

§Usage

To apply default headers, simply attach an instance of SpaceHelmet before launching:

use rocket_contrib::helmet::SpaceHelmet;

let rocket = rocket::ignite().attach(SpaceHelmet::default());

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of SpaceHelmet:

use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();
let helmet = SpaceHelmet::default()
    .enable(Hsts::default())
    .enable(Frame::AllowFrom(site_uri))
    .enable(XssFilter::EnableReport(report_uri))
    .disable::<NoSniff>();
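The snippet above shows the API surface but not what the typed policies turn into on the wire. The following is an added, self-contained example (not rocket_contrib's code; all types here are constructed stand-ins with the same names as the page's policy types) that models the same design: each policy type knows its header name and renders its own value, a helmet holds one policy per header, and `default()`, `enable` and `disable::<T>()` chain exactly as in the usage section. Header values and the default set (NoSniff, Frame::Deny, XssFilter::Enable) follow the page's table; the rule that a header already set by the handler is left untouched is an assumption of this example.

```rust
use std::collections::BTreeMap;

/// A security header policy: it knows its header name and renders its value.
/// Constructed stand-in for the page's `Policy` trait, not rocket_contrib's.
pub trait Policy {
    const NAME: &'static str;
    fn header_value(&self) -> String;
}

pub enum Frame { Deny, SameOrigin, AllowFrom(String) }
impl Policy for Frame {
    const NAME: &'static str = "X-Frame-Options";
    fn header_value(&self) -> String {
        match self {
            Frame::Deny => "DENY".into(),
            Frame::SameOrigin => "SAMEORIGIN".into(),
            Frame::AllowFrom(uri) => format!("ALLOW-FROM {}", uri),
        }
    }
}

pub enum XssFilter { Disable, Enable, EnableBlock, EnableReport(String) }
impl Policy for XssFilter {
    const NAME: &'static str = "X-XSS-Protection";
    fn header_value(&self) -> String {
        match self {
            XssFilter::Disable => "0".into(),
            XssFilter::Enable => "1".into(),
            XssFilter::EnableBlock => "1; mode=block".into(),
            XssFilter::EnableReport(uri) => format!("1; report={}", uri),
        }
    }
}

pub struct NoSniff;
impl Policy for NoSniff {
    const NAME: &'static str = "X-Content-Type-Options";
    fn header_value(&self) -> String { "nosniff".into() }
}

/// HSTS with max-age in seconds; `Preload` also implies includeSubDomains.
pub enum Hsts { Enable(u64), IncludeSubDomains(u64), Preload(u64) }
impl Policy for Hsts {
    const NAME: &'static str = "Strict-Transport-Security";
    fn header_value(&self) -> String {
        match self {
            Hsts::Enable(s) => format!("max-age={}", s),
            Hsts::IncludeSubDomains(s) => format!("max-age={}; includeSubDomains", s),
            Hsts::Preload(s) => format!("max-age={}; includeSubDomains; preload", s),
        }
    }
}

/// One rendered value per header name; chainable like `SpaceHelmet`.
pub struct Helmet { headers: BTreeMap<&'static str, String> }

impl Helmet {
    /// An empty helmet that sets no headers at all.
    pub fn new() -> Self { Helmet { headers: BTreeMap::new() } }
    /// Enabling a policy replaces any earlier policy for the same header.
    pub fn enable<P: Policy>(mut self, policy: P) -> Self {
        self.headers.insert(P::NAME, policy.header_value());
        self
    }
    /// Disabling is keyed by policy type, hence the turbofish at the call site.
    pub fn disable<P: Policy>(mut self) -> Self {
        self.headers.remove(P::NAME);
        self
    }
    /// Apply to a response's header map. Assumption of this example: a header
    /// the handler already set wins over the helmet's value.
    pub fn apply(&self, response: &mut BTreeMap<String, String>) {
        for (name, value) in &self.headers {
            response.entry((*name).to_string()).or_insert_with(|| value.clone());
        }
    }
}

/// The page's default set: NoSniff, Frame (Deny) and XssFilter (Enable).
impl Default for Helmet {
    fn default() -> Self {
        Helmet::new().enable(NoSniff).enable(Frame::Deny).enable(XssFilter::Enable)
    }
}

fn main() {
    let helmet = Helmet::default()
        .enable(Hsts::IncludeSubDomains(31_536_000))
        .enable(Frame::AllowFrom("https://mysite.example.com".into()))
        .disable::<NoSniff>();
    // Constructed response whose handler already chose its own framing policy.
    let mut response = BTreeMap::new();
    response.insert("X-Frame-Options".to_string(), "SAMEORIGIN".to_string());
    helmet.apply(&mut response);
    for (name, value) in &response {
        println!("{}: {}", name, value);
    }
}
```

Running `main` prints the HSTS and XSS headers added by the helmet while the handler's own `X-Frame-Options: SAMEORIGIN` survives and no `X-Content-Type-Options` appears, which is the behaviour to check for in integration tests against the real fairing: assert on the final response headers, not on the helmet configuration alone.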

§FAQ

  • Which policies should I choose?

    See the documentation of the individual policy types listed in the table above. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.

  • Do I need any headers beyond what SpaceHelmet enables by default?

    Maybe! The other headers can protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.

§Structs

  • SpaceHelmet: A Fairing that adds HTTP headers to outgoing responses that control security features on the browser.

§Enums

§Traits

  • Policy: Trait implemented by security and privacy policy headers.