Security and privacy headers for all outgoing responses.
SpaceHelmet provides a typed interface for HTTP security headers. It takes some inspiration from helmetjs, a similar piece of middleware for express.
§Enabling
This module is only available when the helmet feature is enabled. Enable it in Cargo.toml as follows:

```toml
[dependencies.rocket_contrib]
version = "0.4.11"
default-features = false
features = ["helmet"]
```
§Supported Headers
HTTP Header | Description | Policy | Default? |
---|---|---|---|
X-XSS-Protection | Prevents some reflected XSS attacks. | XssFilter | ✔ |
X-Content-Type-Options | Prevents client sniffing of MIME type. | NoSniff | ✔ |
X-Frame-Options | Prevents clickjacking. | Frame | ✔ |
Strict-Transport-Security | Enforces strict use of HTTPS. | Hsts | ? |
Expect-CT | Enables certificate transparency. | ExpectCt | ✗ |
Referrer-Policy | Enables referrer policy. | Referrer | ✗ |
? If TLS is enabled when the application is launched, in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued.
§Usage
To apply default headers, simply attach an instance of SpaceHelmet before launching:

```rust
use rocket_contrib::helmet::SpaceHelmet;

// Attach the fairing with its default policies; every outgoing response then
// carries the headers marked as default in the table above.
let rocket = rocket::ignite().attach(SpaceHelmet::default());
```
Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of SpaceHelmet:
```rust
use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();

let helmet = SpaceHelmet::default()
    // Set HSTS explicitly instead of relying on the TLS auto-enable rule.
    .enable(Hsts::default())
    // Permit framing only from this origin (ALLOW-FROM; see the FAQ caveat).
    .enable(Frame::AllowFrom(site_uri))
    // Ask the browser to report detected reflected XSS to this URI.
    .enable(XssFilter::EnableReport(report_uri))
    // Stop emitting X-Content-Type-Options.
    .disable::<NoSniff>();
```
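Configuration alone does not prove what a deployment sends. As an added example (not code from rocket_contrib or Rocket), the stand-alone Rust program below audits the header block of an HTTP response against the set of headers SpaceHelmet manages: it reports a header the fairing would normally set as missing, and a present header whose value gives little protection (a non-`nosniff` token, the obsolete ALLOW-FROM framing form, or an HSTS max-age under six months) as weak. The two sample responses, the `Finding` type, the `MIN_HSTS_MAX_AGE` threshold and every function name are constructed for this example.

```rust
// Added example, not part of rocket_contrib: audit the header block of an HTTP
// response against the headers SpaceHelmet manages, so a deployment is checked
// from what it actually sends rather than from its configuration. Both sample
// responses are constructed for this example, not captured from a real server.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// A header SpaceHelmet would normally set is absent.
    Missing(&'static str),
    /// The header is present but its value offers little protection.
    Weak(&'static str, String),
}

/// Constructed sample: the headers a default `SpaceHelmet` emits, with HSTS as
/// auto-enabled over TLS outside development (a one-year max-age here).
pub const SAMPLE_DEFAULTS: &str = "HTTP/1.1 200 OK\r\n\
    Content-Type: text/html; charset=utf-8\r\n\
    X-XSS-Protection: 1; mode=block\r\n\
    X-Content-Type-Options: nosniff\r\n\
    X-Frame-Options: SAMEORIGIN\r\n\
    Strict-Transport-Security: max-age=31536000\r\n\
    \r\n";

/// Constructed sample of a weakened configuration: NoSniff disabled, ALLOW-FROM
/// framing, and an HSTS lifetime of one day.
pub const SAMPLE_WEAK: &str = "HTTP/1.1 200 OK\r\n\
    X-XSS-Protection: 1; report=https://report.example.com\r\n\
    X-Frame-Options: ALLOW-FROM https://mysite.example.com\r\n\
    Strict-Transport-Security: max-age=86400\r\n\
    \r\n";

/// Six months in seconds. Shorter HSTS lifetimes lapse between visits; the
/// browser preload lists require a full year (31536000).
pub const MIN_HSTS_MAX_AGE: u64 = 15_768_000;

/// Parse an HTTP/1.x response head into a map keyed by lowercase header name.
/// Repeated headers are joined with ", ", as the HTTP specs permit.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    let mut map: HashMap<String, String> = HashMap::new();
    for line in raw.lines().skip(1) {
        if line.is_empty() {
            break; // blank line terminates the header block
        }
        if let Some((name, value)) = line.split_once(':') {
            let entry = map.entry(name.trim().to_ascii_lowercase()).or_default();
            if !entry.is_empty() {
                entry.push_str(", ");
            }
            entry.push_str(value.trim());
        }
    }
    map
}

/// Extract `max-age=N` from a Strict-Transport-Security value, if well-formed.
pub fn hsts_max_age(value: &str) -> Option<u64> {
    value.split(';').find_map(|directive| {
        let (key, val) = directive.trim().split_once('=')?;
        if key.trim().eq_ignore_ascii_case("max-age") {
            val.trim().parse().ok()
        } else {
            None
        }
    })
}

/// Check the headers SpaceHelmet manages. `over_tls` controls whether HSTS is
/// expected, mirroring the module's own auto-enable rule.
pub fn audit(headers: &HashMap<String, String>, over_tls: bool) -> Vec<Finding> {
    let mut findings = Vec::new();
    let get = |name: &str| headers.get(&name.to_ascii_lowercase()).map(|v| v.trim());
    let mut check = |name: &'static str, ok: &dyn Fn(&str) -> bool| match get(name) {
        None => findings.push(Finding::Missing(name)),
        Some(v) if !ok(v) => findings.push(Finding::Weak(name, v.to_string())),
        Some(_) => {}
    };

    // NoSniff: only the literal token `nosniff` has any effect.
    check("X-Content-Type-Options", &|v| v.eq_ignore_ascii_case("nosniff"));
    // Frame: DENY and SAMEORIGIN are honoured everywhere; ALLOW-FROM is obsolete
    // and ignored by current browsers, so it is reported as weak.
    check("X-Frame-Options", &|v| {
        matches!(v.to_ascii_uppercase().as_str(), "DENY" | "SAMEORIGIN")
    });
    // Hsts: only meaningful over TLS, and only with a long enough max-age.
    if over_tls {
        check("Strict-Transport-Security", &|v| {
            hsts_max_age(v).map_or(false, |age| age >= MIN_HSTS_MAX_AGE)
        });
    }
    // XssFilter: a legacy header; only its absence is noted.
    check("X-XSS-Protection", &|_| true);
    findings
}

fn main() {
    let samples = [("default policies", SAMPLE_DEFAULTS), ("weakened policies", SAMPLE_WEAK)];
    for &(label, raw) in samples.iter() {
        let findings = audit(&parse_headers(raw), true);
        println!("{}: {} finding(s)", label, findings.len());
        for f in &findings {
            println!("  {:?}", f);
        }
    }
}
```

Run stand-alone, the program reports no findings for the default sample and three for the weakened one (missing X-Content-Type-Options, weak X-Frame-Options, weak Strict-Transport-Security). In a real project the same `audit` function can be fed headers obtained from Rocket's local testing client (`rocket::local::Client` in 0.4), so the chosen policies are verified by a test rather than assumed from the builder chain.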
§FAQ
- Which policies should I choose?

  See the table above and each header's own documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers. Bear in mind that X-XSS-Protection and the ALLOW-FROM form of X-Frame-Options are legacy mechanisms that current browsers largely ignore; neither is a substitute for output encoding against reflected XSS or for a Content-Security-Policy frame-ancestors directive against clickjacking.

- Do I need any headers beyond what SpaceHelmet enables by default?

  Maybe! The other headers can protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.
Structs§
- SpaceHelmet: A Fairing that adds HTTP headers to outgoing responses that control security features on the browser.
Enums§
- ExpectCt: The Expect-CT header: enables Certificate Transparency to detect and prevent misuse of TLS certificates.
- Frame: The X-Frame-Options header: helps prevent clickjacking attacks.
- Hsts: The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.
- Referrer: The Referrer-Policy header: controls the value set by the browser for the Referer header.
- XssFilter: The X-XSS-Protection header: filters some forms of reflected XSS attacks.
Traits§
- Trait implemented by security and privacy policy headers.