Module rocket_contrib::helmet

Expand description

Security and privacy headers for all outgoing responses.

SpaceHelmet provides a typed interface for HTTP security headers. It takes some inspiration from helmetjs, a similar piece of middleware for express.

§Enabling

This module is only available when the helmet feature is enabled. Enable it in Cargo.toml as follows:

[dependencies.rocket_contrib]
version = "0.4.11"
default-features = false
features = ["helmet"]

§Supported Headers

HTTP Header	Description	Policy	Default?
X-XSS-Protection	Prevents some reflected XSS attacks.	`XssFilter`	✔
X-Content-Type-Options	Prevents client sniffing of MIME type.	`NoSniff`	✔
X-Frame-Options	Prevents clickjacking.	`Frame`	✔
Strict-Transport-Security	Enforces strict use of HTTPS.	`Hsts`	?
Expect-CT	Enables certificate transparency.	`ExpectCt`	✗
Referrer-Policy	Enables referrer policy.	`Referrer`	✗

? If TLS is enabled when the application is launched, in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued.

§Usage

To apply default headers, simply attach an instance of SpaceHelmet before launching:

use rocket_contrib::helmet::SpaceHelmet;

let rocket = rocket::ignite().attach(SpaceHelmet::default());

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of SpaceHelmet:

use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();
let helmet = SpaceHelmet::default()
    .enable(Hsts::default())
    .enable(Frame::AllowFrom(site_uri))
    .enable(XssFilter::EnableReport(report_uri))
    .disable::<NoSniff>();

§FAQ

Which policies should I choose?

See the links in the table above for individual header documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.
Do I need any headers beyond what SpaceHelmet enables by default?

Maybe! The other headers can protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.

Structs§

SpaceHelmet
A Fairing that adds HTTP headers to outgoing responses that control security features on the browser.

Enums§

ExpectCt
The Expect-CT header: enables Certificate Transparency to detect and prevent misuse of TLS certificates.
Frame
The X-Frame-Options header: helps prevent clickjacking attacks.
Hsts
The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.
NoSniff
The X-Content-Type-Options header: turns off mime sniffing which can prevent certain attacks.
Referrer
The Referrer-Policy header: controls the value set by the browser for the Referer header.
XssFilter
The X-XSS-Protection header: filters some forms of reflected XSS attacks.

Traits§

Policy
Trait implemented by security and privacy policy headers.

Module rocket_contrib::helmetCopy item path