[][src]Module rocket_contrib::helmet

Security and privacy headers for all outgoing responses.

SpaceHelmet provides a typed interface for HTTP security headers. It takes some inspiration from helmetjs, a similar piece of middleware for express.

Enabling

This module is only available when the helmet feature is enabled. Enable it in Cargo.toml as follows:

[dependencies.rocket_contrib]
version = "0.4.5"
default-features = false
features = ["helmet"]

Supported Headers

HTTP HeaderDescriptionPolicyDefault?
X-XSS-ProtectionPrevents some reflected XSS attacks.XssFilter
X-Content-Type-OptionsPrevents client sniffing of MIME type.NoSniff
X-Frame-OptionsPrevents clickjacking.Frame
Strict-Transport-SecurityEnforces strict use of HTTPS.Hsts?
Expect-CTEnables certificate transparency.ExpectCt
Referrer-PolicyEnables referrer policy.Referrer

? If TLS is enabled when the application is launched, in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued.

Usage

To apply default headers, simply attach an instance of SpaceHelmet before launching:

use rocket_contrib::helmet::SpaceHelmet;

let rocket = rocket::ignite().attach(SpaceHelmet::default());

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of SpaceHelmet:

use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();
let helmet = SpaceHelmet::default()
    .enable(Hsts::default())
    .enable(Frame::AllowFrom(site_uri))
    .enable(XssFilter::EnableReport(report_uri))
    .disable::<NoSniff>();

FAQ

Structs

SpaceHelmet

A Fairing that adds HTTP headers to outgoing responses that control security features on the browser.

Enums

ExpectCt

The Expect-CT header: enables Certificate Transparency to detect and prevent misuse of TLS certificates.

Frame

The X-Frame-Options header: helps prevent clickjacking attacks.

Hsts

The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

NoSniff

The X-Content-Type-Options header: turns off mime sniffing which can prevent certain attacks.

Referrer

The Referrer-Policy header: controls the value set by the browser for the Referer header.

XssFilter

The X-XSS-Protection header: filters some forms of reflected XSS attacks.

Traits

Policy

Trait implemented by security and privacy policy headers.