Module rocket_contrib::helmet

Security and privacy headers for all outgoing responses.

SpaceHelmet provides a typed interface for HTTP security headers. It takes some inspiration from helmetjs, a similar piece of middleware for express.


Enabling

This module is only available when the helmet feature is enabled. Enable it in Cargo.toml as follows:

[dependencies.rocket_contrib]
version = "0.4.7"
default-features = false
features = ["helmet"]

Supported Headers

HTTP Header                  Description                              Policy Type   Default?
X-XSS-Protection             Prevents some reflected XSS attacks.     XssFilter     ✔
X-Content-Type-Options       Prevents client sniffing of MIME type.   NoSniff       ✔
X-Frame-Options              Prevents clickjacking.                   Frame         ✔
Strict-Transport-Security    Enforces strict use of HTTPS.            Hsts          ?
Expect-CT                    Enables certificate transparency.        ExpectCt      ✗
Referrer-Policy              Enables referrer policy.                 Referrer      ✗

? If TLS is enabled when the application is launched, in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued.
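Whether these headers actually reach clients is best confirmed against a real response (for example the head captured with curl -sI). The following is an added Rust example, not part of rocket_contrib, that parses a constructed HTTP response head, reports which of the six helmet-managed headers above are absent, and checks that Strict-Transport-Security carries a max-age directive. The sample response is constructed here to resemble a SpaceHelmet::default() deployment behind TLS where HSTS was auto-enabled; the only managed headers it lacks are the two that are off by default.

```rust
use std::collections::HashMap;

/// The six headers SpaceHelmet can manage (see the table above).
const HELMET_HEADERS: [&str; 6] = [
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Expect-CT",
    "Referrer-Policy",
];

/// Parses the header block of a raw HTTP/1.x response head. Field names are
/// lower-cased because HTTP header names are case-insensitive.
fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.lines()
        .skip(1) // status line
        .take_while(|l| !l.trim().is_empty()) // headers end at the blank line
        .filter_map(|l| {
            let (name, value) = l.split_once(':')?;
            Some((name.trim().to_ascii_lowercase(), value.trim().to_string()))
        })
        .collect()
}

/// Returns the helmet-managed headers that the response does not carry.
fn missing_headers(headers: &HashMap<String, String>) -> Vec<&'static str> {
    HELMET_HEADERS
        .iter()
        .copied()
        .filter(|h| !headers.contains_key(&h.to_ascii_lowercase()))
        .collect()
}

/// Extracts the max-age directive from the HSTS header, or None when the
/// header is absent or carries no usable max-age.
fn hsts_max_age(headers: &HashMap<String, String>) -> Option<u64> {
    let value = headers.get("strict-transport-security")?;
    value
        .split(';')
        .map(str::trim)
        .find_map(|d| d.strip_prefix("max-age=")?.parse::<u64>().ok())
}

/// Constructed sample response head (not a real capture): the three default
/// headers plus an auto-enabled HSTS, with one header name in lower case.
const SAMPLE: &str = "HTTP/1.1 200 OK\r\n\
    Content-Type: text/html; charset=utf-8\r\n\
    X-Frame-Options: SAMEORIGIN\r\n\
    X-XSS-Protection: 1; mode=block\r\n\
    x-content-type-options: nosniff\r\n\
    Strict-Transport-Security: max-age=31536000\r\n\
    \r\n\
    <html>...</html>";

fn main() {
    let headers = parse_headers(SAMPLE);
    for h in missing_headers(&headers) {
        println!("missing: {}", h);
    }
    match hsts_max_age(&headers) {
        Some(secs) => println!("HSTS max-age: {} seconds", secs),
        None => println!("HSTS absent or without max-age"),
    }
}
```

A header that is present but malformed (an HSTS value without max-age, for instance) is not reported as missing, which is why the max-age check is separate from the presence check.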


Usage

To apply the default headers, attach an instance of SpaceHelmet before launching:

use rocket_contrib::helmet::SpaceHelmet;

let rocket = rocket::ignite().attach(SpaceHelmet::default());

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of SpaceHelmet:

use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

// Placeholder hosts: substitute the origin allowed to frame your pages and
// the endpoint that should receive XSS filter reports.
let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();
let helmet = SpaceHelmet::default()
    .enable(Hsts::default())
    .enable(Frame::AllowFrom(site_uri))
    .enable(XssFilter::EnableReport(report_uri))
    .disable::<NoSniff>();
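To make the enable()/disable() semantics concrete, here is an added, stand-alone Rust model of the same design. It is example code, not rocket_contrib's implementation: the Policy trait, the Helmet type, the policy variants and the header values are this example's own. It shows three things a practitioner relies on: a policy type maps to exactly one header, so enabling a second policy of the same type replaces the first rather than emitting a duplicate header; disable::<P>() removes that header entirely; and applying the helmet leaves a header the route handler already set untouched (SpaceHelmet behaves the same way, refusing to overwrite an existing header and logging a warning).

```rust
use std::collections::BTreeMap;

/// A policy renders to exactly one header. The header name is fixed per
/// type, so enabling a policy of an already-enabled type replaces it.
/// (Illustrative model; not the rocket_contrib::helmet trait.)
trait Policy {
    const NAME: &'static str;
    fn value(&self) -> String;
}

enum Frame { Deny, SameOrigin, AllowFrom(String) }
impl Policy for Frame {
    const NAME: &'static str = "X-Frame-Options";
    fn value(&self) -> String {
        match self {
            Frame::Deny => "DENY".into(),
            Frame::SameOrigin => "SAMEORIGIN".into(),
            Frame::AllowFrom(uri) => format!("ALLOW-FROM {}", uri),
        }
    }
}

struct Hsts { max_age_secs: u64, include_subdomains: bool }
impl Policy for Hsts {
    const NAME: &'static str = "Strict-Transport-Security";
    fn value(&self) -> String {
        let mut v = format!("max-age={}", self.max_age_secs);
        if self.include_subdomains {
            v.push_str("; includeSubDomains");
        }
        v
    }
}

enum NoSniff { Enable }
impl Policy for NoSniff {
    const NAME: &'static str = "X-Content-Type-Options";
    fn value(&self) -> String { "nosniff".into() }
}

enum XssFilter { Disable, Enable, EnableBlock, EnableReport(String) }
impl Policy for XssFilter {
    const NAME: &'static str = "X-XSS-Protection";
    fn value(&self) -> String {
        match self {
            XssFilter::Disable => "0".into(),
            XssFilter::Enable => "1".into(),
            XssFilter::EnableBlock => "1; mode=block".into(),
            XssFilter::EnableReport(uri) => format!("1; report={}", uri),
        }
    }
}

/// Enabled policies keyed by header name: one policy per header.
#[derive(Default)]
struct Helmet { policies: BTreeMap<&'static str, String> }

impl Helmet {
    /// Enables `p`, replacing any policy of the same type.
    fn enable<P: Policy>(mut self, p: P) -> Self {
        self.policies.insert(P::NAME, p.value());
        self
    }
    /// Removes the policy of type `P`, so its header is no longer emitted.
    fn disable<P: Policy>(mut self) -> Self {
        self.policies.remove(P::NAME);
        self
    }
    /// Adds each enabled header to the response unless the handler already
    /// set it (case-insensitively); the handler's explicit value wins.
    fn apply(&self, headers: &mut BTreeMap<String, String>) {
        for (name, value) in &self.policies {
            let already_set = headers.keys().any(|k| k.eq_ignore_ascii_case(name));
            if !already_set {
                headers.insert(name.to_string(), value.clone());
            }
        }
    }
}

fn main() {
    let helmet = Helmet::default()
        .enable(NoSniff::Enable)
        .enable(Frame::SameOrigin)
        .enable(XssFilter::EnableBlock)
        // Same type as the Frame above: replaces SAMEORIGIN, no duplicate header.
        .enable(Frame::AllowFrom("https://mysite.example.com".into()))
        .enable(Hsts { max_age_secs: 31_536_000, include_subdomains: true })
        .disable::<NoSniff>();

    let mut headers = BTreeMap::new();
    // A header the route handler set explicitly; the helmet must not clobber it.
    headers.insert("X-Frame-Options".to_string(), "DENY".to_string());
    helmet.apply(&mut headers);
    for (name, value) in &headers {
        println!("{}: {}", name, value);
    }
}
```

The real fairing applies the same replace-by-type rule, which is why the page's example can call enable(Hsts::default()) on top of SpaceHelmet::default() without producing two Strict-Transport-Security headers.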
Structs

SpaceHelmet
    A Fairing that adds HTTP headers to outgoing responses that control security features in the browser.

Enums

ExpectCt
    The Expect-CT header: enables Certificate Transparency to detect and prevent misuse of TLS certificates.

Frame
    The X-Frame-Options header: helps prevent clickjacking attacks.

Hsts
    The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

NoSniff
    The X-Content-Type-Options header: turns off MIME sniffing, which can prevent certain attacks.

Referrer
    The Referrer-Policy header: controls the value set by the browser for the Referer header.

XssFilter
    The X-XSS-Protection header: filters some forms of reflected XSS attacks. Note that current Chromium-based browsers have removed their XSS auditor and Firefox never implemented one, so this header only has an effect in older browsers.

Traits

Policy
    Trait implemented by security and privacy policy headers.