Module rocket_contrib::helmet

Security and privacy headers for all outgoing responses.

SpaceHelmet provides a typed interface for HTTP security headers: each header is represented by a policy type, and the fairing adds the corresponding header to every outgoing response. It takes some inspiration from helmetjs, a similar piece of middleware for Express.

Enabling

This module is only available when the helmet feature is enabled. Enable it in Cargo.toml as follows:

[dependencies.rocket_contrib]
version = "0.4.0"
default-features = false
features = ["helmet"]

Supported Headers

HTTP Header                 Description                                                  Policy     Default?
X-XSS-Protection            Prevents some reflected XSS attacks.                         XssFilter  yes
X-Content-Type-Options      Prevents client sniffing of the MIME type.                   NoSniff    yes
X-Frame-Options             Prevents clickjacking.                                       Frame      yes
Strict-Transport-Security   Enforces strict use of HTTPS.                                Hsts       ?
Expect-CT                   Enables Certificate Transparency enforcement or reporting.   ExpectCt   no
Referrer-Policy             Controls what the browser sends in the Referer header.       Referrer   no

? Hsts is not part of SpaceHelmet::default(). If TLS is enabled when the application is launched in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued; enable Hsts explicitly to choose the policy and silence the warning.

Usage

To apply the default policies (NoSniff, Frame and XssFilter), attach an instance of SpaceHelmet before launching:

use rocket_contrib::helmet::SpaceHelmet;

let rocket = rocket::ignite().attach(SpaceHelmet::default());

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in a configured policy value; enabling a policy that is already enabled replaces it. To disable a header, call the chainable disable() method with the policy type as a type parameter:

use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

// Uri::parse returns a Result; these literals are well-formed, so unwrap is safe here.
let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();
let helmet = SpaceHelmet::default()
    .enable(Hsts::default())                     // HSTS with the policy's default max-age
    .enable(Frame::AllowFrom(site_uri))          // replaces the default Frame policy
    .enable(XssFilter::EnableReport(report_uri)) // replaces the default XssFilter policy
    .disable::<NoSniff>();                       // drop X-Content-Type-Options entirely

let rocket = rocket::ignite().attach(helmet);
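Attaching the fairing is only half the job; a practitioner will want to confirm what actually reaches the client. The following is an added example, not code from rocket_contrib or Rocket: it parses the head of a captured HTTP response (constructed here by hand to look like `curl -i` output from an app running the defaults plus Hsts over TLS; the exact header values are assumptions, not recorded Rocket output) and audits it against the policies the table above lists. It also encodes two caveats the page's policy list does not spell out: browsers only honour Strict-Transport-Security on an HTTPS response, so a missing HSTS header is a finding only when the response was fetched over TLS, and the ALLOW-FROM form of X-Frame-Options is obsolete and ignored by current browsers, so the audit flags it rather than accepting it. The threshold `min_hsts_secs` is a parameter of this example, not a Rocket setting.

```rust
// Added example (not part of rocket_contrib): audit a captured HTTP
// response for the headers SpaceHelmet is expected to set.
use std::collections::HashMap;

/// Minimal parser for the head of an HTTP/1.1 response: returns the
/// status line and a map of lowercased header names to values.
fn parse_response_head(raw: &str) -> (String, HashMap<String, String>) {
    let mut lines = raw.lines();
    let status = lines.next().unwrap_or("").trim().to_string();
    let mut headers = HashMap::new();
    for line in lines {
        if line.is_empty() {
            break; // blank line ends the header block; body follows
        }
        if let Some((name, value)) = line.split_once(':') {
            headers.insert(name.trim().to_ascii_lowercase(), value.trim().to_string());
        }
    }
    (status, headers)
}

/// Extract the max-age directive from an HSTS value such as
/// "max-age=31536000; includeSubDomains". None if absent or malformed.
fn hsts_max_age(value: &str) -> Option<u64> {
    value.split(';').map(str::trim).find_map(|directive| {
        let (key, val) = directive.split_once('=')?;
        if key.trim().eq_ignore_ascii_case("max-age") {
            val.trim().parse::<u64>().ok()
        } else {
            None
        }
    })
}

/// Check the security headers and return one finding per problem.
/// `over_tls` is true when the response was fetched over HTTPS; browsers
/// ignore HSTS on plain HTTP, so it is only required on TLS responses.
fn audit_headers(headers: &HashMap<String, String>, over_tls: bool, min_hsts_secs: u64) -> Vec<String> {
    let mut findings = Vec::new();

    match headers.get("x-content-type-options") {
        Some(v) if v.eq_ignore_ascii_case("nosniff") => {}
        Some(v) => findings.push(format!("X-Content-Type-Options has unexpected value {:?}", v)),
        None => findings.push("X-Content-Type-Options missing (NoSniff disabled?)".to_string()),
    }

    match headers.get("x-frame-options") {
        Some(v) if v.eq_ignore_ascii_case("DENY") || v.eq_ignore_ascii_case("SAMEORIGIN") => {}
        // ALLOW-FROM is obsolete and ignored by current browsers, so it offers no protection.
        Some(v) if v.to_ascii_uppercase().starts_with("ALLOW-FROM") => findings.push(
            "X-Frame-Options uses ALLOW-FROM, which current browsers ignore; use SAMEORIGIN or DENY".to_string(),
        ),
        Some(v) => findings.push(format!("X-Frame-Options has unexpected value {:?}", v)),
        None => findings.push("X-Frame-Options missing (Frame disabled?)".to_string()),
    }

    match headers.get("x-xss-protection") {
        Some(v) if v.starts_with('1') => {}
        Some(v) => findings.push(format!("X-XSS-Protection is {:?}; filter not enabled", v)),
        None => findings.push("X-XSS-Protection missing (XssFilter disabled?)".to_string()),
    }

    match headers.get("strict-transport-security") {
        Some(v) => match hsts_max_age(v) {
            Some(secs) if secs >= min_hsts_secs => {}
            Some(secs) => findings.push(format!("HSTS max-age={} is below the required {}", secs, min_hsts_secs)),
            None => findings.push(format!("HSTS value {:?} has no parseable max-age", v)),
        },
        None if over_tls => findings.push("Strict-Transport-Security missing on a TLS response".to_string()),
        None => {} // not fetched over TLS: browsers would ignore HSTS here anyway
    }

    if !headers.contains_key("referrer-policy") {
        findings.push("Referrer-Policy not set (Referrer is off by default)".to_string());
    }
    findings
}

/// Constructed sample (an assumption, not recorded output): roughly what a
/// response from SpaceHelmet::default().enable(Hsts::default()) could look like.
const SAMPLE_RESPONSE: &str = "HTTP/1.1 200 OK\r\n\
Content-Type: text/html; charset=utf-8\r\n\
X-Content-Type-Options: nosniff\r\n\
X-Frame-Options: SAMEORIGIN\r\n\
X-XSS-Protection: 1; mode=block\r\n\
Strict-Transport-Security: max-age=31536000\r\n\
Content-Length: 0\r\n\
\r\n";

fn main() {
    let (status, headers) = parse_response_head(SAMPLE_RESPONSE);
    println!("{}", status);
    for finding in audit_headers(&headers, true, 31_536_000) {
        println!("FINDING: {}", finding);
    }
}
```

Run it against real output by pasting the head of `curl -i https://your-host/` into SAMPLE_RESPONSE. Note that X-XSS-Protection is checked only for presence of the `1` form: the audit cannot tell you whether a given browser still implements the filter, and most current browsers have removed it, so the header is not a substitute for output encoding on the server side.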

Structs

SpaceHelmet

A Fairing that adds HTTP headers to outgoing responses that control security features on the browser.

Enums

ExpectCt

The Expect-CT header: enables Certificate Transparency to detect and prevent misuse of TLS certificates.

Frame

The X-Frame-Options header: helps prevent clickjacking attacks.

Hsts

The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

NoSniff

The X-Content-Type-Options header: turns off MIME sniffing, which can prevent certain attacks.

Referrer

The Referrer-Policy header: controls the value set by the browser for the Referer header.

XssFilter

The X-XSS-Protection header: filters some forms of reflected XSS attacks.

Traits

Policy

Trait implemented by security and privacy policy headers.