Module shield

Security and privacy headers for all outgoing responses.

The Shield fairing provides a typed interface for injecting HTTP security and privacy headers into all outgoing responses. It takes some inspiration from helmetjs, a similar piece of middleware for express.

§Supported Headers

| HTTP Header               | Description                            | Policy     | Default? |
| ------------------------- | -------------------------------------- | ---------- | -------- |
| X-XSS-Protection          | Prevents some reflected XSS attacks.   | XssFilter  | no       |
| X-Content-Type-Options    | Prevents client sniffing of MIME type. | NoSniff    | yes      |
| X-Frame-Options           | Prevents clickjacking.                 | Frame      | yes      |
| Strict-Transport-Security | Enforces strict use of HTTPS.          | Hsts       | no (*)   |
| Expect-CT                 | Enables certificate transparency.      | ExpectCt   | no       |
| Referrer-Policy           | Enables referrer policy.               | Referrer   | no       |
| X-DNS-Prefetch-Control    | Controls browser DNS prefetching.      | Prefetch   | no       |
| Permissions-Policy        | Allows or blocks browser features.     | Permission | yes      |

(*) If TLS is enabled in a non-debug profile, HSTS is automatically enabled with its default policy and a warning is logged at liftoff.

§Usage

By default, Shield::default() is attached to all instances of Rocket. To change the defaults, including removing all Shield headers, attach a configured instance of Shield instead:

use rocket::shield::Shield;

#[launch]
fn rocket() -> _ {
    // Remove all `Shield` headers.
    rocket::build().attach(Shield::new())
}

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of Shield, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of Shield:

#[macro_use] extern crate rocket;
use time::Duration;

use rocket::shield::{Shield, Referrer, Prefetch, ExpectCt, NoSniff};

// Endpoint that receives Expect-CT violation reports.
let report_uri = uri!("https://report.rocket.rs");
let shield = Shield::default()
    // Send no `Referer` header at all.
    .enable(Referrer::NoReferrer)
    // Ask browsers not to prefetch DNS for links on the page.
    .enable(Prefetch::Off)
    // Enforce certificate transparency for 30 days and report violations.
    .enable(ExpectCt::ReportAndEnforce(Duration::days(30), report_uri))
    // Drop the `X-Content-Type-Options` header that `Shield::default()` sets.
    .disable::<NoSniff>();
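As an added example that is not part of Rocket's shield module or of this page: a stand-alone Rust audit that parses a captured response's raw header lines and reports which of the headers from the table above are missing or carry a weak policy, the check one would run against an application's responses after configuring Shield. The sample header block, the one-year HSTS threshold (`MIN_HSTS_MAX_AGE`), and the choice of which headers count as required are this example's own assumptions.

```rust
// Added example, not code from Rocket or from this page: audit a captured
// response's headers against the set that `Shield` manages. Header names are
// those of the table above; everything else here is this example's own choice.
use std::collections::HashMap;

/// Smallest HSTS max-age the audit accepts (one year): an assumption of this example.
pub const MIN_HSTS_MAX_AGE: u64 = 31_536_000;

/// Constructed sample: raw header lines as captured from a response (not real traffic).
pub const SAMPLE_RESPONSE_HEADERS: &str = "\
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=86400
Permissions-Policy: interest-cohort=()
";

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// A header the audit requires is absent.
    Missing(&'static str),
    /// The header is present but its (lower-cased) value is weaker than required.
    Weak(&'static str, String),
}

/// Parse `Name: value` lines into a map keyed by lower-cased header name.
pub fn parse_headers(raw: &str) -> HashMap<String, String> {
    raw.lines()
        .filter_map(|line| {
            let (name, value) = line.split_once(':')?;
            Some((name.trim().to_ascii_lowercase(), value.trim().to_string()))
        })
        .collect()
}

/// Extract the `max-age` directive of an HSTS value, if present and numeric.
pub fn hsts_max_age(value: &str) -> Option<u64> {
    value
        .split(';')
        .map(str::trim)
        .find_map(|directive| directive.strip_prefix("max-age=")?.trim().parse::<u64>().ok())
}

/// Check the headers `Shield` manages. `https` says whether the response was
/// served over TLS, since HSTS is only meaningful (and only sent by Shield) there.
pub fn audit(headers: &HashMap<String, String>, https: bool) -> Vec<Finding> {
    let mut findings = Vec::new();
    // Values are compared case-insensitively, as browsers treat them.
    let get = |name: &str| headers.get(name).map(|v| v.to_ascii_lowercase());

    match get("x-content-type-options") {
        None => findings.push(Finding::Missing("X-Content-Type-Options")),
        Some(v) if v != "nosniff" => findings.push(Finding::Weak("X-Content-Type-Options", v)),
        _ => {}
    }

    match get("x-frame-options") {
        None => findings.push(Finding::Missing("X-Frame-Options")),
        // Only DENY and SAMEORIGIN block framing by other origins.
        Some(v) if v != "deny" && v != "sameorigin" => {
            findings.push(Finding::Weak("X-Frame-Options", v))
        }
        _ => {}
    }

    if https {
        match get("strict-transport-security") {
            None => findings.push(Finding::Missing("Strict-Transport-Security")),
            Some(v) => match hsts_max_age(&v) {
                Some(age) if age >= MIN_HSTS_MAX_AGE => {}
                _ => findings.push(Finding::Weak("Strict-Transport-Security", v)),
            },
        }
    }

    // Headers this example requires to be present but does not inspect further.
    for name in ["Referrer-Policy", "Permissions-Policy"] {
        if !headers.contains_key(&name.to_ascii_lowercase()) {
            findings.push(Finding::Missing(name));
        }
    }

    findings
}

fn main() {
    let headers = parse_headers(SAMPLE_RESPONSE_HEADERS);
    for finding in audit(&headers, true) {
        println!("{finding:?}");
    }
}
```

Run against the constructed sample, the audit flags the short HSTS `max-age` and the missing `Referrer-Policy`; feeding it the headers of a response produced with the `Shield` configuration above would instead flag the disabled `X-Content-Type-Options`, which is the point of pairing the two: the policy list in code and the observed headers should agree.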

§FAQ

  • Which policies should I choose?

    See the links in the table above for individual header documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.

  • Do I need any headers beyond what Shield enables by default?

    Maybe! The other headers may protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.

Traits§

  • Policy: Trait implemented by security and privacy policy headers.