actix-web-helmet is a middleware for securing your Actix-Web application with various HTTP headers.
actix_web_helmet::Helmet is a middleware that can be used to set various HTTP headers that can help protect your app from well-known web vulnerabilities.
It is based on the Helmet middleware for Express.js.
§Usage
```rust
use actix_web::{get, App, HttpServer, Responder};
use actix_web_helmet::{Helmet, HelmetMiddleware};

#[get("/")]
async fn index() -> impl Responder {
    "Hello, World!"
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    // Helmet::default() carries the full default header set; converting it
    // into the middleware fails if any configured header name or value is not
    // a valid HTTP header.
    let helmet: HelmetMiddleware = Helmet::default().try_into().expect("valid headers");
    HttpServer::new(move || App::new().wrap(helmet.clone()).service(index))
        .bind(("127.0.0.1", 8080))?
        .run()
        .await
}
```

By default Helmet will set the following headers:
```
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
```

This is a reasonable starting point for most users, but it is highly recommended to spend some time with the documentation for each header and adjust the values to your application's needs.
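The `try_into().expect("valid headers")` step in the usage example fails when a configured value cannot become a valid HTTP header. The stand-in below, added here and not part of actix-web-helmet, serializes CSP directives in the layout of the default policy listed above and performs that validity check; `CspBuilder` and `CspError` are hypothetical names, not the crate's `ContentSecurityPolicy` type.

```rust
/// Why a policy cannot become a header value (stand-in for the crate's error case
/// "a header name or value cannot be converted to a valid HTTP header").
#[derive(Debug, PartialEq)]
pub enum CspError {
    NoDirectives,
    InvalidSource { directive: String, source: String },
}

/// Hypothetical builder: directives kept in insertion order, sources de-duplicated.
#[derive(Default)]
pub struct CspBuilder {
    directives: Vec<(String, Vec<String>)>,
}

impl CspBuilder {
    /// Add or extend a directive; an empty source list gives a bare directive
    /// such as `upgrade-insecure-requests`. Repeated calls merge, not replace.
    pub fn directive(mut self, name: &str, sources: &[&str]) -> Self {
        let idx = match self.directives.iter().position(|(n, _)| n == name) {
            Some(i) => i,
            None => {
                self.directives.push((name.to_string(), Vec::new()));
                self.directives.len() - 1
            }
        };
        let entry = &mut self.directives[idx].1;
        for s in sources {
            if !entry.iter().any(|e| e.as_str() == *s) {
                entry.push((*s).to_string());
            }
        }
        self
    }

    /// Serialize as `name src src; name ...`. A source is rejected when empty,
    /// when it contains a control or non-ASCII character (CR/LF would end the
    /// header line early), or when it contains the CSP separators ';' or ','.
    pub fn header_value(&self) -> Result<String, CspError> {
        if self.directives.is_empty() {
            return Err(CspError::NoDirectives);
        }
        let mut parts = Vec::with_capacity(self.directives.len());
        for (name, sources) in &self.directives {
            for src in sources {
                let bad = src.is_empty()
                    || src.chars().any(|c| !c.is_ascii_graphic() || c == ';' || c == ',');
                if bad {
                    return Err(CspError::InvalidSource { directive: name.clone(), source: src.clone() });
                }
            }
            parts.push(if sources.is_empty() { name.clone() } else { format!("{} {}", name, sources.join(" ")) });
        }
        Ok(parts.join("; "))
    }
}
```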
§Configuration
A Helmet built with `Helmet::new()` sets no headers at all (unlike `Helmet::default()`, which carries the default set listed above).
You can then configure exactly the headers you want by using the `add` method:
```rust
use actix_web::{get, App, HttpServer, Responder};
use actix_web_helmet::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet, HelmetMiddleware};

#[get("/")]
async fn index() -> impl Responder {
    "Hello, World!"
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    // Start from an empty policy set and add only the headers this app needs.
    let helmet: HelmetMiddleware = Helmet::new()
        .add(
            ContentSecurityPolicy::new()
                .child_src(vec!["'self'", "https://youtube.com"])
                .connect_src(vec!["'self'", "https://youtube.com"])
                .default_src(vec!["'self'", "https://youtube.com"])
                .font_src(vec!["'self'", "https://youtube.com"]),
        )
        .add(CrossOriginOpenerPolicy::same_origin_allow_popups())
        .try_into()
        .expect("valid headers");
    HttpServer::new(move || App::new().wrap(helmet.clone()).service(index))
        .bind(("127.0.0.1", 8080))?
        .run()
        .await
}
```

Structs§
- ContentSecurityPolicy - Manages the Content-Security-Policy header.
- Helmet - Helmet header configuration wrapper.
- HelmetMiddleware - The actix-web middleware created by converting a Helmet configuration.
- HelmetService
- OriginAgentCluster - Manages the Origin-Agent-Cluster header.
- StrictTransportSecurity - Manages the Strict-Transport-Security header.
- XPoweredBy - Manages the X-Powered-By header.
- XXSSProtection - Manages the X-XSS-Protection header.
Enums§
- CrossOriginEmbedderPolicy - Manages the Cross-Origin-Embedder-Policy header.
- CrossOriginOpenerPolicy - Manages the Cross-Origin-Opener-Policy header.
- CrossOriginResourcePolicy - Manages the Cross-Origin-Resource-Policy header.
- HelmetError - Error returned when a header name or value cannot be converted to a valid HTTP header.
- ReferrerPolicy - Manages the Referrer-Policy header.
- XContentTypeOptions - Manages the X-Content-Type-Options header.
- XDNSPrefetchControl - Manages the X-DNS-Prefetch-Control header.
- XDownloadOptions - Manages the X-Download-Options header.
- XFrameOptions - Manages the X-Frame-Options header.
- XPermittedCrossDomainPolicies - Manages the X-Permitted-Cross-Domain-Policies header.
Type Aliases§
- Header - Header trait.