Security headers middleware – a Helmet.js equivalent for arcly-http.
§Quick start
The default configuration applies the recommended OWASP header set
automatically. To customise, call configure once at server startup
(before App::launch):
```rust
use arcly_http::security::{configure, SecurityConfig, FrameOptions};

// Call once at startup, before App::launch.
configure(SecurityConfig {
    hsts_max_age: 0, // disable HSTS in dev
    frame_options: FrameOptions::SameOrigin,
    ..SecurityConfig::default()
});
```
§Headers emitted (defaults)
| Header | Default value |
|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | restrictive: camera, mic, geo, payment |
| Content-Security-Policy | default-src 'self' (relaxed for /docs) |
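
A deploy-time check for the defaults in the table above, as an added example in plain Rust (not arcly-http code): it audits a captured response's headers and flags a missing or shortened HSTS `max-age`, such as the dev setting from the Quick start reaching production. The names `get`, `hsts_max_age` and `audit` and the sample response are constructed; Permissions-Policy and X-XSS-Protection are not checked.

```rust
// Added example, not part of arcly-http; defaults are taken from the table above.
/// Case-insensitive header lookup (HTTP field names are case-insensitive).
fn get<'a>(headers: &[(&str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(k, _)| k.eq_ignore_ascii_case(name)).map(|&(_, v)| v.trim())
}

/// Extract `max-age` from a Strict-Transport-Security value.
fn hsts_max_age(value: &str) -> Option<u64> {
    value.split(';').find_map(|d| {
        let (k, v) = d.trim().split_once('=')?;
        if !k.trim().eq_ignore_ascii_case("max-age") { return None; }
        v.trim().trim_matches('"').parse::<u64>().ok()
    })
}

/// One finding per header that is missing or weaker than the documented default.
pub fn audit(headers: &[(&str, &str)]) -> Vec<String> {
    let mut out = Vec::new();
    match get(headers, "Strict-Transport-Security").map(hsts_max_age) {
        None => out.push("Strict-Transport-Security missing".to_string()),
        Some(None) => out.push("Strict-Transport-Security has no max-age".to_string()),
        Some(Some(n)) if n < 31_536_000 => out.push(format!("HSTS max-age={n} is below 31536000")),
        Some(Some(_)) => {}
    }
    for (name, want) in [("X-Content-Type-Options", "nosniff"),
                         ("Referrer-Policy", "strict-origin-when-cross-origin")] {
        match get(headers, name) {
            Some(v) if v.eq_ignore_ascii_case(want) => {}
            Some(v) => out.push(format!("{name}: got `{v}`, default is `{want}`")),
            None => out.push(format!("{name} missing")),
        }
    }
    match get(headers, "X-Frame-Options") { // DENY (default) or SameOrigin
        Some(v) if v.eq_ignore_ascii_case("DENY") || v.eq_ignore_ascii_case("SAMEORIGIN") => {}
        Some(v) => out.push(format!("X-Frame-Options: unexpected `{v}`")),
        None => out.push("X-Frame-Options missing".to_string()),
    }
    match get(headers, "Content-Security-Policy") {
        Some(v) if v.split(';').any(|d| d.trim().starts_with("default-src")) => {}
        Some(_) => out.push("Content-Security-Policy has no default-src".to_string()),
        None => out.push("Content-Security-Policy missing".to_string()),
    }
    out
}

fn main() {
    // Constructed, deliberately incomplete response (dev-like HSTS value).
    let dev = [("Strict-Transport-Security", "max-age=0"), ("X-Frame-Options", "SAMEORIGIN")];
    for finding in audit(&dev) { println!("{finding}"); }
}
```
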
Structs§
- SecurityConfig - Full security header configuration.
Enums§
- FrameOptions - Controls what X-Frame-Options header is emitted.
Functions§
- apply_security_headers - Apply all configured security headers to every response.
- configure - Install a custom security configuration.