http-security-headers 0.2.0

Type-safe, framework-agnostic HTTP security headers with Tower middleware support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

#![cfg(feature = "middleware")]

use std::convert::Infallible;
use std::sync::Arc;

use axum::{routing::get, Router};
use http::Request;
use http_security_headers::{Preset, SecurityHeadersLayer};
use tower::ServiceExt;

#[tokio::test]
async fn security_headers_layer_applies_headers_in_axum() {
    let config = Arc::new(Preset::Balanced.build());
    let app = Router::new()
        .route("/", get(|| async { Ok::<_, Infallible>("ok") }))
        .layer(SecurityHeadersLayer::new(config));

    let response = app
        .clone()
        .oneshot(Request::get("/").body(axum::body::Body::empty()).unwrap())
        .await
        .expect("request should succeed");

    let headers = response.headers();
    assert!(headers.contains_key(http::header::STRICT_TRANSPORT_SECURITY));
    assert!(headers.contains_key(http::header::X_FRAME_OPTIONS));
    assert!(headers.contains_key(http::header::X_CONTENT_TYPE_OPTIONS));
    assert!(headers.contains_key(http::header::REFERRER_POLICY));
}