owasp-headers 0.2.0

best-practice OWASP HTTP response headers ( https://owasp.org/www-project-secure-headers/ ) for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

#![deny(clippy::all, unsafe_code)]
#![warn(missing_docs)]

//! Modern web browsers may prevent or mitigate security vulnerabilities when they encounter the
//! [HTTP response headers recommended by OWASP](https://owasp.org/www-project-secure-headers/).
//!
//! This crate offers these HTTP headers and their values,
//! so that they may be more-conveniently used when developing web services in Rust.
//!
//! Example:
//! ```
//! use std::convert::Infallible;
//! use http::response::Parts;
//! use hyper::{self, Request, Response};
//!
//! // e.g. https://docs.rs/tower/latest/tower/fn.service_fn.html
//! async fn handle(_req: Request<()>) -> http::Result<Response<String>> {
//!     let mut response = Response::new(String::from("hello, world!"));
//!     let mut headers = response.headers_mut();
//!     headers.extend(owasp_headers::headers().into_iter());
//!     Ok(response)
//! }
//! ```
//!
//! If you are developing a web service using
//! [`tower::Service`](https://docs.rs/tower/0.5/tower/trait.Service.html),
//! you may find it even more convenient to apply these headers using
//! [tower-default-headers](https://crates.io/crates/tower-default-headers).

use http::header::{
    CACHE_CONTROL, CONTENT_SECURITY_POLICY, HeaderMap, HeaderValue, PRAGMA, REFERRER_POLICY,
    X_CONTENT_TYPE_OPTIONS, X_FRAME_OPTIONS,
};

/// produces an owned-collection of headers and their values
pub fn headers() -> HeaderMap {
    let mut h = HeaderMap::new();
    h.reserve(13);
    h.insert(
        HTTP_STRICT_TRANSPORT_SECURITY,
        HeaderValue::from_static(HTTP_STRICT_TRANSPORT_SECURITY_DEFAULT),
    );
    h.insert(
        X_FRAME_OPTIONS,
        HeaderValue::from_static(X_FRAME_OPTIONS_DEFAULT),
    );
    h.insert(
        X_CONTENT_TYPE_OPTIONS,
        HeaderValue::from_static(X_CONTENT_TYPE_OPTIONS_DEFAULT),
    );
    h.insert(
        CONTENT_SECURITY_POLICY,
        HeaderValue::from_static(CONTENT_SECURITY_POLICY_DEFAULT),
    );
    h.insert(
        X_PERMITTED_CROSS_DOMAIN_POLICIES,
        HeaderValue::from_static(X_PERMITTED_CROSS_DOMAIN_POLICIES_DEFAULT),
    );
    h.insert(
        REFERRER_POLICY,
        HeaderValue::from_static(REFERRER_POLICY_DEFAULT),
    );
    h.insert(
        CLEAR_SITE_DATA,
        HeaderValue::from_static(CLEAR_SITE_DATA_DEFAULT),
    );
    h.insert(
        CROSS_ORIGIN_EMBEDDER_POLICY,
        HeaderValue::from_static(CROSS_ORIGIN_EMBEDDER_POLICY_DEFAULT),
    );
    h.insert(
        CROSS_ORIGIN_OPENER_POLICY,
        HeaderValue::from_static(SAME_ORIGIN),
    );
    h.insert(
        CROSS_ORIGIN_RESOURCE_POLICY,
        HeaderValue::from_static(SAME_ORIGIN),
    );
    h.insert(
        PERMISSIONS_POLICY,
        HeaderValue::from_static(PERMISSIONS_POLICY_DEFAULT),
    );
    h.insert(
        CACHE_CONTROL,
        HeaderValue::from_static(CACHE_CONTROL_DEFAULT),
    );
    h.insert(PRAGMA, HeaderValue::from_static(PRAGMA_DEFAULT));
    h
}

const CACHE_CONTROL_DEFAULT: &str = "no-store, max-age=0";
const CLEAR_SITE_DATA: &str = "clear-site-data";
const CLEAR_SITE_DATA_DEFAULT: &str = r#""cache","cookies","storage""#;
const CONTENT_SECURITY_POLICY_DEFAULT: &str = "default-src 'self'; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content";
const CROSS_ORIGIN_EMBEDDER_POLICY: &str = "cross-origin-embedder-policy";
const CROSS_ORIGIN_EMBEDDER_POLICY_DEFAULT: &str = "require-corp";
const CROSS_ORIGIN_OPENER_POLICY: &str = "cross-origin-opener-policy";
const CROSS_ORIGIN_RESOURCE_POLICY: &str = "cross-origin-resource-policy";
const HTTP_STRICT_TRANSPORT_SECURITY: &str = "http-strict-transport-security";
const HTTP_STRICT_TRANSPORT_SECURITY_DEFAULT: &str = "max-age=31536000 ; includeSubDomains";
const PERMISSIONS_POLICY: &str = "permissions-policy";
const PERMISSIONS_POLICY_DEFAULT: &str = "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()";
const PRAGMA_DEFAULT: &str = "no-cache";
const REFERRER_POLICY_DEFAULT: &str = "no-referrer";
const SAME_ORIGIN: &str = "same-origin";
const X_CONTENT_TYPE_OPTIONS_DEFAULT: &str = "nosniff";
const X_FRAME_OPTIONS_DEFAULT: &str = "deny";
const X_PERMITTED_CROSS_DOMAIN_POLICIES: &str = "x-permitted-cross-domain-policies";
const X_PERMITTED_CROSS_DOMAIN_POLICIES_DEFAULT: &str = "none";

#[cfg(test)]
mod tests {
    use std::{fs::read_to_string, path::Path};

    use super::*;

    #[test]
    fn headers_returns_headermap_with_expected_len() {
        let got = headers();
        assert_eq!(got.len(), 13);
    }

    #[test]
    fn headers_returns_headermap_with_expected_contents() {
        let got = headers();
        let got_text = format!("{:#?}", got);

        let fixture_path = Path::new("./fixtures/headers.txt");
        let fixture_data =
            read_to_string(fixture_path).expect("could not read fixtures/headers.txt");

        assert_eq!(got_text.trim(), fixture_data.trim());
    }
}