Enum rocket_contrib::helmet::Hsts

pub enum Hsts {
    Enable(Duration),
    IncludeSubDomains(Duration),
    Preload(Duration),
}

The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

HSTS tells the browser that the site should only be accessed using HTTPS instead of HTTP. HSTS prevents a variety of downgrading attacks and should always be used when TLS is enabled. SpaceHelmet will turn HSTS on and issue a warning if you enable TLS without enabling HSTS when the application is run in the staging or production environments.

While HSTS is important for HTTPS security, incorrectly configured HSTS can lead to problems as you are disallowing access to non-HTTPS enabled parts of your site. Yelp engineering has good discussion of potential challenges that can arise and how to roll this out in a large scale setting. So, if you use TLS, use HSTS, but roll it out with care.

Variants

Enable(Duration)

Browser should only permit this site to be accesses by HTTPS for the next Duration.

IncludeSubDomains(Duration)

Like Hsts::Enable, but also apply to all of the site's subdomains.

Preload(Duration)

Google maintains an HSTS preload service that can be used to prevent the browser from ever connecting to your site over an insecure connection. Read more here. Don't enable this before you have registered your site.

Trait Implementations

impl Policy for Hsts

const NAME: &'static str

The actual name of the HTTP header.

fn header(&self) -> Header<'static>

Returns the Header to attach to all outgoing responses.

impl<'a> Into<Header<'static>> for &'a Hsts

fn into(self) -> Header<'static>

Performs the conversion.

impl Default for Hsts

Defaults to Hsts::Enable(Duration::weeks(52)).

fn default() -> Hsts

Returns the "default value" for a type.