Struct TraceRejectionMiddleware

pub struct TraceRejectionMiddleware { /* private fields */ }

Middleware that rejects HTTP TRACE requests to prevent Cross-Site Tracing (XST) attacks.

The HTTP TRACE method echoes the received request back to the client in the response body. Combined with a cross-site scripting (XSS) flaw, that echo lets attacker-controlled script read sensitive headers, such as Authorization or cookies, that the browser would otherwise keep out of reach of script.

§Security Rationale

  • TRACE can expose Authorization headers via XSS attacks
  • No legitimate use case in modern APIs
  • OWASP recommends disabling TRACE

§Example

use fastapi_core::middleware::TraceRejectionMiddleware;

let app = App::builder()
    .middleware(TraceRejectionMiddleware::new())
    .build();

§Behavior

  • Returns 405 Method Not Allowed for all TRACE requests
  • Logs TRACE attempts as security events (when log_attempts is true)
  • Cannot be disabled per-route (intentionally)
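The following is an added, self-contained model of the behaviour described above; it is not fastapi_core's code. `Request`, `Response`, `ControlFlow` and `TraceRejection` are stand-ins for the crate's types, and the `events` vector stands in for the security-event logger, so the rejection, the 405 status and the logged IP/path can be checked in isolation.

```rust
// Added example: a minimal TRACE-rejection middleware modelled on the page's
// description. Type names are stand-ins, not fastapi_core's real types.
#[derive(Debug, Clone)]
pub struct Request {
    pub method: String,
    pub path: String,
    pub remote_ip: Option<String>, // None when the transport gives no peer address
}

#[derive(Debug, Clone, PartialEq)]
pub struct Response {
    pub status: u16,
    pub body: String,
}

#[derive(Debug, Clone, PartialEq)]
pub enum ControlFlow {
    Continue,        // hand the request on to the next middleware / handler
    Break(Response), // short-circuit with this response, handler never runs
}

#[derive(Debug, Clone)]
pub struct TraceRejection {
    log_attempts: bool,
    pub events: Vec<String>, // captured security-event lines (stand-in for a logger)
}

impl TraceRejection {
    pub fn new() -> Self {
        Self { log_attempts: true, events: Vec::new() } // logging on by default
    }

    pub fn log_attempts(mut self, log: bool) -> Self {
        self.log_attempts = log;
        self
    }

    /// Stand-in for `Middleware::before`: reject TRACE, pass everything else through.
    pub fn before(&mut self, req: &Request) -> ControlFlow {
        // HTTP method tokens are case-sensitive, so an exact match is correct here.
        if req.method != "TRACE" {
            return ControlFlow::Continue;
        }
        if self.log_attempts {
            let ip = req.remote_ip.as_deref().unwrap_or("unknown");
            self.events.push(format!("security: TRACE rejected ip={} path={}", ip, req.path));
        }
        // 405 with an empty body: nothing from the request (cookies, Authorization)
        // is ever echoed back, which is the whole point of refusing TRACE.
        ControlFlow::Break(Response { status: 405, body: String::new() })
    }
}
```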

Implementations§

impl TraceRejectionMiddleware

pub fn new() -> Self

Create a new TRACE rejection middleware with default settings.

By default, logging of TRACE attempts is enabled.

pub fn log_attempts(self, log: bool) -> Self

Configure whether to log TRACE attempts.

When enabled, each TRACE request is logged as a security event including the remote IP (if available) and request path.

Trait Implementations§

impl Clone for TraceRejectionMiddleware

fn clone(&self) -> TraceRejectionMiddleware

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for TraceRejectionMiddleware

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for TraceRejectionMiddleware

fn default() -> Self

Returns the “default value” for a type.

impl Middleware for TraceRejectionMiddleware

fn before<'a>(&'a self, _ctx: &'a RequestContext, req: &'a mut Request) -> BoxFuture<'a, ControlFlow>

Called before the handler executes.

fn name(&self) -> &'static str

Returns the middleware name for debugging and logging.

fn after<'a>(&'a self, _ctx: &'a RequestContext, _req: &'a Request, response: Response) -> BoxFuture<'a, Response>

Called after the handler executes.
