Helmet helps secure your app by setting various security-related HTTP response headers. helmet-core provides the core functionality of Helmet, via convenient builders for configuring each header. The library can be adapted to different frameworks by wrapping the Helmet struct in a way that suits the framework; for reference implementations see the ntex-helmet crate or the axum-helmet crate. It is based on the Helmet library for Node.js and is highly configurable.
§Usage
```rust
use helmet_core::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet};

let helmet = Helmet::new()
    .add(
        ContentSecurityPolicy::new()
            .child_src(vec!["'self'", "https://youtube.com"])
            .connect_src(vec!["'self'", "https://youtube.com"])
            .default_src(vec!["'self'", "https://youtube.com"])
            .font_src(vec!["'self'", "https://youtube.com"]),
    )
    .add(CrossOriginOpenerPolicy::same_origin_allow_popups());
```
By default Helmet will set the following headers:

```text
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
```

This is a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header and adjust them to your needs.
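As an added illustration, not part of the helmet-core crate, the default Content-Security-Policy value listed above can be parsed into its directives and checked for the hardening properties it is meant to provide. The parser and the checks are my own; DEFAULT_CSP is a copy of the header value shown above.

```rust
use std::collections::BTreeMap;

/// Parse a Content-Security-Policy header value into directive -> sources.
/// Directives are separated by ';'; the first token of each is the directive
/// name and the remaining whitespace-separated tokens are its sources.
pub fn parse_csp(value: &str) -> BTreeMap<String, Vec<String>> {
    let mut out = BTreeMap::new();
    for directive in value.split(';') {
        let mut tokens = directive.split_whitespace();
        if let Some(name) = tokens.next() {
            out.insert(name.to_ascii_lowercase(), tokens.map(str::to_string).collect());
        }
    }
    out
}

/// Review a parsed policy for the properties the default policy above is
/// meant to guarantee. Returns one finding per failed check; an empty
/// vector means the policy passed all of them.
pub fn csp_findings(policy: &BTreeMap<String, Vec<String>>) -> Vec<String> {
    let mut findings = Vec::new();
    let has = |d: &str, s: &str| policy.get(d).map_or(false, |v| v.iter().any(|x| x == s));
    if !policy.contains_key("default-src") {
        findings.push("missing default-src fallback".to_string());
    }
    if !has("object-src", "'none'") {
        findings.push("object-src should be 'none'".to_string());
    }
    // script-src falls back to default-src when absent; check whichever applies.
    let script = policy.get("script-src").or_else(|| policy.get("default-src"));
    if script.map_or(true, |v| v.iter().any(|s| s == "'unsafe-inline'")) {
        findings.push("script-src allows inline scripts".to_string());
    }
    if !policy.contains_key("frame-ancestors") {
        findings.push("missing frame-ancestors (clickjacking)".to_string());
    }
    findings
}

/// The default Content-Security-Policy value listed above (copied verbatim).
pub const DEFAULT_CSP: &str = "default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests";

fn main() {
    let policy = parse_csp(DEFAULT_CSP);
    println!("{} directives, findings: {:?}", policy.len(), csp_findings(&policy));
}
```

Running the same checks over a policy you have tuned yourself shows which of the default guarantees a change gives up.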
§Configuration
By default, if you construct a new instance of Helmet it will not set any headers. The helmet-core crate helps you configure Helmet by providing convenient builders for each header.
§Structs
- ContentSecurityPolicy - Manages the Content-Security-Policy header
- Helmet - Helmet security headers middleware for ntex services
- OriginAgentCluster - Manages the Origin-Agent-Cluster header
- StrictTransportSecurity - Manages the Strict-Transport-Security header
- XPoweredBy - Manages the X-Powered-By header
- XXSSProtection - Manages the X-XSS-Protection header
§Enums
- ContentSecurityPolicyDirective - Manages the Content-Security-Policy header
- CrossOriginEmbedderPolicy - Manages the Cross-Origin-Embedder-Policy header
- CrossOriginOpenerPolicy - Manages the Cross-Origin-Opener-Policy header
- CrossOriginResourcePolicy - Manages the Cross-Origin-Resource-Policy header
- ReferrerPolicy - Manages the Referrer-Policy header
- XContentTypeOptions - Manages the X-Content-Type-Options header
- XDNSPrefetchControl - Manages the X-DNS-Prefetch-Control header
- XDownloadOptions - Manages the X-Download-Options header
- XFrameOptions - Manages the X-Frame-Options header
- XPermittedCrossDomainPolicies - Manages the X-Permitted-Cross-Domain-Policies header
§Type Aliases
- Header - Header trait