Crate helmet_core

Helmet is a collection of HTTP headers that help secure your app by setting various HTTP headers.

helmet-core provides the core functionality of Helmet, vie convenient builders to configure the library.

The library can be adapted to different frameworks by wrapping the Helmet struct in a way that suits the framework. For reference implementations see the ntex-helmet crate or the axum-helmet crate.

It is based on the Helmet library for Node.js and is highly configurable.

Usage

use helmet_core::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet};

let helmet = Helmet::new()
    .add(
        ContentSecurityPolicy::new()
            .child_src(vec!["'self'", "https://youtube.com"])
            .connect_src(vec!["'self'", "https://youtube.com"])
            .default_src(vec!["'self'", "https://youtube.com"])
            .font_src(vec!["'self'", "https://youtube.com"]),
    )
    .add(CrossOriginOpenerPolicy::same_origin_allow_popups());

By default Helmet will set the following headers:

Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.

Configuration

By default if you construct a new instance of Helmet it will not set any headers.

The helmet-core crate helps you configure Helmet by providing convenient builders for each header.

Structs

• ContentSecurityPolicy
  Manages Content-Security-Policy header
• Helmet
  Helmet security headers middleware for ntex services
• OriginAgentCluster
  Manages Origin-Agent-Cluster header
• StrictTransportSecurity
  Manages Strict-Transport-Security header
• XPoweredBy
  Manages X-Powered-By header
• XXSSProtection
  Manages X-XSS-Protection header

Enums

• ContentSecurityPolicyDirective
  Manages Content-Security-Policy header
• CrossOriginEmbedderPolicy
  Manages Cross-Origin-Embedder-Policy header
• CrossOriginOpenerPolicy
  Manages Cross-Origin-Opener-Policy header
• CrossOriginResourcePolicy
  Manages Cross-Origin-Resource-Policy header
• ReferrerPolicy
  Manages Referrer-Policy header
• XContentTypeOptions
  Manages X-Content-Type-Options header
• XDNSPrefetchControl
  Manages X-DNS-Prefetch-Control header
• XDownloadOptions
  Manages X-Download-Options header
• XFrameOptions
  Manages X-Frame-Options header
• XPermittedCrossDomainPolicies
  Manages X-Permitted-Cross-Domain-Policies header

Traits

• Header
  Header trait