Crate helmet_core


Helmet helps secure your app by setting a collection of security-related HTTP response headers.

helmet-core provides the core functionality of Helmet, via convenient builders to configure the library.

The library can be adapted to different frameworks by wrapping the Helmet struct in a way that suits the framework. For reference implementations see the ntex-helmet crate or the axum-helmet crate.

It is based on the Helmet library for Node.js and is highly configurable.

Usage

use helmet_core::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet};

let helmet = Helmet::new()
    .add(
        ContentSecurityPolicy::new()
            .child_src(vec!["'self'", "https://youtube.com"])
            .connect_src(vec!["'self'", "https://youtube.com"])
            .default_src(vec!["'self'", "https://youtube.com"])
            .font_src(vec!["'self'", "https://youtube.com"]),
    )
    .add(CrossOriginOpenerPolicy::same_origin_allow_popups());

By default Helmet will set the following headers:

Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0

This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.
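To make that review concrete, here is an added example (not code from helmet_core or the Helmet project) that parses a serialized Content-Security-Policy value such as the default above into its directives, renders it back out, and runs a few defender-side checks on it: whether scripts are effectively allowed from anywhere, whether `object-src`, `base-uri` and `frame-ancestors` are present, and whether `'unsafe-inline'` is actually in effect (it is ignored by CSP3 browsers when a nonce or hash is also listed). The functions `parse_csp`, `render_csp` and `lint_csp` and the `Policy` alias are hypothetical names chosen for this example; the parser follows the CSP rule that a repeated directive name is ignored rather than overriding the earlier one.

```rust
use std::collections::BTreeMap;

/// A parsed Content-Security-Policy: directive name -> source list, in a
/// sorted map so rendering is deterministic. (Example type, not helmet_core's.)
pub type Policy = BTreeMap<String, Vec<String>>;

/// Parse a serialized CSP value such as
/// "default-src 'self'; object-src 'none'; upgrade-insecure-requests".
/// Directives are separated by ';', tokens by ASCII whitespace. As in the
/// CSP specification, a repeated directive name is ignored (the first one
/// wins), so a later "script-src *" cannot loosen an earlier script-src.
pub fn parse_csp(value: &str) -> Policy {
    let mut policy = Policy::new();
    for directive in value.split(';') {
        let mut tokens = directive.split_whitespace();
        let name = match tokens.next() {
            Some(n) => n.to_ascii_lowercase(),
            None => continue, // empty segment, e.g. a trailing ';'
        };
        if policy.contains_key(&name) {
            continue;
        }
        policy.insert(name, tokens.map(str::to_string).collect());
    }
    policy
}

/// Serialize a policy back into a header value.
pub fn render_csp(policy: &Policy) -> String {
    policy
        .iter()
        .map(|(name, sources)| {
            if sources.is_empty() {
                name.clone()
            } else {
                format!("{} {}", name, sources.join(" "))
            }
        })
        .collect::<Vec<_>>()
        .join("; ")
}

/// Sources that apply to a fetch directive, falling back to default-src the
/// way a browser does when the specific directive is absent.
fn effective<'a>(policy: &'a Policy, directive: &str) -> Option<&'a Vec<String>> {
    policy.get(directive).or_else(|| policy.get("default-src"))
}

/// Review a policy and return human-readable findings. An empty Vec means
/// none of these particular checks fired, not that the policy is complete.
pub fn lint_csp(policy: &Policy) -> Vec<String> {
    let mut findings = Vec::new();
    match effective(policy, "script-src") {
        None => findings.push(
            "no script-src and no default-src: scripts may load from anywhere".to_string(),
        ),
        Some(sources) => {
            // With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline',
            // so it is only a finding when no nonce/hash source is listed.
            let has_nonce_or_hash = sources
                .iter()
                .any(|s| s.starts_with("'nonce-") || s.starts_with("'sha"));
            for weak in ["'unsafe-inline'", "'unsafe-eval'", "*", "https:", "data:"] {
                if weak == "'unsafe-inline'" && has_nonce_or_hash {
                    continue;
                }
                if sources.iter().any(|s| s == weak) {
                    findings.push(format!(
                        "script-src allows {weak}, which weakens XSS mitigation"
                    ));
                }
            }
        }
    }
    if effective(policy, "object-src").is_none() {
        findings.push("object-src missing: add object-src 'none' unless plugins are needed".into());
    }
    if !policy.contains_key("base-uri") {
        findings.push("base-uri missing: an injected <base> tag could retarget relative URLs".into());
    }
    if !policy.contains_key("frame-ancestors") {
        findings.push("frame-ancestors missing: clickjacking protection relies on X-Frame-Options".into());
    }
    findings
}

fn main() {
    // Constructed sample: the Helmet default policy shown above.
    let policy = parse_csp("default-src 'self'; base-uri 'self'; object-src 'none'; frame-ancestors 'self'; script-src 'self'");
    println!("{}", render_csp(&policy));
    for f in lint_csp(&policy) {
        println!("finding: {f}");
    }
}
```

Run it against the policy your own configuration produces before deploying: the checks are deliberately conservative, and a policy that passes them still needs the per-directive review the paragraph above recommends.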

Configuration

By default if you construct a new instance of Helmet it will not set any headers.

The helmet-core crate helps you configure Helmet by providing convenient builders for each header.
