Crate helmet_core
source ·Expand description
Helmet is a collection of HTTP headers that help secure your app by setting various HTTP headers.
helmet-core
provides the core functionality of Helmet, vie convenient builders to configure the library.
The library can be adapted to different frameworks by wrapping the Helmet
struct in a way that suits the framework. For reference implementations see the ntex-helmet crate or the axum-helmet crate.
It is based on the Helmet library for Node.js and is highly configurable.
Usage
use helmet_core::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet};
let helmet = Helmet::new()
.add(
ContentSecurityPolicy::new()
.child_src(vec!["'self'", "https://youtube.com"])
.connect_src(vec!["'self'", "https://youtube.com"])
.default_src(vec!["'self'", "https://youtube.com"])
.font_src(vec!["'self'", "https://youtube.com"]),
)
.add(CrossOriginOpenerPolicy::same_origin_allow_popups());
By default Helmet will set the following headers:
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.
Configuration
By default if you construct a new instance of Helmet
it will not set any headers.
The helmet-core
crate helps you configure Helmet by providing convenient builders for each header.
Structs
- Manages
Content-Security-Policy
header - Helmet security headers middleware for ntex services
- Manages
Origin-Agent-Cluster
header - Manages
Strict-Transport-Security
header - Manages
X-Powered-By
header - Manages
X-XSS-Protection
header
Enums
- Manages
Content-Security-Policy
header - Manages
Cross-Origin-Embedder-Policy
header - Manages
Cross-Origin-Opener-Policy
header - Manages
Cross-Origin-Resource-Policy
header - Manages
Referrer-Policy
header - Manages
X-Content-Type-Options
header - Manages
X-DNS-Prefetch-Control
header - Manages
X-Download-Options
header - Manages
X-Frame-Options
header - Manages
X-Permitted-Cross-Domain-Policies
header
Traits
- Header trait