Module security


Security utilities covering HTTPS enforcement, domain allowlists, and SPKI pinning.

§Threat Model

These helpers assume that upstream TLS validation (chain building, name matching, expiry) has already succeeded; they are a second layer for the cache pipeline, not a replacement for it. They defend against three things: downgrade attempts (a configured URL or a redirect target that drops from HTTPS to plain HTTP), host header confusion (a request reaching a host other than the one the suffix allowlist vouched for, which is why hostnames are canonicalised before matching), and certificate substitution (a certificate for the right name issued by an unintended CA, detected by comparing the presented SPKI fingerprints against the configured pins).
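The downgrade and host-confusion checks, as an added example that is not this crate's code: the function names mirror the index below, but the bodies, the `SecurityError` type and the `check_url` gate are assumptions written for illustration. Two details a practitioner wants to see handled: the suffix match stops at a label boundary (so `notexample.com` and `example.com.evil.test` are not allowed by `example.com`), and the host is taken after any userinfo, so `https://example.com@evil.test/` is judged as `evil.test`.

```rust
use std::collections::BTreeSet;

#[derive(Debug, PartialEq)]
enum SecurityError {
    NotHttps(String),
    HostNotAllowed(String),
}

/// Trim whitespace, drop one trailing dot (absolute-name form) and lowercase.
/// DNS names on the wire are ASCII (IDNs arrive as punycode), so ASCII lowering is enough.
fn canonicalize_dns_name(name: &str) -> String {
    let trimmed = name.trim();
    trimmed.strip_suffix('.').unwrap_or(trimmed).to_ascii_lowercase()
}

/// Canonicalise every entry, drop empties, and dedupe. A BTreeSet gives a
/// stable order so two configs with the same entries compare equal.
fn normalize_allowlist(entries: &[&str]) -> Vec<String> {
    entries
        .iter()
        .map(|e| canonicalize_dns_name(e))
        .filter(|e| !e.is_empty())
        .collect::<BTreeSet<_>>()
        .into_iter()
        .collect()
}

/// Suffix match on a label boundary: "example.com" allows itself and
/// "api.example.com", but neither "notexample.com" nor "example.com.evil.test".
fn host_is_allowed(host: &str, allowlist: &[String]) -> bool {
    let host = canonicalize_dns_name(host);
    if host.is_empty() {
        return false;
    }
    allowlist.iter().filter(|e| !e.is_empty()).any(|entry| {
        host.as_str() == entry.as_str()
            || (host.ends_with(entry.as_str())
                && host.as_bytes()[host.len() - entry.len() - 1] == b'.')
    })
}

/// Reject anything that is not https://, including a redirect target that
/// downgrades to http://. The scheme is case-insensitive (RFC 3986 section 3.1).
fn enforce_https(url: &str) -> Result<&str, SecurityError> {
    let scheme_end = url
        .find("://")
        .ok_or_else(|| SecurityError::NotHttps(url.to_string()))?;
    if url[..scheme_end].eq_ignore_ascii_case("https") {
        Ok(url)
    } else {
        Err(SecurityError::NotHttps(url.to_string()))
    }
}

/// Hypothetical gate for a fetch or redirect target: HTTPS first, then the host
/// the request will actually go to (after userinfo and port are stripped) must
/// be allowlisted. Returns the canonical host so callers log and cache one spelling.
fn check_url(url: &str, allowlist: &[String]) -> Result<String, SecurityError> {
    let url = enforce_https(url)?;
    let rest = &url[url.find("://").unwrap() + 3..];
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    // "trusted.example.com@evil.test" is a request to evil.test, not to the allowlisted name.
    let hostport = authority.rsplit('@').next().unwrap_or(authority);
    if hostport.starts_with('[') {
        // IPv6 literals are not DNS names; a name allowlist cannot vouch for them.
        return Err(SecurityError::HostNotAllowed(hostport.to_string()));
    }
    let host = hostport.split(':').next().unwrap_or("");
    if host_is_allowed(host, allowlist) {
        Ok(canonicalize_dns_name(host))
    } else {
        Err(SecurityError::HostNotAllowed(host.to_string()))
    }
}

fn main() {
    // Constructed sample allowlist and URLs for the demonstration.
    let allow = normalize_allowlist(&["Example.com.", "", " cdn.example.net "]);
    for url in [
        "https://API.example.com:8443/v1/blob",
        "http://api.example.com/v1/blob",
        "https://example.com@evil.test/",
    ] {
        println!("{} -> {:?}", url, check_url(url, &allow));
    }
}
```

The allowlist is normalised once at config load and the canonical form of the host is what should be used as the cache key, so that `Example.COM.` and `example.com` never become two cache entries for one origin.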

Structs§

SpkiFingerprint
SHA-256 fingerprint of a Subject Public Key Info (SPKI) structure.

Functions§

canonicalize_dns_name
Canonicalise a DNS name by trimming whitespace, removing any trailing dot, and lowercasing.
deserialize_allowed_domains
serde helper to normalise allowlist domains during deserialisation.
enforce_https
Ensure the provided URL uses HTTPS.
fingerprint_spki
Compute the SHA-256 fingerprint of a DER-encoded SPKI payload.
host_is_allowed
Evaluate whether the given hostname is allowed by the provided suffix allowlist.
normalize_allowlist
Normalise an allowlist by canonicalising entries and removing duplicates/empties.
verify_spki_pins
Validate that at least one configured SPKI fingerprint matches the presented SPKI set.