Expand description
`ntex-helmet`` is a collection of HTTP headers that help secure your ntex app by setting various HTTP headers.
`ntex_helmet::Helmet`` is a middleware that automatically sets these headers.
It is based on the Helmet library for Node.js and is highly configurable.
§Usage
use ntex::web;
use ntex_helmet::Helmet;
#[ntex::main]
async fn main() -> std::io::Result<()> {
web::HttpServer::new(move || {
web::App::new()
.wrap(Helmet::default())
.service(web::resource("/").to(|| async { "Hello, world!" }))
})
.bind(("127.0.0.1", 8080))?
.run()
.await
}By default Helmet will set the following headers:
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.
§Configuration
By default if you construct a new instance of Helmet it will not set any headers.
It is possible to configure Helmet to set only the headers you want, by using the add method to add headers.
use ntex::web;
use ntex_helmet::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet};
#[ntex::main]
async fn main() -> std::io::Result<()> {
web::HttpServer::new(move || {
web::App::new()
.wrap(
Helmet::new()
.add(
ContentSecurityPolicy::new()
.child_src(vec!["'self'", "https://youtube.com"])
.connect_src(vec!["'self'", "https://youtube.com"])
.default_src(vec!["'self'", "https://youtube.com"])
.font_src(vec!["'self'", "https://youtube.com"]),
)
.add(CrossOriginOpenerPolicy::same_origin_allow_popups()),
)
.service(web::resource("/").to(|| async { "Hello, world!" }))
})
.bind(("127.0.0.1", 4200))?
.run()
.await
}Structs§
- Content
Security Policy - Manages
Content-Security-Policyheader - Helmet
- Helmet middleware
- Helmet
Middleware - Origin
Agent Cluster - Manages
Origin-Agent-Clusterheader - Strict
Transport Security - Manages
Strict-Transport-Securityheader - XPowered
By - Manages
X-Powered-Byheader - XXSS
Protection - Manages
X-XSS-Protectionheader
Enums§
- Content
Security Policy Directive - Manages
Content-Security-Policyheader - Cross
Origin Embedder Policy - Manages
Cross-Origin-Embedder-Policyheader - Cross
Origin Opener Policy - Manages
Cross-Origin-Opener-Policyheader - Cross
Origin Resource Policy - Manages
Cross-Origin-Resource-Policyheader - Referrer
Policy - Manages
Referrer-Policyheader - XContent
Type Options - Manages
X-Content-Type-Optionsheader - XDNS
Prefetch Control - Manages
X-DNS-Prefetch-Controlheader - XDownload
Options - Manages
X-Download-Optionsheader - XFrame
Options - Manages
X-Frame-Optionsheader - XPermitted
Cross Domain Policies - Manages
X-Permitted-Cross-Domain-Policiesheader
Type Aliases§
- Header
- Header trait