Crate ntex_helmet
`ntex-helmet` helps secure your ntex app by setting various HTTP security headers on every response.
`ntex_helmet::Helmet` is a middleware that sets these headers automatically.
It is based on the Helmet library for Node.js and is highly configurable.
Usage

```rust
use ntex::web;
use ntex_helmet::Helmet;

#[ntex::main]
async fn main() -> std::io::Result<()> {
    web::HttpServer::new(move || {
        web::App::new()
            .wrap(Helmet::default())
            .service(web::resource("/").to(|| async { "Hello, world!" }))
    })
    .bind(("127.0.0.1", 8080))?
    .run()
    .await
}
```

By default Helmet will set the following headers:
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0
This is a reasonable starting point for most users, but it is highly recommended to spend some time with the documentation for each header and adjust them to your needs.
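The defaults only help if the policy that reaches the browser still says what you think it says. The helper below is an added example, not part of ntex-helmet or ntex: it uses only the standard library to parse a Content-Security-Policy value such as the default above into its directives and to flag settings a reviewer would normally question; `parse_csp` and `csp_findings` are names chosen here.

```rust
use std::collections::BTreeMap;

/// Parse a Content-Security-Policy value into directive name -> source list.
/// Directives are ';'-separated; the first token is the name and the remaining
/// whitespace-separated tokens are its values (none for a flag directive such
/// as `upgrade-insecure-requests`).
pub fn parse_csp(value: &str) -> BTreeMap<String, Vec<String>> {
    let mut policy = BTreeMap::new();
    for directive in value.split(';') {
        let mut tokens = directive.split_whitespace();
        if let Some(name) = tokens.next() {
            policy
                .entry(name.to_ascii_lowercase())
                .or_insert_with(Vec::new)
                .extend(tokens.map(str::to_string));
        }
    }
    policy
}

/// Findings a reviewer would normally raise; an empty Vec means every check
/// passed. Script sources fall back to default-src when script-src is absent,
/// as the CSP fallback rules require.
pub fn csp_findings(policy: &BTreeMap<String, Vec<String>>) -> Vec<String> {
    let mut findings = Vec::new();
    match policy.get("script-src").or_else(|| policy.get("default-src")) {
        None => findings.push("no script-src or default-src: scripts are unrestricted".to_string()),
        Some(sources) => {
            for weak in ["'unsafe-inline'", "'unsafe-eval'", "*"] {
                if sources.iter().any(|s| s == weak) {
                    findings.push(format!("script sources allow {weak}"));
                }
            }
        }
    }
    let object_none = policy
        .get("object-src")
        .map_or(false, |v| v.len() == 1 && v[0] == "'none'");
    if !object_none {
        findings.push("object-src is not 'none': plugin and embed content is allowed".to_string());
    }
    if !policy.contains_key("frame-ancestors") {
        findings.push("frame-ancestors missing: framing control relies on X-Frame-Options".to_string());
    }
    findings
}
```

Feed it the `Content-Security-Policy` value captured from a response to your own app (for example with `curl -sI`) to confirm that a customised policy did not quietly drop `object-src 'none'` or `frame-ancestors`.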
Configuration
If you construct an instance with `Helmet::new()` (rather than `Helmet::default()`), it will not set any headers.
You can then configure Helmet to set only the headers you want by using the `add` method to add headers one at a time.
```rust
use ntex::web;
use ntex_helmet::{ContentSecurityPolicy, CrossOriginOpenerPolicy, Helmet};

#[ntex::main]
async fn main() -> std::io::Result<()> {
    web::HttpServer::new(move || {
        web::App::new()
            .wrap(
                Helmet::new()
                    .add(
                        ContentSecurityPolicy::new()
                            .child_src(vec!["'self'", "https://youtube.com"])
                            .connect_src(vec!["'self'", "https://youtube.com"])
                            .default_src(vec!["'self'", "https://youtube.com"])
                            .font_src(vec!["'self'", "https://youtube.com"]),
                    )
                    .add(CrossOriginOpenerPolicy::same_origin_allow_popups()),
            )
            .service(web::resource("/").to(|| async { "Hello, world!" }))
    })
    .bind(("127.0.0.1", 4200))?
    .run()
    .await
}
```

Structs
- Manages the Content-Security-Policy header
- Helmet middleware
- Manages the Origin-Agent-Cluster header
- Manages the Strict-Transport-Security header
- Manages the X-Powered-By header
- Manages the X-XSS-Protection header

Enums
- Manages the Content-Security-Policy header
- Manages the Cross-Origin-Embedder-Policy header
- Manages the Cross-Origin-Opener-Policy header
- Manages the Cross-Origin-Resource-Policy header
- Manages the Referrer-Policy header
- Manages the X-Content-Type-Options header
- Manages the X-DNS-Prefetch-Control header
- Manages the X-Download-Options header
- Manages the X-Frame-Options header
- Manages the X-Permitted-Cross-Domain-Policies header

Traits
- Header trait