Security and privacy headers for all outgoing responses.

SpaceHelmet provides a typed interface for HTTP security headers. It takes some inspiration from helmetjs, a similar piece of middleware for Express.

Supported Headers

HTTP Header | Description | Policy | Default?
--- | --- | --- | ---
X-XSS-Protection | Prevents some reflected XSS attacks. | XssFilter | Yes
X-Content-Type-Options | Prevents client sniffing of MIME type. | NoSniff | Yes
X-Frame-Options | Prevents clickjacking. | Frame | Yes
Strict-Transport-Security | Enforces strict use of HTTPS. | Hsts | ?
Expect-CT | Enables certificate transparency. | ExpectCt | No
Referrer-Policy | Enables referrer policy. | Referrer | No

? If TLS is enabled when the application is launched, in a non-development environment (e.g., staging or production), HSTS is automatically enabled with its default policy and a warning is issued.


To apply default headers, simply attach an instance of SpaceHelmet before launching:

use rocket_contrib::helmet::SpaceHelmet;

let rocket = rocket::ignite().attach(SpaceHelmet::default());

Each header can be configured individually. To enable a particular header, call the chainable enable() method on an instance of SpaceHelmet, passing in the configured policy type. Similarly, to disable a header, call the chainable disable() method on an instance of SpaceHelmet:

use rocket::http::uri::Uri;
use rocket_contrib::helmet::{SpaceHelmet, Frame, XssFilter, Hsts, NoSniff};

let site_uri = Uri::parse("https://mysite.example.com").unwrap();
let report_uri = Uri::parse("https://report.example.com").unwrap();
let helmet = SpaceHelmet::default()
    // Add HSTS with its default policy (one-year max-age).
    .enable(Hsts::default())
    // Replace the default SAMEORIGIN frame policy: only allow framing from site_uri.
    .enable(Frame::AllowFrom(site_uri))
    // Keep the XSS filter on, but have violations reported to report_uri.
    .enable(XssFilter::EnableReport(report_uri))
    // Drop the default X-Content-Type-Options header entirely.
    .disable::<NoSniff>();
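As an added illustration that is not rocket_contrib's own code, the following std-only Rust model shows what chained enable()/disable() calls like the ones above produce in terms of concrete header values, and that disabling a default policy removes its header rather than emptying it. `Policy`, `Helmet`, its `defaults()` and the plain-String URIs are assumptions standing in for SpaceHelmet, `Uri` and rocket's types; only Frame, Hsts and NoSniff are modelled, with values taken from the respective header specs.

```rust
// Added example, not rocket_contrib's own code: a std-only model of how SpaceHelmet's
// typed policies render to header values. `Policy`, `Helmet` and the String URIs are
// assumptions mirroring the page's design; header values follow the respective specs.
use std::collections::BTreeMap;
use std::time::Duration;
/// Assumed trait: a policy knows its header name and renders its value.
trait Policy {
    const NAME: &'static str;
    fn value(&self) -> String;
}
enum Frame { Deny, SameOrigin, AllowFrom(String) }
impl Policy for Frame {
    const NAME: &'static str = "X-Frame-Options";
    fn value(&self) -> String {
        match self {
            Frame::Deny => "DENY".into(),
            Frame::SameOrigin => "SAMEORIGIN".into(),
            Frame::AllowFrom(uri) => format!("ALLOW-FROM {}", uri),
        }
    }
}
enum Hsts { Enable(Duration), IncludeSubDomains(Duration) }
impl Policy for Hsts {
    const NAME: &'static str = "Strict-Transport-Security";
    fn value(&self) -> String {
        match self {
            Hsts::Enable(d) => format!("max-age={}", d.as_secs()),
            Hsts::IncludeSubDomains(d) => format!("max-age={}; includeSubDomains", d.as_secs()),
        }
    }
}
struct NoSniff;
impl Policy for NoSniff {
    const NAME: &'static str = "X-Content-Type-Options";
    fn value(&self) -> String { "nosniff".into() }
}
/// Assumed model of SpaceHelmet: the headers it would add to every outgoing response.
struct Helmet { headers: BTreeMap<&'static str, String> }
impl Helmet {
    /// Mirrors the page's defaults for the policies modelled here (Frame and NoSniff on).
    fn defaults() -> Self { Helmet { headers: BTreeMap::new() }.enable(Frame::SameOrigin).enable(NoSniff) }
    fn enable<P: Policy>(mut self, p: P) -> Self { self.headers.insert(P::NAME, p.value()); self }
    fn disable<P: Policy>(mut self) -> Self { self.headers.remove(P::NAME); self }
    fn header(&self, name: &str) -> Option<&str> { self.headers.get(name).map(String::as_str) }
}
/// The page's configuration: HSTS on, framing limited to one site, NoSniff switched off.
fn configured() -> Helmet {
    Helmet::defaults()
        .enable(Hsts::Enable(Duration::from_secs(31_536_000)))
        .enable(Frame::AllowFrom("https://mysite.example.com".into()))
        .disable::<NoSniff>()
}
```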


  • Which policies should I choose?

    See the links in the table above for individual header documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.

  • Do I need any headers beyond what SpaceHelmet enables by default?

    Maybe! The other headers can protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.


Structs

SpaceHelmet: A Fairing that adds HTTP headers to outgoing responses that control security features on the browser.

Enums

ExpectCt: The Expect-CT header: enables Certificate Transparency to detect and prevent misuse of TLS certificates.

Frame: The X-Frame-Options header: helps prevent clickjacking attacks.

Hsts: The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.

NoSniff: The X-Content-Type-Options header: turns off MIME sniffing, which can prevent certain attacks.

Referrer: The Referrer-Policy header: controls the value set by the browser for the Referer header.

XssFilter: The X-XSS-Protection header: filters some forms of reflected XSS attacks.

Traits

Policy: Trait implemented by security and privacy policy headers.