Struct SecurityStack 

pub struct SecurityStack { /* private fields */ }

Composable security middleware stack for Axum.

Holds an optional configuration for each supported layer. Layers set to None are skipped in apply. Start from SecurityStack::default() for safe production defaults, or SecurityStack::new() for the same starting point and chain builder methods to customise or disable individual layers.

Layer application order

Layers are applied outermost-first in the following order, so each layer’s rejection response is still wrapped by the layers before it (e.g. security headers appear on rate-limit rejections):

helmet → redirect_https → ipfilter → ratelimit → body_limit → csrf → handler

Examples

use axum::{routing::get, Router};
use rune_axum_stack::SecurityStack;

// Five-layer default stack
let app: Router = SecurityStack::default().apply(
    Router::new().route("/api", get(|| async { "ok" })),
);

use axum::{routing::post, Router};
use rune_axum_stack::SecurityStack;

// REST API: no CSRF, no HTTPS redirect (TLS terminated upstream)
let app: Router = SecurityStack::new()
    .without_csrf()
    .without_redirect_https()
    .apply(Router::new().route("/api/data", post(|| async { "ok" })));

Implementations

impl SecurityStack

pub fn new() -> Self

Creates a SecurityStack with the same safe defaults as Default.

Examples

use axum::{routing::get, Router};
use rune_axum_stack::SecurityStack;

let app: Router = SecurityStack::new()
    .without_csrf()
    .apply(Router::new().route("/", get(|| async { "ok" })));

pub fn helmet(self, config: Helmet) -> Self

Replaces the HelmetLayer configuration.

pub fn without_helmet(self) -> Self

Removes the HelmetLayer from the stack.

pub fn csrf(self, config: CsrfConfig) -> Self

Replaces the CsrfLayer configuration.

pub fn without_csrf(self) -> Self

Removes the CsrfLayer from the stack.

Useful for stateless APIs that authenticate via bearer tokens or API keys where traditional CSRF protection is not applicable.

pub fn ratelimit(self, config: RateLimitConfig) -> Self

Replaces the RateLimitLayer configuration.

pub fn without_ratelimit(self) -> Self

Removes the RateLimitLayer from the stack.

pub fn ipfilter(self, config: IpFilterConfig) -> Self

Enables IP filtering with the given IpFilterConfig.

IP filtering is disabled by default; call this to opt in.

pub fn without_ipfilter(self) -> Self

Removes the IpFilterLayer from the stack (the default state).

pub fn redirect_https(self, config: RedirectHttps) -> Self

Replaces the RedirectHttpsLayer configuration.

pub fn without_redirect_https(self) -> Self

Removes the RedirectHttpsLayer from the stack.

Suitable when TLS is terminated by an upstream proxy that never forwards plain HTTP to the application.

pub fn body_limit(self, config: BodyLimit) -> Self

Replaces the BodyLimitLayer configuration.

pub fn without_body_limit(self) -> Self

Removes the BodyLimitLayer from the stack.

pub fn apply<S>(self, router: Router<S>) -> Router<S>

where S: Clone + Send + Sync + 'static,

Applies all enabled layers to router and returns the wrapped router.

Layers are composed outermost-first: helmet → redirect_https → ipfilter → ratelimit → body_limit → csrf → handler.

Examples

use axum::{routing::get, Router};
use rune_axum_stack::SecurityStack;

let app: Router = SecurityStack::default().apply(
    Router::new().route("/", get(|| async { "ok" })),
);

Trait Implementations

impl Clone for SecurityStack

fn clone(&self) -> SecurityStack

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for SecurityStack

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for SecurityStack

fn default() -> Self

Returns the “default value” for a type.