Crate rune_axum_stack

Expand description

All-in-one security middleware stack for Axum.

Composes up to six tower::Layers from the rune-axum-* family into a single SecurityStack::apply call: security headers, CSRF protection, rate limiting, IP filtering, HTTPS redirect, and body size limiting. Every layer is individually configurable or removable via builder methods.

Re-exports the configuration types from each component crate — you only need rune-axum-stack in [dependencies].

§Default stack

SecurityStack::default() enables five layers with safe defaults:

Layer	Default
`HelmetLayer`	Standard security headers (no HSTS/CSP — opt-in)
`RedirectHttpsLayer`	308 permanent redirect for HTTP requests
`RateLimitLayer`	100 requests per 60 s keyed by `X-Forwarded-For`
`BodyLimitLayer`	1 MiB `Content-Length` limit
`CsrfLayer`	Double-submit cookie on POST / PUT / PATCH / DELETE

IP filtering (IpFilterLayer) is not included by default — it requires explicit CIDR configuration via .ipfilter().

§Features

Six rune-axum-* layers composed into one SecurityStack::apply call.
Every layer is individually configurable or removable — use only what you need.
Outermost-first ordering: security headers wrap all rejection responses (rate-limit 429, CSRF 403, IP-filter 403, etc.).
Re-exports all config types — one crate in [dependencies] is enough.
Works with any Axum router state (Router<S>).

§Quick Start

use axum::{routing::get, Router};
use rune_axum_stack::SecurityStack;

let app: Router = SecurityStack::default().apply(
    Router::new().route("/", get(|| async { "ok" })),
);

§Custom Configuration

use std::time::Duration;
use axum::{routing::get, Router};
use rune_axum_stack::{
    FilterMode, Helmet, IpFilterConfig, RateLimitConfig, SecurityStack, XFrameOptions,
};

let app: Router = SecurityStack::new()
    .helmet(Helmet::new().frame_options(XFrameOptions::Deny))
    .ratelimit(RateLimitConfig::new().requests(200).window(Duration::from_secs(30)))
    .ipfilter(IpFilterConfig::new().mode(FilterMode::Blocklist).cidr("10.0.0.0/8"))
    .without_csrf()
    .apply(Router::new().route("/", get(|| async { "ok" })));

Structs§

BodyLimit: Configuration for the request body size limit middleware.
BodyLimitLayer: Tower Layer that rejects requests whose Content-Length exceeds the configured limit.
BodyLimitService: Tower Service produced by BodyLimitLayer.
CsrfConfig: Configuration for the CSRF protection middleware.
CsrfLayer: Tower Layer that implements the CSRF double-submit cookie pattern.
CsrfService: Tower Service produced by CsrfLayer.
Helmet: The set of security headers to apply to every response.
HelmetLayer: Tower Layer that injects security headers into every response.
Hsts: Configuration for the Strict-Transport-Security header.
IpFilterConfig: Configuration for the IP filter middleware.
IpFilterLayer: Tower Layer that applies CIDR-based IP allowlist or blocklist filtering.
IpFilterService: Tower Service produced by IpFilterLayer.
RateLimitConfig: Configuration for the rate limiter middleware.
RateLimitLayer: Tower Layer that applies fixed-window rate limiting per client.
RateLimitService: Tower Service produced by RateLimitLayer.
RedirectHttps: Configuration for the HTTP-to-HTTPS redirect middleware.
RedirectHttpsLayer: Tower Layer that redirects HTTP requests to HTTPS.
SecurityStack: Composable security middleware stack for Axum.

Enums§

CrossOriginEmbedderPolicy: Value for the Cross-Origin-Embedder-Policy header.
CrossOriginOpenerPolicy: Value for the Cross-Origin-Opener-Policy header.
CrossOriginResourcePolicy: Value for the Cross-Origin-Resource-Policy header.
FilterMode: Whether the CIDR list is an allowlist or a blocklist.
IpSource: Determines how the client IP is extracted from the request.
KeyExtractor: Determines how a per-client key is extracted from the request.
ReferrerPolicy: Value for the Referrer-Policy header.
XFrameOptions: Value for the X-Frame-Options header.