Skip to main content

rust_web_server/header/
mod.rs

1use crate::client_hint::ClientHint;
2use crate::cors::Cors;
3use crate::ext::date_time_ext::DateTimeExt;
4use crate::ext::string_ext::StringExt;
5use crate::range::Range;
6use crate::request::Request;
7use crate::symbol::SYMBOL;
8
9#[cfg(test)]
10mod tests;
11
12pub mod content_disposition;
13
14#[cfg(test)]
15mod example;
16
17/// An HTTP header name/value pair.
18///
19/// Use the associated string constants (e.g. [`Header::_CONTENT_TYPE`]) for header names.
20/// [`Header::get_header_list`] returns the standard set of response headers (client hints,
21/// CORS, cache control, security headers) that should be included on every response.
22#[derive(PartialEq, Eq, Clone, Debug)]
23pub struct Header {
24    /// Header name, e.g. `"Content-Type"`.
25    pub name: String,
26    /// Header value, e.g. `"application/json"`.
27    pub value: String,
28}
29
30impl Header {
31
32    pub fn as_string(&self) -> String {
33        let formatted = format!("{}: {}", self.name, self.value);
34        formatted
35    }
36
37    pub const _ACCESS_CONTROL_REQUEST_METHOD: &'static str = "Access-Control-Request-Method";
38    pub const _ACCESS_CONTROL_REQUEST_HEADERS: &'static str = "Access-Control-Request-Headers";
39    pub const _ACCESS_CONTROL_ALLOW_ORIGIN: &'static str = "Access-Control-Allow-Origin";
40    pub const _ACCESS_CONTROL_ALLOW_METHODS: &'static str = "Access-Control-Allow-Methods";
41    pub const _ACCESS_CONTROL_ALLOW_HEADERS: &'static str = "Access-Control-Allow-Headers";
42    pub const _ACCESS_CONTROL_ALLOW_CREDENTIALS: &'static str = "Access-Control-Allow-Credentials";
43    pub const _ACCESS_CONTROL_MAX_AGE: &'static str = "Access-Control-Max-Age";
44    pub const _ACCESS_CONTROL_EXPOSE_HEADERS: &'static str = "Access-Control-Expose-Headers";
45
46    pub const _ACCEPT: &'static str = "Accept";
47    pub const _ACCEPT_RANGES: &'static str = "Accept-Ranges";
48    pub const _ACCEPT_CH: &'static str = "Accept-CH";
49    pub const _ACCEPT_ENCODING: &'static str = "Accept-Encoding";
50    pub const _ACCEPT_LANGUAGE: &'static str = "Accept-Language";
51    pub const _ACCEPT_PATCH: &'static str = "Accept-Patch";
52    pub const _ACCEPT_POST: &'static str = "Accept-Post";
53    pub const _AGE: &'static str = "Age";
54    pub const _ALLOW: &'static str = "Allow";
55    pub const _ALT_SVC: &'static str = "Alt-Svc";
56    pub const _AUTHORIZATION: &'static str = "Authorization";
57    pub const _CACHE_CONTROL: &'static str = "Cache-Control";
58    pub const _CONNECTION: &'static str = "Connection";
59    pub const _CLEAR_SITE_DATA: &'static str = "Clear-Site-Data";
60    pub const _CONTENT_TYPE: &'static str = "Content-Type";
61    pub const _CONTENT_LENGTH: &'static str = "Content-Length";
62    pub const _CONTENT_RANGE: &'static str = "Content-Range";
63    pub const _CONTENT_DISPOSITION: &'static str = "Content-Disposition";
64    pub const _CONTENT_ENCODING: &'static str = "Content-Encoding";
65    pub const _CONTENT_LANGUAGE: &'static str = "Content-Language";
66    pub const _CONTENT_LOCATION: &'static str = "Content-Location";
67    pub const _CONTENT_SECURITY_POLICY: &'static str = "Content-Security-Policy";
68    pub const _CONTENT_SECURITY_POLICY_REPORT_ONLY: &'static str = "Content-Security-Policy-Report-Only";
69    pub const _COOKIE: &'static str = "Cookie";
70    pub const _CROSS_ORIGIN_EMBEDDER_POLICY: &'static str = "Cross-Origin-Embedder-Policy";
71    pub const _CROSS_ORIGIN_OPENER_POLICY: &'static str = "Cross-Origin-Opener-Policy";
72    pub const _CROSS_ORIGIN_RESOURCE_POLICY: &'static str = "Cross-Origin-Resource-Policy";
73    pub const _DATE: &'static str = "Date";
74    pub const _DATE_UNIX_EPOCH_NANOS: &'static str = "Date-Unix-Epoch-Nanos";
75    pub const _DEVICE_MEMORY: &'static str = "Device-Memory";
76    pub const _DIGEST: &'static str = "Digest";
77    pub const _DOWNLINK: &'static str = "Downlink";
78    pub const _EARLY_DATA: &'static str = "Early-Data";
79    pub const _ECT: &'static str = "ECT";
80    pub const _ETAG: &'static str = "ETag";
81    pub const _EXPECT: &'static str = "Expect";
82    pub const _EXPIRES: &'static str = "Expires";
83    pub const _FEATURE_POLICY: &'static str = "Feature-Policy";
84    pub const _PERMISSIONS_POLICY: &'static str = "Permissions-Policy";
85    pub const _FORWARDED: &'static str = "Forwarded";
86    pub const _FROM: &'static str = "From";
87    pub const _HOST: &'static str = "Host";
88    pub const _IF_MATCH: &'static str = "If-Match";
89    pub const _IF_MODIFIED_SINCE: &'static str = "If-Modified-Since";
90    pub const _IF_NONE_MATCH: &'static str = "If-None-Match";
91    pub const _IF_RANGE: &'static str = "If-Range";
92    pub const _IF_UNMODIFIED_SINCE: &'static str = "If-Unmodified-Since";
93    pub const _LAST_MODIFIED: &'static str = "Last-Modified";
94    pub const _LAST_MODIFIED_UNIX_EPOCH_NANOS: &'static str = "Last-Modified-Unix-Epoch-Nanos";
95    pub const _LINK: &'static str = "Link";
96    pub const _LOCATION: &'static str = "Location";
97    pub const _MAX_FORWARDS: &'static str = "Max-Forwards";
98    pub const _NEL: &'static str = "NEL";
99    pub const _ORIGIN: &'static str = "Origin";
100    pub const _PROXY_AUTHENTICATE: &'static str = "Proxy-Authenticate";
101    pub const _PROXY_AUTHORIZATION: &'static str = "Proxy-Authorization";
102    pub const _RANGE: &'static str = "Range";
103    pub const _REFERER: &'static str = "Referer";
104    pub const _REFERRER_POLICY: &'static str = "Referrer-Policy";
105    pub const _RETRY_AFTER: &'static str = "Retry-After";
106    pub const _RTT: &'static str = "RTT";
107    pub const _SAVE_DATA: &'static str = "Save-Data";
108    pub const _SEC_CH_UA: &'static str = "Sec-CH-UA";
109    pub const _SEC_CH_UA_ARCH: &'static str = "Sec-CH-UA-Arch";
110    pub const _SEC_CH_UA_BITNESS: &'static str = "Sec-CH-UA-Bitness";
111    pub const _SEC_CH_UA_FULL_VERSION_LIST: &'static str = "Sec-CH-UA-Full-Version-List";
112    pub const _SEC_CH_UA_MOBILE: &'static str = "Sec-CH-UA-Mobile";
113    pub const _SEC_CH_UA_MODEL: &'static str = "Sec-CH-UA-Model";
114    pub const _SEC_CH_UA_PLATFORM: &'static str = "Sec-CH-UA-Platform";
115    pub const _SEC_CH_UA_PLATFORM_VERSION: &'static str = "Sec-CH-UA-Platform-Version";
116    pub const _SEC_FETCH_DEST: &'static str = "Sec-Fetch-Dest";
117    pub const _SEC_FETCH_MODE: &'static str = "Sec-Fetch-Mode";
118    pub const _SEC_FETCH_SITE: &'static str = "Sec-Fetch-Site";
119    pub const _SEC_FETCH_USER: &'static str = "Sec-Fetch-User";
120    pub const _SEC_GPC: &'static str = "Sec-GPC";
121    pub const _SERVER: &'static str = "Server";
122    pub const _SERVER_TIMING: &'static str = "Server-Timing";
123    pub const _SERVICE_WORKER_NAVIGATION_PRELOAD: &'static str = "Service-Worker-Navigation-Preload";
124    pub const _SET_COOKIE: &'static str = "Set-Cookie";
125    pub const _SOURCE_MAP: &'static str = "SourceMap";
126    pub const _STRICT_TRANSPORT_SECURITY: &'static str = "Strict-Transport-Security";
127    pub const _TE: &'static str = "TE";
128    pub const _TIMING_ALLOW_ORIGIN: &'static str = "Timing-Allow-Origin";
129    pub const _TRAILER: &'static str = "Trailer";
130    pub const _TRANSFER_ENCODING: &'static str = "Transfer-Encoding";
131    pub const _UPGRADE: &'static str = "Upgrade";
132    pub const _UPGRADE_INSECURE_REQUESTS: &'static str = "Upgrade-Insecure-Requests";
133    pub const _USER_AGENT: &'static str = "User-Agent";
134    pub const _VARY: &'static str = "Vary";
135    pub const _VIA: &'static str = "Via";
136    pub const _WANT_DIGEST: &'static str = "Want-Digest";
137    pub const _WWW_AUTHENTICATE: &'static str = "WWW-Authenticate";
138    pub const _X_CONTENT_TYPE_OPTIONS: &'static str = "X-Content-Type-Options";
139    pub const _X_CONTENT_TYPE_OPTIONS_VALUE_NOSNIFF: &'static str = "nosniff";
140    pub const _X_FRAME_OPTIONS: &'static str = "X-Frame-Options";
141    pub const _X_FRAME_OPTIONS_VALUE_DENY: &'static str = "DENY";
142    pub const _X_FRAME_OPTIONS_VALUE_SAME_ORIGIN: &'static str = "SAMEORIGIN";
143
144    pub const _STRICT_TRANSPORT_SECURITY_VALUE_DEFAULT: &'static str = "max-age=31536000; includeSubDomains";
145    pub const _REFERRER_POLICY_VALUE_DEFAULT: &'static str = "strict-origin-when-cross-origin";
146    pub const _PERMISSIONS_POLICY_VALUE_DEFAULT: &'static str = "geolocation=(), microphone=(), camera=()";
147    pub const _CONTENT_SECURITY_POLICY_VALUE_DEFAULT: &'static str = "default-src 'self'";
148
149
150
151
152    pub const NAME_VALUE_SEPARATOR: &'static str = ": ";
153
154    pub const _DO_NOT_STORE_CACHE: &'static str = "no-store, no-cache, private, max-age=0, must-revalidate, proxy-revalidate";
155
156
157
158    /// Build the standard response header list using settings from
159    /// [`ServerConfig`].
160    ///
161    /// Prefer this method inside [`App::execute`] and any call-site that has
162    /// an `App`-level config available. It avoids reading environment variables
163    /// at request time, which enables proper test isolation via
164    /// [`App::with_config`].
165    pub fn get_header_list_with_config(
166        request: &Request,
167        config: &crate::server_config::ServerConfig,
168    ) -> Vec<Header> {
169        let cors_vary = Cors::get_vary_header_value();
170        let mut vary_value = vec![cors_vary];
171
172        let mut header_list = Cors::get_headers_from_config(request, config);
173
174        let client_hint_header = ClientHint::get_accept_client_hints_header();
175        header_list.push(client_hint_header);
176
177        let critical_client_hint_header = ClientHint::get_critical_client_hints_header();
178        header_list.push(critical_client_hint_header);
179
180        let client_hint_vary = ClientHint::get_vary_header_value();
181        vary_value.push(client_hint_vary);
182
183        header_list.push(Header {
184            name: Header::_VARY.to_string(),
185            value: vary_value.join(", "),
186        });
187
188        header_list.push(Header::get_x_content_type_options_header());
189        header_list.push(Header::get_accept_ranges_header());
190        header_list.push(Header::get_x_frame_options_header());
191        header_list.push(Header::get_date_iso_8601_header());
192        header_list.push(Header::get_no_cache_header());
193
194        header_list.push(Header {
195            name: Header::_REFERRER_POLICY.to_string(),
196            value: Header::_REFERRER_POLICY_VALUE_DEFAULT.to_string(),
197        });
198        header_list.push(Header {
199            name: Header::_PERMISSIONS_POLICY.to_string(),
200            value: Header::_PERMISSIONS_POLICY_VALUE_DEFAULT.to_string(),
201        });
202
203        if !config.csp.is_empty() {
204            header_list.push(Header {
205                name: Header::_CONTENT_SECURITY_POLICY.to_string(),
206                value: config.csp.clone(),
207            });
208        }
209
210        header_list
211    }
212
213    /// Build the standard response header list, reading CORS and CSP settings
214    /// from environment variables.
215    ///
216    /// This is the legacy entry point retained for call-sites that do not yet
217    /// have access to a [`ServerConfig`] (e.g. error helpers in
218    /// `src/extract/mod.rs`). For all call-sites inside [`App::execute`] use
219    /// [`get_header_list_with_config`] instead.
220    pub fn get_header_list(request: &Request) -> Vec<Header> {
221        Self::get_header_list_with_config(request, &crate::server_config::ServerConfig::from_env())
222    }
223
224
225    pub fn get_x_content_type_options_header() -> Header {
226        Header {
227            name: Header::_X_CONTENT_TYPE_OPTIONS.to_string(),
228            value: Header::_X_CONTENT_TYPE_OPTIONS_VALUE_NOSNIFF.to_string(),
229        }
230    }
231
232    pub fn get_accept_ranges_header() -> Header {
233        Header {
234            name: Header::_ACCEPT_RANGES.to_string(),
235            value: Range::BYTES.to_string(),
236        }
237    }
238
239    pub fn get_x_frame_options_header() -> Header {
240        Header {
241            name: Header::_X_FRAME_OPTIONS.to_string(),
242            value: Header::_X_FRAME_OPTIONS_VALUE_SAME_ORIGIN.to_string(),
243        }
244    }
245
246    pub fn get_date_iso_8601_header() -> Header {
247        Header {
248            name: Header::_DATE_UNIX_EPOCH_NANOS.to_string(),
249            value: DateTimeExt::_now_unix_epoch_nanos().to_string(),
250        }
251    }
252
253    pub fn get_no_cache_header() -> Header {
254        Header {
255            name: Header::_CACHE_CONTROL.to_string(),
256            value: Header::_DO_NOT_STORE_CACHE.to_string(),
257        }
258    }
259
260    pub fn get_hsts_header() -> Header {
261        Header {
262            name: Header::_STRICT_TRANSPORT_SECURITY.to_string(),
263            value: Header::_STRICT_TRANSPORT_SECURITY_VALUE_DEFAULT.to_string(),
264        }
265    }
266
267    pub fn parse_header(raw_header: &str) -> Result<Header, String> {
268        let escaped_header = StringExt::filter_ascii_control_characters(raw_header);
269        let escaped_header = StringExt::truncate_new_line_carriage_return(&escaped_header);
270
271        let boxed_split = escaped_header.split_once(SYMBOL.colon);
272        if boxed_split.is_none() {
273            let message = format!("Unable to parse header: {}", escaped_header);
274            return Err(message)
275        }
276
277        let (name, value) = boxed_split.unwrap();
278
279        let header = Header {
280            name: name.trim().to_string(),
281            value: value.trim().to_string(),
282        };
283
284        Ok(header)
285    }
286
287    pub fn parse(raw_header: &str) -> Result<Header, String> {
288        Header::parse_header(raw_header)
289    }
290
291    pub fn generate(&self) -> String {
292        self.as_string()
293    }
294
295}
296