rust_webx_host/
security_headers.rs1use rust_webx_core::error::Result;
6use rust_webx_core::http::IHttpContext;
7use rust_webx_core::middleware::IMiddleware;
8use std::ops::ControlFlow;
9
10pub struct SecurityHeadersMiddleware;
12
13impl SecurityHeadersMiddleware {
14 pub fn new() -> Self {
16 Self
17 }
18}
19
20impl Default for SecurityHeadersMiddleware {
21 fn default() -> Self {
22 Self::new()
23 }
24}
25
26#[async_trait::async_trait]
27impl IMiddleware for SecurityHeadersMiddleware {
28 async fn invoke(&self, ctx: &mut dyn IHttpContext) -> Result<ControlFlow<()>> {
29 let resp = ctx.response_mut();
30
31 resp.set_header("x-content-type-options", "nosniff");
33
34 resp.set_header("x-frame-options", "DENY");
36
37 resp.set_header("strict-transport-security", "max-age=31536000; includeSubDomains");
39
40 resp.set_header("referrer-policy", "strict-origin-when-cross-origin");
42
43 resp.set_header(
45 "permissions-policy",
46 "camera=(), microphone=(), geolocation=()",
47 );
48
49 resp.set_header("cache-control", "no-store");
51
52 Ok(ControlFlow::Continue(()))
53 }
54}