Security headers middleware — HSTS / X-Frame-Options / nosniff /
Referrer-Policy / Permissions-Policy / CSP. See security_headers::SecurityHeadersLayer.
Security headers middleware — HSTS, X-Frame-Options, X-Content-Type-Options,
Referrer-Policy, Cross-Origin-Opener-Policy, and a Content-Security-Policy builder.
Django ships these by default via SecurityMiddleware. Rocket auto-attaches a
Shield fairing. This is rustango’s equivalent: it must be added to your router
explicitly, but the presets cover the common cases.
§Quick start
use axum::{routing::get, Router}; // assumption: rustango routers are axum Routers
use rustango::security_headers::{SecurityHeadersLayer, SecurityHeadersRouterExt};
let app = Router::new()
    .route("/api/posts", get(list_posts))
    .security_headers(SecurityHeadersLayer::strict());
§Presets
- [SecurityHeadersLayer::strict] — production: HSTS 1y + preload, XFO=DENY, nosniff, Referrer-Policy=no-referrer, COOP=same-origin, Permissions-Policy locked down
- [SecurityHeadersLayer::relaxed] — embeddable: HSTS 1y, XFO=SAMEORIGIN, nosniff, Referrer-Policy=strict-origin-when-cross-origin
- [SecurityHeadersLayer::dev] — local: nosniff only (HSTS would lock you to https forever)
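A way to confirm that the strict preset is actually reaching clients, as an added example that is not rustango’s own code: it checks a captured set of response headers against the values listed for `strict` above. It assumes the HSTS value is a standard `max-age=...; preload` directive list and, because the exact Permissions-Policy value is not documented here, only checks that the header is present.

```rust
// Added example, not part of rustango: check that a response carries the
// headers the `strict` preset promises (values taken from the Presets list).
// Returns findings; an empty Vec means the response matches the preset.
use std::collections::HashMap;
const ONE_YEAR_SECS: u64 = 31_536_000;

pub fn check_strict_headers(headers: &[(&str, &str)]) -> Vec<String> {
    // Header names are case-insensitive, so normalise them before lookup.
    let map: HashMap<String, &str> =
        headers.iter().map(|(k, v)| (k.to_ascii_lowercase(), v.trim())).collect();
    let mut findings = Vec::new();
    // Headers with one exact expected value under the strict preset.
    let expected = [
        ("x-frame-options", "DENY"),
        ("x-content-type-options", "nosniff"),
        ("referrer-policy", "no-referrer"),
        ("cross-origin-opener-policy", "same-origin"),
    ];
    for (name, want) in expected {
        match map.get(name) {
            None => findings.push(format!("{name}: missing")),
            Some(got) if !got.eq_ignore_ascii_case(want) => {
                findings.push(format!("{name}: expected {want}, got {got}"))
            }
            _ => {}
        }
    }
    // HSTS: max-age of at least one year plus the preload directive.
    match map.get("strict-transport-security") {
        None => findings.push("strict-transport-security: missing".into()),
        Some(v) => {
            let directives: Vec<String> =
                v.split(';').map(|d| d.trim().to_ascii_lowercase()).collect();
            let max_age = directives.iter().find_map(|d| d.strip_prefix("max-age=")?.parse::<u64>().ok());
            match max_age {
                Some(age) if age >= ONE_YEAR_SECS => {}
                Some(age) => findings.push(format!("hsts: max-age {age} is below one year")),
                None => findings.push("hsts: max-age missing or malformed".into()),
            }
            if !directives.iter().any(|d| d == "preload") {
                findings.push("hsts: preload directive missing".into());
            }
        }
    }
    // Permissions-Policy: exact preset value not documented here, so only presence is checked (assumption).
    if !map.contains_key("permissions-policy") {
        findings.push("permissions-policy: missing".into());
    }
    findings
}
```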
§Custom CSP
use rustango::security_headers::{CspBuilder, SecurityHeadersLayer};
let csp = CspBuilder::new()
    .default_src(&["'self'"])
    .script_src(&["'self'", "https://cdn.example.com"])
    .style_src(&["'self'", "'unsafe-inline'"])
    .img_src(&["'self'", "data:", "https:"])
    .build();
let layer = SecurityHeadersLayer::strict().csp(csp);
Structs§
- CspBuilder: Builder for a Content-Security-Policy header value.
- SecurityHeadersLayer: Configuration for the security headers middleware.
Traits§
- SecurityHeadersRouterExt: Extension trait providing .security_headers(layer) on Router.
Functions§
- csp_report_router: Build a router exposing a CSP-violation report endpoint at path (typically /__csp-report). The browser POSTs JSON reports here when a CSP directive is violated; this handler logs them via tracing::warn! so they show up in your normal log pipeline.