Expand description
salvo-helmet is a security middleware for the Salvo web framework that sets various HTTP headers to help protect your app.
salvo_helmet::Helmet is a handler that automatically sets security headers on all responses.
It is based on the Helmet library for Node.js and is highly configurable.
§Usage
use salvo::prelude::*;
use salvo_helmet::{Helmet, HelmetHandler};
#[handler]
async fn index() -> &'static str {
"Hello, world!"
}
#[tokio::main]
async fn main() {
let handler: HelmetHandler = Helmet::default().try_into().unwrap();
let router = Router::with_hoop(handler).get(index);
let acceptor = TcpListener::new("0.0.0.0:3000").bind().await;
Server::new(acceptor).serve(router).await;
}By default Helmet will set the following headers:
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.
§Configuration
By default if you construct a new instance of Helmet it will not set any headers.
It is possible to configure Helmet to set only the headers you want, by using the add method.
use salvo::prelude::*;
use salvo_helmet::{Helmet, HelmetHandler, ContentSecurityPolicy, CrossOriginOpenerPolicy};
#[handler]
async fn index() -> &'static str {
"Hello, world!"
}
#[tokio::main]
async fn main() {
let handler: HelmetHandler = Helmet::new()
.add(
ContentSecurityPolicy::new()
.default_src(vec!["'self'"])
.script_src(vec!["'self'", "https://cdn.example.com"]),
)
.add(CrossOriginOpenerPolicy::same_origin_allow_popups())
.try_into()
.unwrap();
let router = Router::with_hoop(handler).get(index);
let acceptor = TcpListener::new("0.0.0.0:3000").bind().await;
Server::new(acceptor).serve(router).await;
}Structs§
- Content
Security Policy - Manages
Content-Security-Policyheader - Helmet
- Helmet header configuration wrapper.
- Helmet
Handler - The Salvo handler created by converting a
Helmetconfiguration. - Origin
Agent Cluster - Manages
Origin-Agent-Clusterheader - Strict
Transport Security - Manages
Strict-Transport-Securityheader - XPowered
By - Manages
X-Powered-Byheader - XXSS
Protection - Manages
X-XSS-Protectionheader
Enums§
- Cross
Origin Embedder Policy - Manages
Cross-Origin-Embedder-Policyheader - Cross
Origin Opener Policy - Manages
Cross-Origin-Opener-Policyheader - Cross
Origin Resource Policy - Manages
Cross-Origin-Resource-Policyheader - Helmet
Error - Error returned when a header name or value cannot be converted to a valid HTTP header.
- Referrer
Policy - Manages
Referrer-Policyheader - XContent
Type Options - Manages
X-Content-Type-Optionsheader - XDNS
Prefetch Control - Manages
X-DNS-Prefetch-Controlheader - XDownload
Options - Manages
X-Download-Optionsheader - XFrame
Options - Manages
X-Frame-Optionsheader - XPermitted
Cross Domain Policies - Manages
X-Permitted-Cross-Domain-Policiesheader
Type Aliases§
- Header
- Header trait