Expand description
tide-helmet is a security middleware for the Tide web framework that sets various HTTP headers to help protect your app.
tide_helmet::Helmet is a middleware that automatically sets security headers on all responses.
It is based on the Helmet library for Node.js and is highly configurable.
§Usage
use tide_helmet::Helmet;
#[async_std::main]
async fn main() -> tide::Result<()> {
let mut app = tide::new();
app.with(Helmet::default());
app.at("/").get(|_| async { Ok("Hello, world!") });
app.listen("0.0.0.0:3000").await?;
Ok(())
}By default Helmet will set the following headers:
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.
§Configuration
By default if you construct a new instance of Helmet it will not set any headers.
It is possible to configure Helmet to set only the headers you want, by using the add method to add headers.
use tide_helmet::{Helmet, ContentSecurityPolicy, CrossOriginOpenerPolicy};
#[async_std::main]
async fn main() -> tide::Result<()> {
let mut app = tide::new();
app.with(
Helmet::new()
.add(
ContentSecurityPolicy::new()
.default_src(vec!["'self'"])
.script_src(vec!["'self'", "https://cdn.example.com"]),
)
.add(CrossOriginOpenerPolicy::same_origin_allow_popups()),
);
app.at("/").get(|_| async { Ok("Hello, world!") });
app.listen("0.0.0.0:3000").await?;
Ok(())
}Structs§
- Content
Security Policy - Manages
Content-Security-Policyheader - Helmet
- Helmet middleware for Tide.
- Origin
Agent Cluster - Manages
Origin-Agent-Clusterheader - Strict
Transport Security - Manages
Strict-Transport-Securityheader - XPowered
By - Manages
X-Powered-Byheader - XXSS
Protection - Manages
X-XSS-Protectionheader
Enums§
- Cross
Origin Embedder Policy - Manages
Cross-Origin-Embedder-Policyheader - Cross
Origin Opener Policy - Manages
Cross-Origin-Opener-Policyheader - Cross
Origin Resource Policy - Manages
Cross-Origin-Resource-Policyheader - Helmet
Error - Error returned when a header name or value cannot be converted to a valid HTTP header.
- Referrer
Policy - Manages
Referrer-Policyheader - XContent
Type Options - Manages
X-Content-Type-Optionsheader - XDNS
Prefetch Control - Manages
X-DNS-Prefetch-Controlheader - XDownload
Options - Manages
X-Download-Optionsheader - XFrame
Options - Manages
X-Frame-Optionsheader - XPermitted
Cross Domain Policies - Manages
X-Permitted-Cross-Domain-Policiesheader
Type Aliases§
- Header
- Header trait