Crate tower_helmet

§Overview

tower-helmet helps you secure your tower server by setting various HTTP headers. It’s not a silver bullet, but it can help!

You can find a list of all available headers under the header module. By default (with HelmetLayer::with_defaults) all of them are enabled. Please take a good look at ContentSecurityPolicy. Most of the time you will need to adapt this one to your needs.

§Examples

```rust
use std::collections::HashMap;

use tower_helmet::header::{ContentSecurityPolicy, ExpectCt, XFrameOptions};
use tower_helmet::HelmetLayer;

// default layer with all security headers active
let layer = HelmetLayer::with_defaults();

// default layer with csp customizations applied
let mut directives = HashMap::new();
directives.insert("default-src", vec!["'self'", "https://example.com"]);
directives.insert("img-src", vec!["'self'", "data:", "https://example.com"]);
// 'unsafe-inline' permits inline scripts and event handlers, which removes most
// of CSP's XSS protection; prefer nonces or hashes where you can.
directives.insert(
    "script-src",
    vec!["'self'", "'unsafe-inline'", "https://example.com"],
);
let csp = ContentSecurityPolicy {
    directives,
    ..Default::default()
};

let layer = HelmetLayer::with_defaults().enable(csp);

// completely blank layer, selectively enable and add headers
let layer = HelmetLayer::blank()
    .enable(XFrameOptions::SameOrigin)
    .enable(ExpectCt::default());
```
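
A std-only check to go with the advice above about adapting ContentSecurityPolicy, added here as an illustration and not part of tower-helmet's code or API: it renders a directive map shaped like the one in the example into a header value and flags script sources that weaken the policy. `Directives`, `render_csp` and `lint_scripts` are hypothetical names, and the `BTreeMap` is an assumption of this sketch.

```rust
use std::collections::BTreeMap;

// Directive name -> sources, the same shape as the `directives` map above.
// BTreeMap (an assumption of this sketch) keeps the rendered order stable.
type Directives = BTreeMap<&'static str, Vec<&'static str>>;

/// Serialize directives into a Content-Security-Policy header value.
fn render_csp(d: &Directives) -> String {
    let parts: Vec<String> = d.iter()
        .map(|(name, srcs)| format!("{} {}", name, srcs.join(" ")))
        .collect();
    parts.join("; ")
}

/// Report script sources that weaken the policy. `script-src` falls back to
/// `default-src` when it is absent, as browsers do.
fn lint_scripts(d: &Directives) -> Vec<String> {
    let srcs = match d.get("script-src").or_else(|| d.get("default-src")) {
        Some(s) => s,
        None => return vec!["no script-src or default-src: scripts are unrestricted".to_string()],
    };
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    let has_nonce_or_hash = srcs.iter().any(|s| {
        ["'nonce-", "'sha256-", "'sha384-", "'sha512-"].iter().any(|p| s.starts_with(*p))
    });
    let mut findings = Vec::new();
    for s in srcs {
        let why = match *s {
            "'unsafe-inline'" if has_nonce_or_hash => continue,
            "'unsafe-inline'" => "allows inline <script> and event handlers",
            "'unsafe-eval'" => "allows eval() and similar string-to-code APIs",
            "*" | "http:" | "https:" | "data:" => "overly broad source for scripts",
            _ => continue,
        };
        findings.push(format!("{}: {}", s, why));
    }
    findings
}

fn main() {
    // Constructed input: default-src and script-src from the example above.
    let mut d = Directives::new();
    d.insert("default-src", vec!["'self'", "https://example.com"]);
    d.insert("script-src", vec!["'self'", "'unsafe-inline'", "https://example.com"]);
    println!("Content-Security-Policy: {}", render_csp(&d));
    for f in lint_scripts(&d) {
        println!("finding: {}", f);
    }
}
```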
