Expand description
warp-helmet is a security middleware for the Warp web framework that sets various HTTP headers to help protect your app.
warp_helmet::Helmet wraps a Warp filter to automatically set security headers on all responses.
It is based on the Helmet library for Node.js and is highly configurable.
§Usage
use warp::Filter;
use warp_helmet::{Helmet, HelmetFilter};
#[tokio::main]
async fn main() {
let helmet: HelmetFilter = Helmet::default().try_into().unwrap();
let route = helmet.wrap(
warp::path::end().map(|| "Hello, world!")
);
warp::serve(route).run(([127, 0, 0, 1], 3000)).await;
}By default Helmet will set the following headers:
Content-Security-Policy: default-src 'self'; base-uri 'self'; font-src 'self' https: data:; form-action 'self'; frame-ancestors 'self'; img-src 'self' data:; object-src 'none'; script-src 'self'; script-src-attr 'none'; style-src 'self' https: 'unsafe-inline'; upgrade-insecure-requests
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
Origin-Agent-Cluster: ?1
Referrer-Policy: no-referrer
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
X-DNS-Prefetch-Control: off
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 0This might be a good starting point for most users, but it is highly recommended to spend some time with the documentation for each header, and adjust them to your needs.
§Configuration
By default if you construct a new instance of Helmet it will not set any headers.
It is possible to configure Helmet to set only the headers you want, by using the add method.
use warp::Filter;
use warp_helmet::{Helmet, HelmetFilter, ContentSecurityPolicy, CrossOriginOpenerPolicy};
#[tokio::main]
async fn main() {
let helmet: HelmetFilter = Helmet::new()
.add(
ContentSecurityPolicy::new()
.default_src(vec!["'self'"])
.script_src(vec!["'self'", "https://cdn.example.com"]),
)
.add(CrossOriginOpenerPolicy::same_origin_allow_popups())
.try_into()
.unwrap();
let route = helmet.wrap(
warp::path::end().map(|| "Hello, world!")
);
warp::serve(route).run(([127, 0, 0, 1], 3000)).await;
}Structs§
- Content
Security Policy - Manages
Content-Security-Policyheader - Helmet
- Helmet header configuration wrapper.
- Helmet
Filter - The Warp filter wrapper created by converting a
Helmetconfiguration. - Origin
Agent Cluster - Manages
Origin-Agent-Clusterheader - Strict
Transport Security - Manages
Strict-Transport-Securityheader - XPowered
By - Manages
X-Powered-Byheader - XXSS
Protection - Manages
X-XSS-Protectionheader
Enums§
- Cross
Origin Embedder Policy - Manages
Cross-Origin-Embedder-Policyheader - Cross
Origin Opener Policy - Manages
Cross-Origin-Opener-Policyheader - Cross
Origin Resource Policy - Manages
Cross-Origin-Resource-Policyheader - Helmet
Error - Error returned when a header name or value cannot be converted to a valid HTTP header.
- Referrer
Policy - Manages
Referrer-Policyheader - XContent
Type Options - Manages
X-Content-Type-Optionsheader - XDNS
Prefetch Control - Manages
X-DNS-Prefetch-Controlheader - XDownload
Options - Manages
X-Download-Optionsheader - XFrame
Options - Manages
X-Frame-Optionsheader - XPermitted
Cross Domain Policies - Manages
X-Permitted-Cross-Domain-Policiesheader
Type Aliases§
- Header
- Header trait