Expand description
Security and privacy headers for all outgoing responses.
The Shield
fairing provides a typed interface for injecting HTTP
security and privacy headers into all outgoing responses. It takes some
inspiration from helmetjs, a similar piece of middleware for express.
Supported Headers
HTTP Header | Description | Policy | Default? |
---|---|---|---|
X-XSS-Protection | Prevents some reflected XSS attacks. | XssFilter | ✗ |
X-Content-Type-Options | Prevents client sniffing of MIME type. | NoSniff | ✔ |
X-Frame-Options | Prevents clickjacking. | Frame | ✔ |
Strict-Transport-Security | Enforces strict use of HTTPS. | Hsts | ? |
Expect-CT | Enables certificate transparency. | ExpectCt | ✗ |
Referrer-Policy | Enables referrer policy. | Referrer | ✗ |
X-DNS-Prefetch-Control | Controls browser DNS prefetching. | Prefetch | ✗ |
Permissions-Policy | Allows or block browser features. | Permission | ✔ |
? If TLS is enabled in a non-debug profile, HSTS is automatically enabled with its default policy and a warning is logged at liftoff.
Usage
By default, Shield::default()
is attached to all instances Rocket. To
change the default, including removing all Shield
headers, attach a
configured instance of Shield
:
use rocket::shield::Shield;
#[launch]
fn rocket() -> _ {
// Remove all `Shield` headers.
rocket::build().attach(Shield::new())
}
Each header can be configured individually. To enable a particular header,
call the chainable enable()
method
on an instance of Shield
, passing in the configured policy type.
Similarly, to disable a header, call the chainable
disable()
method on an instance of
Shield
:
use time::Duration;
use rocket::http::uri::Uri;
use rocket::shield::{Shield, Referrer, Prefetch, ExpectCt, NoSniff};
let report_uri = uri!("https://report.rocket.rs");
let shield = Shield::default()
.enable(Referrer::NoReferrer)
.enable(Prefetch::Off)
.enable(ExpectCt::ReportAndEnforce(Duration::days(30), report_uri))
.disable::<NoSniff>();
FAQ
-
Which policies should I choose?
See the links in the table above for individual header documentation. The helmetjs docs are also a good resource, and OWASP has a collection of references on these headers.
-
Do I need any headers beyond what
Shield
enables by default?Maybe! The other headers may protect against many important vulnerabilities. Please consult their documentation and other resources to determine if they are needed for your project.
Structs
- The Permissions-Policy header: allow or block the use of browser features.
- A
Fairing
that injects browser security and privacy headers into all outgoing responses.
Enums
- Specifies the origin(s) allowed to access a browser
Feature
viaPermission
. - The Expect-CT header: enables reporting and/or enforcement of Certificate Transparency.
- A browser feature that can be enabled or blocked via
Permission
. - The X-Frame-Options header: helps prevent clickjacking attacks.
- The HTTP Strict-Transport-Security (HSTS) header: enforces strict HTTPS usage.
- The X-DNS-Prefetch-Control header: controls browser DNS prefetching.
- The Referrer-Policy header: controls the value set by the browser for the Referer header.
- The X-XSS-Protection header: filters some forms of reflected XSS attacks. Modern browsers do not support or enforce this header.
Traits
- Trait implemented by security and privacy policy headers.