tower-helmet

A port of the beautiful helmet.js from the JavaScript world.

tower-helmet helps you secure your tower server by setting various HTTP headers. It's not a silver bullet, but it can help!

You can find a list of all available headers under the [header] module. By default (with [HelmetLayer::default]) all of them are enabled. Please take a good look at [ContentSecurityPolicy]. Most of the time you will need to adapt this one to your needs.

Examples

```rust
use std::collections::HashMap;

use tower_helmet::header::{ContentSecurityPolicy, ExpectCt, XFrameOptions};
use tower_helmet::HelmetLayer;

// default layer with all security headers active
let layer = HelmetLayer::default();

// default layer with customizations applied
let mut directives = HashMap::new();
directives.insert("default-src", vec!["'self'", "https://example.com"]);
directives.insert("img-src", vec!["'self'", "data:", "https://example.com"]);
directives.insert("script-src", vec!["'self'", "'unsafe-inline'", "https://example.com"]);
let csp = ContentSecurityPolicy {
    directives,
    ..Default::default()
};

let layer = HelmetLayer::default()
    .disable_strict_transport_security()
    .disable_cross_origin_embedder_policy()
    .content_security_policy(csp);

// completely blank layer, selectively enable and add headers
let layer = HelmetLayer::new()
    .x_frame_options(XFrameOptions::SameOrigin)
    .expect_ct(ExpectCt::default());
```
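
The customized directive map above allows `'unsafe-inline'` in `script-src`, so it helps to review what a policy permits before enabling it. The following is an added, standard-library-only example, not code from tower-helmet: `page_directives`, `render_csp` and `risky_script_sources` are hypothetical helpers, the rendering follows generic CSP header syntax rather than the crate's own serializer, and the `RISKY` list is an assumed, non-exhaustive set.

```rust
use std::collections::BTreeMap;

type Directives<'a> = BTreeMap<&'a str, Vec<&'a str>>;

// Assumed, non-exhaustive list of sources that weaken script restrictions.
const RISKY: [&str; 5] = ["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:"];

/// The directive set from the example above (BTreeMap gives a stable order).
fn page_directives() -> Directives<'static> {
    let mut d = BTreeMap::new();
    d.insert("default-src", vec!["'self'", "https://example.com"]);
    d.insert("img-src", vec!["'self'", "data:", "https://example.com"]);
    d.insert("script-src", vec!["'self'", "'unsafe-inline'", "https://example.com"]);
    d
}

/// Serialize directives in CSP header syntax: `name src src; name src`.
fn render_csp(d: &Directives<'_>) -> String {
    d.iter()
        .map(|(name, sources)| format!("{} {}", name, sources.join(" ")))
        .collect::<Vec<_>>()
        .join("; ")
}

/// Report risky sources governing script execution. Per CSP fallback rules,
/// default-src applies to scripts only when script-src is absent.
fn risky_script_sources<'a>(d: &Directives<'a>) -> Vec<(&'a str, &'a str)> {
    let name = if d.contains_key("script-src") { "script-src" } else { "default-src" };
    let mut findings = Vec::new();
    if let Some(sources) = d.get(name) {
        for src in sources {
            if RISKY.contains(src) {
                findings.push((name, *src));
            }
        }
    }
    findings
}

fn main() {
    let d = page_directives();
    println!("Content-Security-Policy: {}", render_csp(&d));
    for (directive, source) in risky_script_sources(&d) {
        println!("review: {} allows {}", directive, source);
    }
}
```

Note that `data:` in `img-src` is not reported, because only the directive that governs scripts is checked.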