Go to file
Wynd 460eb62db9 Bumped up package version 2023-12-29 12:44:42 +02:00
src add derives 2022-11-09 22:25:18 +01:00
.gitignore initial wip 2021-12-22 19:43:56 +01:00
Cargo.toml Bumped up package version 2023-12-29 12:44:42 +02:00
LICENSE initial wip 2021-12-22 19:43:56 +01:00
README.md overhaul library 2022-04-12 21:41:22 +02:00



Crates.io Documentation License

this is still very work in progress

a port of the beautiful helmet.js in the javascript world.

tower-helmet helps you secure your tower server by setting various HTTP headers. It's not a silver bullet, but it can help!

You can find a list of all available headers under the [header] module. By default (with [HelmetLayer::default]) all of them are enabled. Please take a good look at [ContentSecurityPolicy]. Most of the time you will need to adapt this one to your needs.


use tower_helmet::header::{ContentSecurityPolicy, ExpectCt, XFrameOptions};
use tower_helmet::HelmetLayer;

// default layer with all security headers active
let layer = HelmetLayer::with_defaults();

// default layer with customizations applied
let mut directives = HashMap::new();
directives.insert("default-src", vec!["'self'", "https://example.com"]);
directives.insert("img-src", vec!["'self'", "data:", "https://example.com"]);
directives.insert("script-src", vec!["'self'", "'unsafe-inline'", "https://example.com"]);
let csp = ContentSecurityPolicy {

let layer = HelmetLayer::with_defaults().enable(csp);

// completely blank layer, selectively enable and add headers
let layer = HelmetLayer::blank()