Available on crate feature sensitive-headers only.
Expand description

Middlewares that mark headers as sensitive.

Example

use tower_http::sensitive_headers::SetSensitiveHeadersLayer;
use tower::{Service, ServiceExt, ServiceBuilder, service_fn};
use http::{Request, Response, header::AUTHORIZATION};
use hyper::Body;
use std::{iter::once, convert::Infallible};

async fn handle(req: Request<Body>) -> Result<Response<Body>, Infallible> {
    // ...
}

let mut service = ServiceBuilder::new()
    // Mark the `Authorization` header as sensitive so it doesn't show in logs
    //
    // `SetSensitiveHeadersLayer` will mark the header as sensitive on both the
    // request and response.
    //
    // The middleware is constructed from an iterator of headers to easily mark
    // multiple headers at once.
    .layer(SetSensitiveHeadersLayer::new(once(AUTHORIZATION)))
    .service(service_fn(handle));

// Call the service.
let response = service
    .ready()
    .await?
    .call(Request::new(Body::empty()))
    .await?;

Its important to think about the order in which requests and responses arrive at your middleware. For example to hide headers both on requests and responses when using TraceLayer you have to apply SetSensitiveRequestHeadersLayer before TraceLayer and SetSensitiveResponseHeadersLayer afterwards.

use tower_http::{
    trace::TraceLayer,
    sensitive_headers::{
        SetSensitiveRequestHeadersLayer,
        SetSensitiveResponseHeadersLayer,
    },
};
use tower::{Service, ServiceExt, ServiceBuilder, service_fn};
use http::header;
use std::sync::Arc;

let headers: Arc<[_]> = Arc::new([
    header::AUTHORIZATION,
    header::PROXY_AUTHORIZATION,
    header::COOKIE,
    header::SET_COOKIE,
]);

let service = ServiceBuilder::new()
    .layer(SetSensitiveRequestHeadersLayer::from_shared(Arc::clone(&headers)))
    .layer(TraceLayer::new_for_http())
    .layer(SetSensitiveResponseHeadersLayer::from_shared(headers))
    .service_fn(handle);

Structs

Mark headers as sensitive on both requests and responses.
Mark request headers as sensitive.
Mark response headers as sensitive.

Type Definitions

Mark headers as sensitive on both requests and responses.