Struct tower_http::cors::CorsLayer

source ·
pub struct CorsLayer { /* private fields */ }
Expand description

Layer that applies the Cors middleware which adds headers for CORS.

See the module docs for an example.

Implementations§

source§

impl CorsLayer

source

pub fn new() -> Self

Create a new CorsLayer.

No headers are sent by default. Use the builder methods to customize the behavior.

You need to set at least an allowed origin for browsers to make successful cross-origin requests to your service.

source

pub fn permissive() -> Self

A permissive configuration:

  • All request headers allowed.
  • All methods allowed.
  • All origins allowed.
  • All headers exposed.
source

pub fn very_permissive() -> Self

A very permissive configuration:

  • Credentials allowed.
  • The method received in Access-Control-Request-Method is sent back as an allowed method.
  • The origin of the preflight request is sent back as an allowed origin.
  • The header names received in Access-Control-Request-Headers are sent back as allowed headers.
  • No headers are currently exposed, but this may change in the future.
source

pub fn allow_credentials<T>(self, allow_credentials: T) -> Selfwhere T: Into<AllowCredentials>,

Set the Access-Control-Allow-Credentials header.

use tower_http::cors::CorsLayer;

let layer = CorsLayer::new().allow_credentials(true);
source

pub fn allow_headers<T>(self, headers: T) -> Selfwhere T: Into<AllowHeaders>,

Set the value of the Access-Control-Allow-Headers header.

use tower_http::cors::CorsLayer;
use http::header::{AUTHORIZATION, ACCEPT};

let layer = CorsLayer::new().allow_headers([AUTHORIZATION, ACCEPT]);

All headers can be allowed with

use tower_http::cors::{Any, CorsLayer};

let layer = CorsLayer::new().allow_headers(Any);

Note that multiple calls to this method will override any previous calls.

Also note that Access-Control-Allow-Headers is required for requests that have Access-Control-Request-Headers.

source

pub fn max_age<T>(self, max_age: T) -> Selfwhere T: Into<MaxAge>,

Set the value of the Access-Control-Max-Age header.

use std::time::Duration;
use tower_http::cors::CorsLayer;

let layer = CorsLayer::new().max_age(Duration::from_secs(60) * 10);

By default the header will not be set which disables caching and will require a preflight call for all requests.

Note that each browser has a maximum internal value that takes precedence when the Access-Control-Max-Age is greater. For more details see mdn.

If you need more flexibility, you can use supply a function which can dynamically decide the max-age based on the origin and other parts of each preflight request:

use std::time::Duration;

use http::{request::Parts as RequestParts, HeaderValue};
use tower_http::cors::{CorsLayer, MaxAge};

let layer = CorsLayer::new().max_age(MaxAge::dynamic(
    |_origin: &HeaderValue, parts: &RequestParts| -> Duration {
        // Let's say you want to be able to reload your config at
        // runtime and have another middleware that always inserts
        // the current config into the request extensions
        let config = parts.extensions.get::<MyServerConfig>().unwrap();
        config.cors_max_age
    },
));
source

pub fn allow_methods<T>(self, methods: T) -> Selfwhere T: Into<AllowMethods>,

Set the value of the Access-Control-Allow-Methods header.

use tower_http::cors::CorsLayer;
use http::Method;

let layer = CorsLayer::new().allow_methods([Method::GET, Method::POST]);

All methods can be allowed with

use tower_http::cors::{Any, CorsLayer};

let layer = CorsLayer::new().allow_methods(Any);

Note that multiple calls to this method will override any previous calls.

source

pub fn allow_origin<T>(self, origin: T) -> Selfwhere T: Into<AllowOrigin>,

Set the value of the Access-Control-Allow-Origin header.

use http::HeaderValue;
use tower_http::cors::CorsLayer;

let layer = CorsLayer::new().allow_origin(
    "http://example.com".parse::<HeaderValue>().unwrap(),
);

Multiple origins can be allowed with

use tower_http::cors::CorsLayer;

let origins = [
    "http://example.com".parse().unwrap(),
    "http://api.example.com".parse().unwrap(),
];

let layer = CorsLayer::new().allow_origin(origins);

All origins can be allowed with

use tower_http::cors::{Any, CorsLayer};

let layer = CorsLayer::new().allow_origin(Any);

You can also use a closure

use tower_http::cors::{CorsLayer, AllowOrigin};
use http::{request::Parts as RequestParts, HeaderValue};

let layer = CorsLayer::new().allow_origin(AllowOrigin::predicate(
    |origin: &HeaderValue, _request_parts: &RequestParts| {
        origin.as_bytes().ends_with(b".rust-lang.org")
    },
));

Note that multiple calls to this method will override any previous calls.

source

pub fn expose_headers<T>(self, headers: T) -> Selfwhere T: Into<ExposeHeaders>,

Set the value of the Access-Control-Expose-Headers header.

use tower_http::cors::CorsLayer;
use http::header::CONTENT_ENCODING;

let layer = CorsLayer::new().expose_headers([CONTENT_ENCODING]);

All headers can be allowed with

use tower_http::cors::{Any, CorsLayer};

let layer = CorsLayer::new().expose_headers(Any);

Note that multiple calls to this method will override any previous calls.

source

pub fn vary<T>(self, headers: T) -> Selfwhere T: Into<Vary>,

Set the value(s) of the Vary header.

In contrast to the other headers, this one has a non-empty default of preflight_request_headers().

You only need to set this is you want to remove some of these defaults, or if you use a closure for one of the other headers and want to add a vary header accordingly.

Trait Implementations§

source§

impl Clone for CorsLayer

source§

fn clone(&self) -> CorsLayer

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for CorsLayer

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
source§

impl Default for CorsLayer

source§

fn default() -> Self

Returns the “default value” for a type. Read more
source§

impl<S> Layer<S> for CorsLayer

§

type Service = Cors<S>

The wrapped service
source§

fn layer(&self, inner: S) -> Self::Service

Wrap the given service with the middleware, returning a new service that has been decorated with the middleware.

Auto Trait Implementations§

Blanket Implementations§

source§

impl<T> Any for Twhere T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for Twhere T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for Twhere T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for Twhere U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> ToOwned for Twhere T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for Twhere U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for Twhere U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.