Update Rust crate tower-http to 0.7.0 #23

Open: renovate[bot] wants to merge 1 commit into main from renovate/tower-http-0.x

renovate[bot] (Contributor) commented Jun 15, 2026

This PR contains the following updates:

Package      Type          Update  Change
tower-http   dependencies  minor   0.6.8 → 0.7.0

Release Notes

tower-rs/tower-http (tower-http)

v0.7.0

Changes since 0.6.11

Added

  • csrf: add cross-site request forgery (CSRF) protection middleware, porting the cross-origin protection scheme introduced in Go 1.25 (#​699)

    use tower::ServiceBuilder;
    use tower_http::csrf::CsrfLayer;
    
    // Rejects cross-origin state-changing requests using `Sec-Fetch-Site`,
    // an `Origin` allow-list, and an `Origin`/`Host` fallback. No per-request
    // token state required.
    let layer = CsrfLayer::new().add_trusted_origin("https://example.com")?;
    
    let service = ServiceBuilder::new().layer(layer).service_fn(handler);

  • timeout: add DeadlineBody for non-resetting body timeouts, applied via the new RequestBodyDeadlineLayer and ResponseBodyDeadlineLayer (#​688)

    Unlike TimeoutBody, which resets its deadline on every frame, DeadlineBody caps the total time of a body transfer. A slow client trickling one byte at a time never trips an idle timeout but will trip a deadline.

    use std::time::Duration;
    use tower::ServiceBuilder;
    use tower_http::timeout::RequestBodyDeadlineLayer;
    
    // Abort the request body transfer after 30s total, regardless of how
    // frequently data arrives.
    let service = ServiceBuilder::new()
        .layer(RequestBodyDeadlineLayer::new(Duration::from_secs(30)))
        .service_fn(handler);

  • fs: add strong ETag support to ServeDir, including If-Match and If-None-Match precondition handling per RFC 9110. 304 Not Modified responses now carry the ETag and Last-Modified validators (#​691)

  • fs: add a Backend trait to make ServeDir work with non-filesystem sources (e.g. embedded assets or object storage). The default TokioBackend preserves existing behavior. Use ServeDir::with_backend() to plug in custom implementations (#​684)

    use tower_http::services::fs::ServeDir;
    
    // `MyBackend` implements `tower_http::services::fs::Backend`.
    // The default `ServeDir::new()` continues to use `TokioBackend` (local FS).
    let service = ServeDir::with_backend("assets", MyBackend::new());

  • fs: add html_as_default_extension option to ServeDir, appending .html when the request path has no extension (#​519)

  • fs: add redirect_path_prefix option to ServeDir, prepending a prefix on trailing-slash redirects so the service can be mounted under a sub-path (#​486)

  • validate-request: add ValidateRequestHeaderLayer::has_header_value() to reject requests when a header does not have an expected value (#​360)

  • body: UnsyncBoxBody::new() constructor and From<ServeFileSystemResponseBody> conversion to avoid double-boxing when combining ServeDir responses with other body types (#​537)

  • limit: implement Default for limit::ResponseBody when the wrapped body also implements Default (#​679)

Changed

  • breaking: compression: the middleware now handles the * wildcard and identity;q=0 in Accept-Encoding per RFC 9110 §12.5.3. Requests that previously fell back to identity (e.g. *;q=0 or identity;q=0 with no other acceptable encoding) now receive a 406 Not Acceptable response. Clients that explicitly reject all encodings without listing an alternative will see different behavior. (#​693)

  • breaking: compression: upgrade the SizeAbove predicate threshold from u16 to u64, allowing minimum sizes above 64 KiB (#​704)

  • breaking: remove the implicit no-op tokio and async-compression features. These were kept as no-op features in 0.6.x for backwards compatibility after the switch to dep: syntax in #​642. Downstream crates that activate tower-http/tokio or tower-http/async-compression should remove those feature entries; the underlying dependencies are still pulled in transitively by the features that need them (e.g. compression-gzip, fs, timeout). (#​628)

  • breaking: trace/classify: include the gRPC error message in tracing output. GrpcCode and GrpcFailureClass are now #[non_exhaustive], and GrpcStatus is exported from the classify module (#​422)

  • breaking: follow-redirect: FollowRedirect now forwards request Extensions to redirected requests instead of dropping them. The Standard policy drops extensions on cross-origin redirections (same-origin keeps them). Opt out with FollowRedirectLayer::preserve_extensions(false); keep specific types with FilterCredentials::allow_extension::<T>() or all of them with keep_all_extensions(). (#​706)

    use tower_http::follow_redirect::FollowRedirectLayer;
    
    // 0.7.0 forwards request `Extensions` across redirects by default.
    // Restore the previous behavior (drop all extensions) with:
    let layer = FollowRedirectLayer::new().preserve_extensions(false);

  • breaking: follow-redirect: header and extension filtering is now cumulative. A value a policy drops on one hop is no longer replayed on later hops, so FilterCredentials no longer re-sends Cookie/Authorization to a same-origin target reached after a cross-origin hop. Custom Policy::on_request impls now see the previous hop's filtered request, not the original. (#​706)

  • trace: DefaultOnRequest, DefaultOnResponse, DefaultOnFailure, and DefaultOnEos now explicitly parent their tracing events to the request span rather than relying on the ambient span context. This fixes intermittent cases where events could appear without their request span attached (#​690)

  • cors: relax the Vary header defaults (#​674)

  • MSRV bumped from 1.64 to 1.65 (#​684)

Fixed

  • fs: ServeDir and ServeFile now emit a Vary: Accept-Encoding response
    header when precompressed serving is configured, ensuring caches correctly
    distinguish between compressed and uncompressed variants (#​692)
  • breaking: services: reject a trailing slash for file paths. File requests with a trailing slash now return 404 Not Found instead of serving the file (#​678)
  • fs: fix ServeDir stripping the file extension when serving with identity encoding (#​686)
  • compression: forward trailers from the inner body after compression finishes, fixing dropped gRPC status trailers (#​685)
  • trace: fire on_eos when the inner body reports is_end_stream with a precise content-length (#​687)
  • on-early-drop: suppress the early-drop guard when is_end_stream is reported after a data frame (#​687)
  • set-header: make SetMultipleRequestHeaders and SetMultipleResponseHeaders Clone for non-Clone HTTP bodies (#​703)

v0.6.11

Added

  • set-header: add SetMultipleResponseHeadersLayer and
    SetMultipleResponseHeader for setting multiple response headers at once.
    Supports overriding, appending, and if_not_present modes. Header
    values can be fixed or computed dynamically via closures (#​672)

    use http::{Response, header::{self, HeaderValue}};
    use http_body::Body as _;
    use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
    
    let layer = SetMultipleResponseHeadersLayer::overriding(vec![
        (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
        (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
            res.body().size_hint().exact()
                .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
        }).into(),
    ]);

  • set-header: add SetMultipleRequestHeadersLayer and
    SetMultipleRequestHeaders for setting multiple request headers at once,
    mirroring the response-side API (#​677)

  • classify: add From<i32> and From<NonZeroI32> impls for GrpcCode.
    Unrecognized status codes map to GrpcCode::Unknown (#​506)

Changed

  • compression: compress application/grpc-web responses. Previously all
    application/grpc* content types were excluded from compression; now only
    application/grpc (non-web) is excluded (#​408)

Fixed

  • fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests
    when call_fallback_on_method_not_allowed is enabled but no fallback service
    is configured (#​587)
  • fs: remove duplicate cfg attribute on is_reserved_dos_name (#​675)

Full Changelog: tower-rs/tower-http@tower-http-0.6.10...tower-http-0.6.11

v0.6.10

Added

  • follow-redirect: expose Attempt::method() and Attempt::previous_method()
    so redirect policies can react to method changes across redirects (e.g.
    POST to GET on 301/303) (#​559)

Fixed

  • Restore tokio and async-compression as no-op features. These will be
    removed next breaking release (#​667)

Full Changelog: tower-rs/tower-http@tower-http-0.6.9...tower-http-0.6.10

v0.6.9

Added:

  • on-early-drop: middleware that detects when a response future or response
    body is dropped before completion (#​636)

    Two events get hooks: the response future being dropped before
    the inner service produces a response, and the response body being
    dropped before reaching end-of-stream.

    Install custom callbacks with OnEarlyDropLayer::builder():

    use http::Request;
    use tower_http::on_early_drop::{OnBodyDropFn, OnEarlyDropLayer};
    
    let layer = OnEarlyDropLayer::builder()
        .on_future_drop(|req: &Request<()>| {
            let uri = req.uri().clone();
            move || eprintln!("future dropped for {}", uri)
        })
        .on_body_drop(OnBodyDropFn::new(|req: &Request<()>| {
            let uri = req.uri().clone();
            move |parts: &http::response::Parts| {
                let status = parts.status;
                move || eprintln!("body dropped for {} status {}", uri, status)
            }
        }));

    Or route both events through a trace::OnFailure hook with
    EarlyDropsAsFailures. Place this layer inside a TraceLayer so the
    emitted events inherit the request span:

    use tower::ServiceBuilder;
    use tower_http::on_early_drop::{OnEarlyDropLayer, EarlyDropsAsFailures};
    use tower_http::trace::{DefaultOnFailure, TraceLayer};
    
    let stack = ServiceBuilder::new()
        .layer(TraceLayer::new_for_http())
        .layer(OnEarlyDropLayer::new(
            EarlyDropsAsFailures::new(DefaultOnFailure::default()),
        ));

  • fs: make AsyncReadBody::with_capacity public (#​415)

Changed:

  • The implicit async-compression feature is removed (#​642)
  • The implicit tokio feature is removed (#​628)
  • fs: no longer auto-enables the tracing crate feature; enable tracing
    explicitly to restore error logging on ServeDir IO failures (#​614)

Fixed

  • trace: restore failure classification at end-of-stream (#​483)
  • follow-redirect: support unicode URLs (swaps iri-string dep for
    url) (#​646)
  • fs: reject reserved Windows DOS device names (CON, COM1, etc.) in
    ServeDir (#​663)

Full Changelog: tower-rs/tower-http@tower-http-0.6.8...tower-http-0.6.9


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
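
For reviewers of the `csrf` entry in v0.7.0, an added example (not tower-http's code): a std-only sketch of the decision order used by the Go 1.25 cross-origin protection that the release note says was ported. `Req`, `Verdict`, `check` and `origin_host` are hypothetical names, the requests are constructed, and it is an assumption that tower-http evaluates the steps in the same order.

```rust
// Added sketch (not tower-http source): decision order of the Go 1.25
// cross-origin check. All names here are hypothetical.
#[derive(Debug, PartialEq)]
enum Verdict { Allow, Reject }

struct Req<'a> {
    method: &'a str,
    host: &'a str, // value of the Host header
    sec_fetch_site: Option<&'a str>,
    origin: Option<&'a str>,
}

/// Returns the host[:port] of an Origin value such as "https://example.com".
fn origin_host(origin: &str) -> Option<&str> {
    let (_, rest) = origin.split_once("://")?;
    if rest.is_empty() || rest.contains('/') { None } else { Some(rest) }
}

fn check(req: &Req, trusted: &[&str]) -> Verdict {
    // 1. Safe methods are not state-changing and always pass.
    if matches!(req.method, "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow;
    }
    let trusted_origin = req.origin.map_or(false, |o| trusted.contains(&o));
    // 2. Sec-Fetch-Site is set by the browser and cannot be set by page script.
    match req.sec_fetch_site {
        Some("same-origin") | Some("none") => return Verdict::Allow,
        Some(_) if trusted_origin => return Verdict::Allow,
        Some(_) => return Verdict::Reject,
        None => {} // older browser or non-browser client: fall back to Origin
    }
    // 3. Origin/Host fallback, then the allow-list.
    match req.origin {
        None => Verdict::Allow, // no browser signal at all (e.g. curl)
        Some(o) if origin_host(o) == Some(req.host) => Verdict::Allow,
        Some(_) if trusted_origin => Verdict::Allow,
        Some(_) => Verdict::Reject,
    }
}

fn main() {
    let trusted = ["https://example.com"]; // constructed allow-list
    let forged = Req { method: "POST", host: "app.example.net",
        sec_fetch_site: Some("cross-site"), origin: Some("https://attacker.example") };
    let legacy = Req { method: "POST", host: "app.example.net",
        sec_fetch_site: None, origin: Some("https://app.example.net") };
    println!("forged: {:?}, legacy: {:?}", check(&forged, &trusted), check(&legacy, &trusted));
}
```

Requests that carry neither header pass, so this scheme covers browser-originated CSRF only and does not replace authentication on non-browser API clients.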
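
The `timeout` entry in v0.7.0 contrasts a timer that resets on every frame with one that caps the whole transfer. As an added example (not tower-http's code), this std-only model replays constructed frame arrival gaps against both timers; `replay` and `Outcome` are hypothetical names and the timing values are made up for illustration.

```rust
// Added model (not tower-http source): idle timeout vs. total deadline on a body.
use std::time::Duration;

#[derive(Debug, PartialEq)]
enum Outcome {
    Completed(Duration),        // body finished; total transfer time
    IdleTimeout(Duration),      // silence between frames exceeded `idle`
    DeadlineExceeded(Duration), // total transfer time reached `deadline`
}

/// Replays a body whose i-th frame arrives `gaps[i]` after the previous one.
/// `idle` restarts on every frame (TimeoutBody-style); `deadline` is started
/// once at the beginning of the transfer (DeadlineBody-style).
fn replay(gaps: &[Duration], idle: Option<Duration>, deadline: Option<Duration>) -> Outcome {
    let mut elapsed = Duration::ZERO;
    for &gap in gaps {
        // Time remaining on each timer, measured from the previous frame.
        let idle_left = idle.unwrap_or(Duration::MAX);
        let total_left = deadline.map_or(Duration::MAX, |d| d.saturating_sub(elapsed));
        if gap >= idle_left.min(total_left) {
            // A timer fires before this frame arrives; report the earlier one.
            return if total_left <= idle_left {
                Outcome::DeadlineExceeded(elapsed + total_left)
            } else {
                Outcome::IdleTimeout(elapsed + idle_left)
            };
        }
        elapsed += gap;
    }
    Outcome::Completed(elapsed)
}

/// Constructed slow sender: 120 frames, each 900 ms apart.
fn trickle() -> Vec<Duration> {
    vec![Duration::from_millis(900); 120]
}

fn main() {
    let idle = Some(Duration::from_secs(1));
    let deadline = Some(Duration::from_secs(30));
    // Idle timer only: every gap stays under 1 s, so the slot is held for 108 s.
    println!("idle only:     {:?}", replay(&trickle(), idle, None));
    // Deadline added: the same sender is cut off at 30 s.
    println!("idle+deadline: {:?}", replay(&trickle(), idle, deadline));
}
```

With only the idle timer, the hold time grows with the number of frames the sender chooses to emit; the deadline bounds it regardless of frame count.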
