v0.7.0

Compare Source

Changes since 0.6.11

Added

• csrf: add cross-site request forgery (CSRF) protection middleware, porting the cross-origin protection scheme introduced in Go 1.25 (#​699)

  use tower::ServiceBuilder;
  use tower_http::csrf::CsrfLayer;
  
  // Rejects cross-origin state-changing requests using `Sec-Fetch-Site`,
  // an `Origin` allow-list, and an `Origin`/`Host` fallback. No per-request
  // token state required.
  let layer = CsrfLayer::new().add_trusted_origin("https://example.com")?;
  
  let service = ServiceBuilder::new().layer(layer).service_fn(handler);

• timeout: add DeadlineBody for non-resetting body timeouts, applied via the new RequestBodyDeadlineLayer and ResponseBodyDeadlineLayer (#​688)

  Unlike TimeoutBody, which resets its deadline on every frame, DeadlineBody caps the total time of a body transfer. A slow client trickling one byte at a time never trips an idle timeout but will trip a deadline.

  use std::time::Duration;
  use tower::ServiceBuilder;
  use tower_http::timeout::RequestBodyDeadlineLayer;
  
  // Abort the request body transfer after 30s total, regardless of how
  // frequently data arrives.
  let service = ServiceBuilder::new()
      .layer(RequestBodyDeadlineLayer::new(Duration::from_secs(30)))
      .service_fn(handler);

• fs: add strong ETag support to ServeDir, including If-Match and If-None-Match precondition handling per RFC 9110. 304 Not Modified responses now carry the ETag and Last-Modified validators (#​691)

• fs: add a Backend trait to make ServeDir work with non-filesystem sources (e.g. embedded assets or object storage). The default TokioBackend preserves existing behavior. Use ServeDir::with_backend() to plug in custom implementations (#​684)

  use tower_http::services::fs::ServeDir;
  
  // `MyBackend` implements `tower_http::services::fs::Backend`.
  // The default `ServeDir::new()` continues to use `TokioBackend` (local FS).
  let service = ServeDir::with_backend("assets", MyBackend::new());

• fs: add html_as_default_extension option to ServeDir, appending .html when the request path has no extension (#​519)

• fs: add redirect_path_prefix option to ServeDir, prepending a prefix on trailing-slash redirects so the service can be mounted under a sub-path (#​486)

• validate-request: add ValidateRequestHeaderLayer::has_header_value() to reject requests when a header does not have an expected value (#​360)

• body: UnsyncBoxBody::new() constructor and From<ServeFileSystemResponseBody> conversion to avoid double-boxing when combining ServeDir responses with other body types (#​537)

• limit: implement Default for limit::ResponseBody when the wrapped body also implements Default (#​679)

Changed

• breaking: compression: the middleware now handles the * wildcard and identity;q=0 in Accept-Encoding per RFC 9110 §12.5.3. Requests that previously fell back to identity (e.g. *;q=0 or identity;q=0 with no other acceptable encoding) now receive a 406 Not Acceptable response. Clients that explicitly reject all encodings without listing an alternative will see different behavior. (#​693)

• breaking: compression: upgrade the SizeAbove predicate threshold from u16 to u64, allowing minimum sizes above 64 KiB (#​704)

• breaking: remove the implicit no-op tokio and async-compression features. These were kept as no-op features in 0.6.x for backwards compatibility after the switch to dep: syntax in #​642. Downstream crates that activate tower-http/tokio or tower http/async-compression should remove those feature entries; the underlying dependencies are still pulled in transitively by the features that need them (e.g. compression-gzip, fs, timeout). (#​628)

• breaking: trace/classify: include the gRPC error message in tracing output. GrpcCode and GrpcFailureClass are now #[non_exhaustive], and GrpcStatus is exported from the classify module (#​422)

• breaking: follow-redirect: FollowRedirect now forwards request Extensions to redirected requests instead of dropping them. The Standard policy drops extensions on cross-origin redirections (same-origin keeps them). Opt out with FollowRedirectLayer::preserve_extensions(false); keep specific types with FilterCredentials::allow_extension::<T>() or all of them with keep_all_extensions(). (#​706)

  use tower_http::follow_redirect::FollowRedirectLayer;
  
  // 0.7.0 forwards request `Extensions` across redirects by default.
  // Restore the previous behavior (drop all extensions) with:
  let layer = FollowRedirectLayer::new().preserve_extensions(false);

• breaking: follow-redirect: header and extension filtering is now cumulative. A value a policy drops on one hop is no longer replayed on later hops, so FilterCredentials no longer re-sends Cookie/Authorization to a same-origin target reached after cross-origin hop. Custom Policy::on_request impls now see the previous hop's filtered request, not the original. (#​706)

• trace: DefaultOnRequest, DefaultOnResponse, DefaultOnFailure, and DefaultOnEos now explicitly parent their tracing events to the request span rather than relying on the ambient span context. This fixes intermittent cases where events could appear without their request span attached (#​690)

• cors: relax the Vary header defaults (#​674)

• MSRV bumped from 1.64 to 1.65 (#​684)

Fixed

• fs: ServeDir and ServeFile now emit a Vary: Accept-Encoding response
  header when precompressed serving is configured, ensuring caches correctly
  distinguish between compressed and uncompressed variants (#​692)
• breaking: services: reject a trailing slash for file paths. File requests with a trailing slash now return 404 Not Found instead of serving the file (#​678)
• fs: fix ServeDir stripping the file extension when serving with identity encoding (#​686)
• compression: forward trailers from the inner body after compression finishes, fixing dropped gRPC status trailers (#​685)
• trace: fire on_eos when the inner body reports is_end_stream with a precise content-length (#​687)
• on-early-drop: suppress the early-drop guard when is_end_stream is reported after a data frame (#​687)
• set-header: make SetMultipleRequestHeaders and SetMultipleResponseHeaders Clone for non-Clone HTTP bodies (#​703)

Thanks

• @​jlizen
• @​seun-ja
• @​Oliboy50

New Contributors

• @​muhamadazmy made their first contribution in #​679
• @​Isvane made their first contribution in #​678
• @​xiaoyawei made their first contribution in #​422
• @​dependabot[bot] made their first contribution in #​696
• @​its-the-shrimp made their first contribution in #​519
• @​yawn made their first contribution in #​699
• @​Jesse-Bakker made their first contribution in #​703
• @​junghwan16 made their first contribution in #​705
• @​claraphyll made their first contribution in #​486

v0.6.11

Compare Source

Added

• set-header: add SetMultipleResponseHeadersLayer and
  SetMultipleResponseHeader for setting multiple response headers at once.
  Supports overriding, appending, and if_not_present modes. Header
  values can be fixed or computed dynamically via closures (#​672)

  use http::{Response, header::{self, HeaderValue}};
  use http_body::Body as _;
  use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
  
  let layer = SetMultipleResponseHeadersLayer::overriding(vec![
      (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
      (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
          res.body().size_hint().exact()
              .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
      }).into(),
  ]);

• set-header: add SetMultipleRequestHeadersLayer and
  SetMultipleRequestHeaders for setting multiple request headers at once,
  mirroring the response-side API (#​677)

• classify: add From<i32> and From<NonZeroI32> impls for GrpcCode.
  Unrecognized status codes map to GrpcCode::Unknown (#​506)

Changed

• compression: compress application/grpc-web responses. Previously all
  application/grpc* content types were excluded from compression; now only
  application/grpc (non-web) is excluded (#​408)

Fixed

• fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests
  when call_fallback_on_method_not_allowed is enabled but no fallback service
  is configured (#​587)
• fs: remove duplicate cfg attribute on is_reserved_dos_name (#​675)

All PRs

• ci: fix flaky encoding test, add nightly stress test job by @​jlizen in #​670
• ci: use static timeout in stress-test workflow by @​jlizen in #​671
• Fix serve_dir method not allowed handling when no fallback is configured by @​soerenmeier in #​587
• Do compress grpc-web responses by @​bouk in #​408
• add From impl for GrpcCode by @​gshipilov in #​506
• feat(set_header): refactor and improve multiple header middleware by @​seun-ja in #​672
• Remove duplicate cfg attribute for is_reserved_dos_name by @​GlenDC in #​675
• feat: set multiple request header by @​seun-ja in #​677
• chore: release 0.6.11 by @​jlizen in #​673

New Contributors

• @​gshipilov made their first contribution in #​506
• @​seun-ja made their first contribution in #​672

Full Changelog: tower-rs/tower-http@tower-http-0.6.10...tower-http-0.6.11

v0.6.10

Compare Source

Added

• follow-redirect: expose Attempt::method() and Attempt::previous_method()
  so redirect policies can react to method changes across redirects (e.g.
  POST to GET on 301/303) (#​559)

Fixed

• Restore tokio and async-compression as no-op features. These will be
  removed next breaking release (#​667)

What's Changed

• fix: restore tokio and async-compression as no-op features by @​jlizen in #​667
• fix gate-ing of atomic64 in tests by @​alexanderkjall in #​607
• follow_redirect: expose previous and next request methods by @​lucab in #​559
• chore: release tower-http 0.6.10 by @​jlizen in #​669

New Contributors

• @​lucab made their first contribution in #​559

Full Changelog: tower-rs/tower-http@tower-http-0.6.9...tower-http-0.6.10

v0.6.9

Compare Source

Added:

• on-early-drop: middleware that detects when a response future or response
  body is dropped before completion (#​636)

  Two events get hooks: the response future being dropped before
  the inner service produces a response, and the response body being
  dropped before reaching end-of-stream.

  Install custom callbacks with OnEarlyDropLayer::builder():

  use http::Request;
  use tower_http::on_early_drop::{OnBodyDropFn, OnEarlyDropLayer};
  
  let layer = OnEarlyDropLayer::builder()
      .on_future_drop(|req: &Request<()>| {
          let uri = req.uri().clone();
          move || eprintln!("future dropped for {}", uri)
      })
      .on_body_drop(OnBodyDropFn::new(|req: &Request<()>| {
          let uri = req.uri().clone();
          move |parts: &http::response::Parts| {
              let status = parts.status;
              move || eprintln!("body dropped for {} status {}", uri, status)
          }
      }));

  Or route both events through a trace::OnFailure hook with
  EarlyDropsAsFailures. Place this layer inside a TraceLayer so the
  emitted events inherit the request span:

  use tower::ServiceBuilder;
  use tower_http::on_early_drop::{OnEarlyDropLayer, EarlyDropsAsFailures};
  use tower_http::trace::{DefaultOnFailure, TraceLayer};
  
  let stack = ServiceBuilder::new()
      .layer(TraceLayer::new_for_http())
      .layer(OnEarlyDropLayer::new(
          EarlyDropsAsFailures::new(DefaultOnFailure::default()),
      ));

• fs: make AsyncReadBody::with_capacity public (#​415)

Changed:

• The implicit async-compression feature is removed (#​642)
• The implicit tokio feature is removed (#​628)
• fs: no longer auto-enables the tracing crate feature; enable tracing
  explicitly to restore error logging on ServeDir IO failures (#​614)

Fixed

• trace: restore failure classification at end-of-stream (#​483)
• follow-redirect: support unicode URLs (swaps iri-string dep for
  url) (#​646)
• fs: reject reserved Windows DOS device names (CON, COM1, etc.) in
  ServeDir (#​663)

All the PRs

• ci: update deny action to v2 by @​seanmonstar in #​627
• chore: improve code comments clarity by @​xibeiyoumian in #​626
• ci: Update to actions/checkout v6 by @​tottoto in #​629
• ci: msrv resolver by @​seanmonstar in #​635
• chore: Remove resolved cargo-deny config by @​tottoto in #​631
• ci: Update to cargo-check-external-types 0.4.0 by @​tottoto in #​633
• examples: Use typed default value clap config by @​tottoto in #​634
• examples: Disable unused reqwest feature by @​tottoto in #​632
• examples: Update to reqwest 0.13 by @​tottoto in #​640
• Fix clippy warnings in warp-key-value-store example by @​jplatte in #​637
• ci: Use Swatinem/rust-cache@​v2 to cache by @​tottoto in #​644
• ci: Remove unused working-directory config by @​tottoto in #​645
• Use cargo-deny graph config by @​tottoto in #​639
• Fix: follow redirect unicode in #​646
• doc: remove mention of deprecated bearer method in lib.rs comment by @​VojtaStanek in #​641
• Allow Unicode-3.0 license by @​tottoto in #​648
• fix(docs): typo by @​carlocorradini in #​649
• fix: remove unused GzEncoder import in decompression in #​647
• docs: update Example server in #​652
• Don't automatically enable tracing for fs feature by @​ginnyTheCat in #​614
• examples: Remove unnecessary trait bound by @​tottoto in #​651
• Remove implicit async-compression feature by @​tottoto in #​642
• fix clippy warnings by @​alexanderkjall in #​659
• Check for reserved DOS names by @​Darksonn in #​663
• enable clippy for tower-http and fix current issues by @​GlenDC in #​407
• chore: remove implicit tokio feature by @​WaterWhisperer in #​628
• trace: adds back call to classify_eos on trailers by @​markdingram in #​483
• Make AsyncReadBody::with_capacity public by @​bouk in #​415
• examples: Use axum::body::to_bytes by @​tottoto in #​650
• ci: Remove unnecessary protoc setup by @​tottoto in #​665
• feat(on-early-drop): Add middleware for client early drop detection by @​fbergero in #​636
• chore: release tower-http 0.6.9 by @​jlizen in #​666

New Contributors

• @​xibeiyoumian made their first contribution in #​626
• @​VojtaStanek made their first contribution in #​641
• @​carlocorradini made their first contribution in #​649
• @​ginnyTheCat made their first contribution in #​614
• @​alexanderkjall made their first contribution in #​659
• @​Darksonn made their first contribution in #​663
• @​WaterWhisperer made their first contribution in #​628
• @​bouk made their first contribution in #​415
• @​fbergero made their first contribution in #​636
• @​jlizen made their first contribution in #​666

Full Changelog: tower-rs/tower-http@tower-http-0.6.8...tower-http-0.6.9

v0.6.8

Compare Source

Fixed

• Disable multiple_members in Gzip decoder, since HTTP context only uses one
  member. (#​621)

What's Changed

• Disable multiple_members option for gzip decoder by @​ducaale in #​621
• ci: Pin tracing in MSRV job by @​ducaale in #​622
• ci: Switch cargo-public-api-crates to cargo-check-external-types by @​tottoto in #​613
• Remove deprecated annotations and Refactor From implementations by @​sinder38 in #​608
• v0.6.8 by @​seanmonstar in #​624

New Contributors

• @​sinder38 made their first contribution in #​608

Full Changelog: tower-rs/tower-http@tower-http-0.6.7...tower-http-0.6.8

v0.6.7

Compare Source

Added

• TimeoutLayer::with_status_code(status) to define the status code returned
  when timeout is reached. (#​599)

Deprecated

• auth::require_authorization is too basic for real-world. (#​591)
• TimeoutLayer::new() should be replaced with
  TimeoutLayer::with_status_code(). (Previously was
  StatusCode::REQUEST_TIMEOUT) (#​599)

Fixed

• on_eos is now called even for successful responses. (#​580)
• ServeDir: call fallback when filename is invalid (#​586)
• decompression will not fail when body is empty (#​618)

New Contributors

• @​mladedav made their first contribution in #​580
• @​aryaveersr made their first contribution in #​586
• @​soerenmeier made their first contribution in #​588
• @​gjabell made their first contribution in #​591
• @​FalkWoldmann made their first contribution in #​599
• @​ducaale made their first contribution in #​618

Full Changelog: tower-rs/tower-http@tower-http-0.6.6...tower-http-0.6.7

v0.6.6

Compare Source

Fixed

• compression: fix panic when looking in vary header (#​578)

New Contributors

• @​sulami made their first contribution in #​578

Full Changelog: tower-rs/tower-http@tower-http-0.6.5...tower-http-0.6.6

v0.6.5

Compare Source

Added

• normalize_path: add append_trailing_slash() mode (#​547)

Fixed

• redirect: remove payload headers if redirect changes method to GET (#​575)
• compression: avoid setting vary: accept-encoding if already set (#​572)

New Contributors

• @​daalfox made their first contribution in #​547
• @​mherrerarendon made their first contribution in #​574
• @​linyihai made their first contribution in #​575

Full Changelog: tower-rs/tower-http@tower-http-0.6.4...tower-http-0.6.5

v0.6.4: tower-http 0.6.4

Compare Source

Added

• decompression: Support HTTP responses containing multiple ZSTD frames (#​548)
• The ServiceExt trait for chaining layers onto an arbitrary http service just
  like ServiceBuilderExt allows for ServiceBuilder (#​563)

Fixed

• Remove unnecessary trait bounds on S::Error for Service impls of
  RequestBodyTimeout<S> and ResponseBodyTimeout<S> (#​533)
• compression: Respect is_end_stream (#​535)
• Fix a rare panic in fs::ServeDir (#​553)
• Fix invalid content-lenght of 1 in response to range requests to empty
  files (#​556)
• In AsyncRequireAuthorization, use the original inner service after it is
  ready, instead of using a clone (#​561)

v0.6.3: tower-http 0.6.3

Compare Source

This release was yanked because its definition of ServiceExt was quite unhelpful, in a way that's very unlikely that anybody would start depending on within the small timeframe before this was yanked, but that was technically breaking to change.

v0.6.2

Compare Source

Changed:

• CompressionBody<B> now propagates B's size hint in its http_body::Body
  implementation, if compression is disabled (#​531)
  • this allows a content-length to be included in an HTTP message with this
    body for those cases

New Contributors

• @​musicinmybrain made their first contribution in #​524
• @​SabrinaJewson made their first contribution in #​531

Full Changelog: tower-rs/tower-http@tower-http-0.6.1...tower-http-0.6.2

v0.6.1: v0.6.1

Compare Source

Fixed

• decompression: reuse scratch buffer to significantly reduce allocations and improve performance (#​521)

New Contributors

• @​magurotuna made their first contribution in #​521

v0.6.0: v0.6.0

Compare Source

Changed:

• body module is disabled except for catch-panic, decompression-*, fs, or limit features (BREAKING) (#​477)
• Update to tower 0.5 (#​503)

Fixed

• fs: Precompression of static files now supports files without a file extension (#​507)

v0.5.2: v0.5.2

Compare Source

Added:

• compression: Will now send a vary: accept-encoding header on compressed responses (#​399)
• compression: Support x-gzip as equivalent to gzip in accept-encoding request header (#​467)

Fixed

• compression: Skip compression for range requests (#​446)
• compression: Skip compression for SSE responses by default (#​465)
• cors: Actually keep Vary headers set by the inner service when setting response headers (#​473)
  • Version 0.5.1 intended to ship this, but the implementation was buggy and didn't actually do anything

v0.5.1: v0.5.1

Compare Source

• fs: Support files precompressed with zstd in ServeFile
• trace: Add default generic parameters for ResponseBody and ResponseFuture (#​455)
• trace: Add type aliases HttpMakeClassifier and GrpcMakeClassifier (#​455)

Fixed

• cors: Keep Vary headers set by the inner service when setting response headers (#​398)
• fs: ServeDir now no longer redirects from /directory to /directory/
  if append_index_html_on_directories is disabled (#​421)

v0.5.0: v0.5.0

Compare Source

Changed

• Bump Minimum Supported Rust Version to 1.66 (#​433)
• Update to http-body 1.0 (#​348)
• Update to http 1.0 (#​348)
• Preserve service error type in RequestDecompression (#​368)

Fixed

• Accepts range headers with ranges where the end of range goes past the end of the document by bumping
  http-range-header to 0.4