@archer-321 archer-321 commented Dec 19, 2025

Make HeaderValue::set_sensitive const to allow applications to embed sensitive header values statically.

Considering embedded client secrets are generally a red flag, add a comment to the method's documentation to urge developers not to consider embedded sensitive values secure. const use of set_sensitive should be limited to use cases where the developer is aware that the embedded secret will be world-readable.

This PR implements #807

@seanmonstar
Member

The MSRV doesn't like the `const { }` expressions. I'd suggest just leaving the test case out, it doesn't do much.

Some applications like OAuth clients for GitHub or Forgejo are forced to
embed a client password into the application, even if the client is
considered public. Make `HeaderValue::set_sensitive` available in const
contexts to allow applications to mark embedded headers as sensitive.

Warn developers in `set_sensitive`'s documentation that embedded secrets
are trivial to dump and should not be considered secure.

Closes: hyperium#807
@archer-321 archer-321 force-pushed the feature/set_sensitive-const branch from d22829c to c837995 Compare December 19, 2025 18:16
@archer-321
Author

> The MSRV doesn't like the `const { }` expressions. I'd suggest just leaving the test case out, it doesn't do much.

Oops, I didn't remember inline-const was this recent of an addition. Updated!

@seanmonstar
Member

> mutable references are not allowed in constant functions

Oh that's interesting... was that relaxed in newer versions?

@archer-321
Author

It seems like this was added in Rust 1.83: https://blog.rust-lang.org/2024/11/28/Rust-1.83.0/#new-const-capabilities

In this case, this PR would have to be put on hold until the MSRV is increased in the future. Personally, I wouldn't consider this change important enough to warrant an MSRV bump on its own.
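
An added example, not part of the PR or the `http` crate's code: a simplified stand-in `HeaderValue` (hypothetical layout) showing the const pattern discussed in this thread, and that the sensitive flag only redacts `Debug` output while the embedded bytes stay readable. It needs Rust 1.83 or newer because of `&mut self` in a `const fn`; the credential is a constructed placeholder.

```rust
use std::fmt;

// Stand-in for http::HeaderValue (assumption: reduced to a static byte
// slice plus the sensitivity flag; the real type stores its bytes differently).
pub struct HeaderValue {
    bytes: &'static [u8],
    is_sensitive: bool,
}

impl HeaderValue {
    pub const fn from_static(src: &'static str) -> HeaderValue {
        HeaderValue { bytes: src.as_bytes(), is_sensitive: false }
    }

    // `&mut self` in a const fn compiles only on Rust 1.83 or newer.
    pub const fn set_sensitive(&mut self, val: bool) {
        self.is_sensitive = val;
    }

    pub const fn is_sensitive(&self) -> bool { self.is_sensitive }

    pub const fn as_bytes(&self) -> &'static [u8] { self.bytes }
}

impl fmt::Debug for HeaderValue {
    // Sensitive values are redacted in Debug output only.
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        if self.is_sensitive {
            f.write_str("Sensitive")
        } else {
            write!(f, "{:?}", String::from_utf8_lossy(self.bytes))
        }
    }
}

// Built entirely at compile time. Constructed placeholder, not a real secret.
pub const CLIENT_AUTH: HeaderValue = {
    let mut v = HeaderValue::from_static("Basic placeholder-not-a-real-secret");
    v.set_sensitive(true);
    v
};

pub fn debug_repr(v: &HeaderValue) -> String { format!("{:?}", v) }

fn main() {
    println!("{}", debug_repr(&CLIENT_AUTH)); // redacted in logs
    // The raw bytes are still present in the value and in the compiled binary.
    println!("{}", String::from_utf8_lossy(CLIENT_AUTH.as_bytes()));
}
```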
