Change hard-coded headernames to lowercase

Author: halvko

src/security/csp.rs

@@ -357,9 +357,9 @@ impl ContentSecurityPolicy {
     /// Sets the `Content-Security-Policy` (CSP) HTTP header to prevent cross-site injections
     pub fn apply(&mut self, mut headers: impl AsMut<Headers>) {
         let name = if self.report_only_flag {
-            "Content-Security-Policy-Report-Only"
+            "content-security-policy-report-only"
         } else {
-            "Content-Security-Policy"
+            "content-security-policy"
         };
         headers.as_mut().insert(name, self.value());
     }

src/security/mod.rs

@@ -62,7 +62,7 @@ pub fn default(mut headers: impl AsMut<Headers>) {
 // /// ```
 #[inline]
 pub fn dns_prefetch_control(mut headers: impl AsMut<Headers>) {
-    headers.as_mut().insert("X-DNS-Prefetch-Control", "on");
+    headers.as_mut().insert("x-dns-prefetch-control", "on");
 }
 
 /// Set the frameguard level.
@@ -92,7 +92,7 @@ pub fn frameguard(mut headers: impl AsMut<Headers>, guard: Option<FrameOptions>)
         None | Some(FrameOptions::SameOrigin) => "sameorigin",
         Some(FrameOptions::Deny) => "deny",
     };
-    headers.as_mut().insert("X-Frame-Options", kind);
+    headers.as_mut().insert("x-frame-options", kind);
 }
 
 /// Removes the `X-Powered-By` header to make it slightly harder for attackers to see what
@@ -111,7 +111,7 @@ pub fn frameguard(mut headers: impl AsMut<Headers>, guard: Option<FrameOptions>)
 // /// ```
 #[inline]
 pub fn powered_by(mut headers: impl AsMut<Headers>, value: Option<HeaderValue>) {
-    let name = HeaderName::from_lowercase_str("X-Powered-By");
+    let name = HeaderName::from_lowercase_str("x-powered-by");
     match value {
         Some(value) => {
             headers.as_mut().insert(name, value);
@@ -141,7 +141,7 @@ pub fn powered_by(mut headers: impl AsMut<Headers>, value: Option<HeaderValue>)
 pub fn hsts(mut headers: impl AsMut<Headers>) {
     headers
         .as_mut()
-        .insert("Strict-Transport-Security", "max-age=5184000");
+        .insert("strict-transport-security", "max-age=5184000");
 }
 
 /// Prevent browsers from trying to guess (“sniff”) the MIME type, which can have security
@@ -159,7 +159,7 @@ pub fn hsts(mut headers: impl AsMut<Headers>) {
 // /// ```
 #[inline]
 pub fn nosniff(mut headers: impl AsMut<Headers>) {
-    headers.as_mut().insert("X-Content-Type-Options", "nosniff");
+    headers.as_mut().insert("x-content-type-options", "nosniff");
 }
 
 /// Sets the `X-XSS-Protection` header to prevent reflected XSS attacks.
@@ -176,7 +176,7 @@ pub fn nosniff(mut headers: impl AsMut<Headers>) {
 // /// ```
 #[inline]
 pub fn xss_filter(mut headers: impl AsMut<Headers>) {
-    headers.as_mut().insert("X-XSS-Protection", "1; mode=block");
+    headers.as_mut().insert("x-xss-protection", "1; mode=block");
 }
 
 /// Set the Referrer-Policy level
@@ -232,5 +232,5 @@ pub fn referrer_policy(mut headers: impl AsMut<Headers>, referrer: Option<Referr
 
     // We MUST allow for multiple Referrer-Policy headers to be set.
     // See: https://w3c.github.io/webappsec-referrer-policy/#unknown-policy-values example #13
-    headers.as_mut().append("Referrer-Policy", policy);
+    headers.as_mut().append("referrer-policy", policy);
 }