← Back to projects

Security

Actix-Web Encryption Middleware

High-performance async middleware for the Rust Actix-web framework providing transparent end-to-end encryption of HTTP payloads. Plug-and-play integration secures data-in-transit without changes to application logic.

Year 2023
Role Author
Status Open Source
Rust Actix-web E2E Encryption Async Middleware
GitHub

Overview

Actix-Web Encryption Middleware provides transparent end-to-end encryption of HTTP request and response bodies for the Actix-web framework. Applications add the middleware to their service stack and get encrypted transport without modifying any handler code.

Motivation

TLS encrypts the channel, not the payload semantics — a TLS-terminating proxy sees plaintext application data. For use cases where the server should be unable to read request bodies (zero-knowledge APIs, client-side encryption schemes), you need payload-level encryption layered on top of TLS.

Design

The middleware intercepts the request body stream, decrypts it before passing control to the handler, then encrypts the response body before writing it to the connection. From the handler's perspective, it is always working with plaintext.

Client (encrypts body)     -> [TLS] -> Server
                                         V
                               Middleware decrypts body
                                         V
                               Handler (sees plaintext)
                                         V
                             Middleware encrypts response
                                         V
Client (decrypts response) <- [TLS] <- Server

Key exchange is handled out-of-band (e.g., a pre-shared key or a separate key agreement endpoint). The middleware is agnostic to the key agreement protocol — it accepts a key provider interface that applications implement.

Cipher. Payloads are encrypted with XChaCha20-Poly1305, an authenticated encryption scheme that combines the XChaCha20 stream cipher with the Poly1305 MAC. The extended 192-bit nonce makes random nonce generation integrally safe at scale. Nonce reuse collisions are computationally implausible even across very large message volumes.

Async Implementation

Actix-web's middleware interface is async. XChaCha20-Poly1305 is fast enough on modern hardware that encryption and decryption run inline on the async thread without spawning to a blocking pool. For very large payloads, the middleware supports streaming decryption to avoid buffering the full body in memory.