<skill_overview> Apply reusable HTTP middleware with tower-http safely
- Adding request/response tracing
- Configuring CORS
- Enabling compression or timeouts
- Propagating request IDs
tower-http GitHub tower-http Docs
</skill_overview> <layer_selection>
- Enable only required tower-http features in Cargo.toml
- Prefer TraceLayer for request spans and latency
- Use CorsLayer for browser-facing APIs
- Use TimeoutLayer for external calls and slow handlers
</layer_selection>
- Set request IDs early, propagate later
- Place tracing outside of compression for full visibility
- Keep security layers (CORS) near the edge
<request_ids>
- Use SetRequestIdLayer + PropagateRequestIdLayer
- Use a consistent header name (X-Request-Id)
</request_ids>
- Do not use permissive CORS in production
- Whitelist origins, methods, and headers explicitly
- Align allow_credentials with specific origins
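The CORS rules above, modelled in plain Rust as an added example (not tower-http's code and not part of the original page): `CorsPolicy`, `PolicyError` and their methods are hypothetical names, and the origins are constructed samples. It goes slightly beyond the text by showing exact-match origin comparison and the `Vary: Origin` header that goes with echoing a specific origin.

```rust
// Added example: std-only model of an explicit CORS allowlist. It does not call
// tower-http; CorsPolicy and its methods are hypothetical names.
#[derive(Debug, PartialEq)]
pub enum PolicyError { Empty, Wildcard(String), NotAnOrigin(String) }
pub struct CorsPolicy { origins: Vec<String>, allow_credentials: bool }

impl CorsPolicy {
    /// Build a policy, rejecting wildcard or malformed entries at startup.
    pub fn new(origins: &[&str], allow_credentials: bool) -> Result<Self, PolicyError> {
        if origins.is_empty() {
            return Err(PolicyError::Empty);
        }
        for o in origins {
            if o.contains('*') {
                return Err(PolicyError::Wildcard(o.to_string()));
            }
            // An origin is scheme://host[:port]: no path, query or trailing slash.
            let rest = o.strip_prefix("https://").or_else(|| o.strip_prefix("http://"));
            let ok = rest.map_or(false, |r| {
                !r.is_empty() && !r.contains(|c: char| matches!(c, '/' | '?' | '#'))
            });
            if !ok {
                return Err(PolicyError::NotAnOrigin(o.to_string()));
            }
        }
        let origins = origins.iter().map(|o| o.to_string()).collect();
        Ok(Self { origins, allow_credentials })
    }

    /// CORS response headers for one request Origin; empty when it is not allowed.
    pub fn response_headers(&self, request_origin: &str) -> Vec<(&'static str, String)> {
        // Exact comparison only: no prefix, suffix or substring matching.
        if !self.origins.iter().any(|o| o == request_origin) {
            return Vec::new();
        }
        let mut h = vec![
            ("access-control-allow-origin", request_origin.to_string()),
            ("vary", "Origin".to_string()),
        ];
        if self.allow_credentials {
            h.push(("access-control-allow-credentials", "true".to_string()));
        }
        h
    }
}
fn main() {
    // Constructed sample allowlist and request origin.
    let p = CorsPolicy::new(&["https://app.example.com"], true).unwrap();
    println!("{:?}", p.response_headers("https://app.example.com"));
}
```

Running the same validation at startup, before the allowlist is handed to CorsLayer, turns a permissive or malformed entry into a boot failure instead of a silently open policy.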
- Enable compression only for sizable responses
- Avoid compressing already compressed formats
<anti_patterns>
- Avoid CorsLayer::permissive in prod
- Avoid stacking multiple timeouts
- Avoid logging sensitive headers in TraceLayer
</anti_patterns>