build(deps): bump tower-http from 0.6.11 to 0.7.0

[dependabot]

Bumps tower-http from 0.6.11 to 0.7.0.

Release notes

Sourced from tower-http's releases.

tower-http-0.7.0

Changes since 0.6.11

Added

• csrf: add cross-site request forgery (CSRF) protection middleware, porting the cross-origin protection scheme introduced in Go 1.25 (#699)

  use tower::ServiceBuilder;
  use tower_http::csrf::CsrfLayer;
  // Rejects cross-origin state-changing requests using Sec-Fetch-Site,
  // an Origin allow-list, and an Origin/Host fallback. No per-request
  // token state required.
  let layer = CsrfLayer::new().add_trusted_origin("https://example.com")?;
  let service = ServiceBuilder::new().layer(layer).service_fn(handler);

• timeout: add DeadlineBody for non-resetting body timeouts, applied via the new RequestBodyDeadlineLayer and ResponseBodyDeadlineLayer (#688)

  Unlike TimeoutBody, which resets its deadline on every frame, DeadlineBody caps the total time of a body transfer. A slow client trickling one byte at a time never trips an idle timeout but will trip a deadline.

  use std::time::Duration;
  use tower::ServiceBuilder;
  use tower_http::timeout::RequestBodyDeadlineLayer;
  // Abort the request body transfer after 30s total, regardless of how
  // frequently data arrives.
  let service = ServiceBuilder::new()
  .layer(RequestBodyDeadlineLayer::new(Duration::from_secs(30)))
  .service_fn(handler);

• fs: add strong ETag support to ServeDir, including If-Match and If-None-Match precondition handling per RFC 9110. 304 Not Modified responses now carry the ETag and Last-Modified validators (#691)

• fs: add a Backend trait to make ServeDir work with non-filesystem sources (e.g. embedded assets or object storage). The default TokioBackend preserves existing behavior. Use ServeDir::with_backend() to plug in custom implementations (#684)

  use tower_http::services::fs::ServeDir;
  // MyBackend implements tower_http::services::fs::Backend.
  // The default ServeDir::new() continues to use TokioBackend (local FS).
  let service = ServeDir::with_backend("assets", MyBackend::new());

• fs: add html_as_default_extension option to ServeDir, appending .html when the request path has no extension (#519)

• fs: add redirect_path_prefix option to ServeDir, prepending a prefix on trailing-slash redirects so the service can be mounted under a sub-path (#486)

• validate-request: add ValidateRequestHeaderLayer::has_header_value() to reject requests when a header does not have an expected value (#360)

• body: UnsyncBoxBody::new() constructor and From<ServeFileSystemResponseBody> conversion to avoid double-boxing when combining ServeDir responses with other body types (#537)

• limit: implement Default for limit::ResponseBody when the wrapped body also implements Default (#679)

Changed

... (truncated)

Commits

• b194fcf v0.7.0
• af828a6 feat(follow_redirect)!: preserve request extensions across redirects (#706)
• 8cb8d99 feat(ValidateRequestHeaderLayer): add has_header("...").with_value("...") fun...
• 3b56d2d feat!: Add configurable Backend trait for ServeDir, bump MSRV 1.65 (#684)
• 8508716 Add redirect_path_prefix option (#486)
• 56327b2 Add Windows drive-prefix path regression test (#705)
• 54c6db8 feat(compression)!: upgrade SizeAbove threshold from u16 to u64 (#704)
• 68cd6d8 Add DeadlineBody for non-resetting body timeouts (#688)
• fa8a98c feat(fs): add strong ETag support to ServeDir (#691)
• 36d2205 fix: Make SetMultiple*Header Clone for !Clone http bodies (#703)
• Additional commits viewable in compare view

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[maiconburn]

@dependabot rebase

[maiconburn]

Superseded by #1030 (batched into one PR for combined review).

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.