Rust Actix-Web Hidden Service: High-Performance Backend Guide
Rust with Actix-Web provides exceptional performance for Tor hidden service backends: memory safety, high concurrency, minimal resource usage, and excellent throughput. This guide covers building and deploying an Actix-Web application as a production Tor hidden service.
Actix-Web Security Configuration
Add middleware that sets security headers on every response: create a middleware factory that adds X-Content-Type-Options: nosniff, X-Frame-Options: DENY, X-XSS-Protection: 1; mode=block, and Referrer-Policy: no-referrer to all responses. Bind to localhost only: HttpServer::new(|| App::new()).bind("127.0.0.1:8080"). Never bind to 0.0.0.0 for a hidden service: that would make the backend reachable directly on every network interface instead of only through Tor. Request size limits: App::new().app_data(web::JsonConfig::default().limit(1048576)) (1MB JSON limit). Input validation uses the validator crate: derive Validate for request structs and call validate() on incoming data.
Async PostgreSQL with sqlx
sqlx provides compile-time checked SQL queries for Rust. Setup: use sqlx::Pool as shared application state. Execute queries with compile-time verification: sqlx::query_as!(User, "SELECT id, username FROM users WHERE id = $1", user_id).fetch_one(&pool).await. Compile-time query checking catches SQL syntax errors during the build, not at runtime. Connection pool configuration: PgPoolOptions::new().max_connections(5).connect(database_url).await. Store the pool in Actix application data: App::new().app_data(web::Data::new(pool.clone())). Parameterized queries are automatic with the sqlx macros: the SQL is a string literal and values are passed as bind parameters ($1), so SQL injection prevention is built into the query macro.
JWT Authentication in Actix-Web
Implement JWT authentication as middleware. Dependency: the jsonwebtoken crate. Token generation: let claims = Claims { sub: user_id.to_string(), exp: expiry }; encode(&Header::default(), &claims, &EncodingKey::from_secret(secret.as_ref())).unwrap(). Verification middleware: extract the Authorization header, verify the token signature, and inject user_id into the request extensions. Actix middleware pattern: implement the Transform and Service traits for a JWT verification middleware applied to protected routes. Route groups: web::scope("/api").wrap(JwtMiddleware).service(protected_route).
Production Deployment: Actix + Nginx + Tor
Compile the Rust binary for production: cargo build --release. The binary is written to target/release/hidden-service. Deploy it to the server: scp -P 4499 target/release/hidden-service root@server:/opt/hidden-service/.
Create a systemd unit with this [Service] section, one directive per line:
    [Service]
    Type=simple
    User=hiddenservice
    WorkingDirectory=/opt/hidden-service
    ExecStart=/opt/hidden-service/hidden-service
    Restart=always
    EnvironmentFile=/etc/hidden-service/env
Nginx reverse proxy:
    upstream actix { server 127.0.0.1:8080; }
    server {
        listen 127.0.0.1:80;
        location / { proxy_pass http://actix; proxy_read_timeout 120s; }
    }
Tor torrc: HiddenServicePort 80 127.0.0.1:80.
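The loopback-only rule from the security section and the torrc mapping above can be checked before each deployment. The following Rust program is an added example, not code from the original guide; Target, classify and audit are hypothetical names, the sample torrc in main is constructed, and it assumes Tor's documented HiddenServicePort VIRTPORT [TARGET] forms (port, address, addr:port, unix:path).

```rust
use std::net::{IpAddr, SocketAddr};

/// Where one `HiddenServicePort` line forwards traffic.
#[derive(Debug, PartialEq)]
pub enum Target {
    Loopback(SocketAddr),
    UnixSocket(String),
    Exposed(String), // non-loopback, hostname or unparsable: report it
}

/// Classify one torrc line; None if it is not a HiddenServicePort directive.
pub fn classify(line: &str) -> Option<Target> {
    let mut parts = line.split('#').next()?.split_whitespace();
    if !parts.next()?.eq_ignore_ascii_case("HiddenServicePort") { return None; }
    let virt = parts.next()?;
    let raw = parts.next().unwrap_or(virt); // no TARGET: same port on 127.0.0.1
    if let Some(path) = raw.strip_prefix("unix:") {
        return Some(Target::UnixSocket(path.to_string()));
    }
    let addr = if let Ok(port) = raw.parse::<u16>() {
        Some(SocketAddr::new(IpAddr::from([127, 0, 0, 1]), port)) // bare port
    } else if let Ok(ip) = raw.parse::<IpAddr>() {
        virt.parse::<u16>().ok().map(|p| SocketAddr::new(ip, p)) // bare address
    } else {
        raw.parse::<SocketAddr>().ok() // addr:port or [v6]:port
    };
    Some(match addr {
        Some(a) if a.ip().is_loopback() => Target::Loopback(a),
        _ => Target::Exposed(raw.to_string()),
    })
}

/// Findings for a torrc plus the address the Actix-Web server binds to.
pub fn audit(torrc: &str, app_bind: &str) -> Vec<String> {
    let mut out: Vec<String> = torrc.lines().filter_map(classify).filter_map(|t| match t {
        Target::Exposed(s) => Some(format!("torrc target is not loopback: {}", s)),
        _ => None,
    }).collect();
    if !app_bind.parse::<SocketAddr>().map_or(false, |a| a.ip().is_loopback()) {
        out.push(format!("app bind is not loopback: {}", app_bind));
    }
    out
}

fn main() {
    // Constructed sample: the guide's torrc line plus a misconfigured one.
    let torrc = "HiddenServicePort 80 127.0.0.1:80\nHiddenServicePort 8080 0.0.0.0:8080";
    for f in audit(torrc, "127.0.0.1:8080") { eprintln!("{}", f); }
}
```

Hostname targets such as localhost:80 are reported as findings on purpose, since the check does no name resolution and cannot confirm where they point.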
Performance Benchmarking and Tuning
Actix-Web handles tens of thousands of requests per second on modest hardware. Benchmark with wrk or Apache Bench through localhost (not through Tor, when measuring raw server throughput). Tuning: set the worker thread count with HttpServer::new(...).workers(num_cpus::get()). For CPU-bound request processing, a worker count equal to the CPU core count is optimal. For I/O-bound workloads (database-heavy), more workers can help. Prometheus metrics via the actix-web-prom crate: expose metrics at a /metrics endpoint accessible only from localhost. Use a Grafana dashboard for request rate, response time distribution, and error rate.