normogen/thoughts/research/2026-02-14-rust-framework-comparison.md

# Rust Web Framework Research: Actix vs Axum

**Date**: 2026-02-14
**Project**: Normogen - Health Data Tracking Platform
**Goal**: Select Rust web framework for zero-knowledge encrypted API

---

## Research Questions

### Core Requirements for Normogen
1. **Zero-knowledge encryption** - Client-side encryption before server storage
2. **High performance** - Health data processing and aggregation
3. **Type safety** - Critical for healthcare data integrity
4. **Async/await** - For database operations and external API calls
5. **WebSocket support** - Real-time health sensor data
6. **Middleware ecosystem** - Authentication, rate limiting, logging
7. **Database integration** - MongoDB with encryption layer
8. **Security track record** - Critical for health data

---

## Framework Contenders

### 1. Actix Web
**Maturity**: Production-ready since 2017
**Version**: 4.x (stable)
**Based on**: Actix actor framework

**Pros**:
- Proven performance in production
- Large ecosystem and community
- Extensive middleware support
- WebSocket support built-in
- Rich documentation and tutorials
- Powerful extractors system

**Cons**:
- Based on actor model (may be overkill)
- Heavier than alternatives
- Some criticism of unsafe code usage (historically)
- More complex mental model

**Key Questions**:
- How does it handle async database operations?
- What's the middleware story for authentication?
- Performance benchmarks for JSON APIs?
- Memory safety guarantees?

---

### 2. Axum
**Maturity**: Stable since 2021
**Version**: 0.7+ (actively developed)
**Based on**: Tower and Tokio

**Pros**:
- Modern async/await from ground up
- Tower middleware ecosystem (shared with Tonic, Hyper)
- Type-safe routing and extractors
- Simpler mental model
- Built on Tokio (excellent async runtime)
- Growing ecosystem
- Less boilerplate

**Cons**:
- Younger than Actix
- Smaller ecosystem (but growing fast)
- Some advanced features require extra crates
- Less battle-tested in large production systems

**Key Questions**:
- Tower middleware ecosystem maturity?
- Performance comparison to Actix?
- WebSocket support quality?
- MongoDB integration examples?

---

## Decision Criteria for Normogen

### 1. Performance
- Request/response throughput
- Memory efficiency
- Concurrent connection handling
- JSON serialization overhead

### 2. Async Capabilities
- Database connection pooling
- Multiple concurrent database queries
- External API calls (health integrations)
- Background task processing

### 3. Middleware & Authentication
- JWT middleware availability
- Custom authentication flows
- Request logging and tracing
- Rate limiting

### 4. Database Integration
- MongoDB driver compatibility
- Connection pooling
- Transaction support
- Query builder/ORM integration

### 5. Developer Experience
- Error handling ergonomics
- Testing support
- Documentation quality
- Community size and responsiveness

### 6. Security Track Record
- CVE history
- Memory safety guarantees
- Security audit results
- Adoption in security-critical applications

### 7. Real-time Features
- WebSocket support quality
- SSE (Server-Sent Events)
- Connection management
- Scaling real-time connections

---

## Research Needed

### Performance Benchmarks
- TechEmpower Framework Benchmarks 2025
- Real-world performance comparisons
- Memory usage under load
- WebSocket performance

### Community & Ecosystem
- GitHub stars and activity
- Crate maintenance status
- Available middleware crates
- Third-party integrations

### MongoDB Integration
- Available MongoDB drivers
- Connection pooling libraries
- ODM options
- Encryption layer integration

### Authentication Libraries
- JWT crate compatibility
- OAuth2/OpenID Connect support
- Session management options
- Custom auth flow examples

### WebSocket Implementation
- Quality of WebSocket implementations
- Connection stability
- Message throughput
- Scaling strategies

---

## Comparison Matrix

| Feature | Actix Web | Axum |
|---------|-----------|------|
| Performance | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Learning Curve | ⭐⭐⭐ | ⭐⭐⭐⭐ |
| Ecosystem | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| Modern Async | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Middleware | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| Documentation | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| WebSocket | ⭐⭐⭐⭐⭐ | ⭐⭐⭐⭐ |
| Type Safety | ⭐⭐⭐⭐ | ⭐⭐⭐⭐⭐ |
| Simplicity | ⭐⭐⭐ | ⭐⭐⭐⭐⭐ |

---

## Open Questions

### For Actix:
1. How complex is the actor model for simple REST APIs?
2. What's the memory safety story with unsafe code?
3. Is the performance gain worth the complexity?
4. How well does it integrate with Tower middleware?

### For Axum:
1. Is Tower middleware mature enough for production?
2. What's the performance delta vs Actix?
3. Are there enough third-party crates?
4. How stable is the API long-term?

---

## Research Tasks

- [ ] Search for 2024-2025 performance benchmarks
- [ ] Review MongoDB integration patterns for both
- [ ] Examine authentication middleware options
- [ ] Check WebSocket implementation quality
- [ ] Look for health/medical projects using each
- [ ] Review security audit results
- [ ] Examine error handling patterns
- [ ] Check testing framework integration

---

## Sources to Research

1. Official documentation for both frameworks
2. TechEmpower Framework Benchmarks
3. GitHub repositories and issues
4. Reddit/rust and Discord community discussions
5. Blog posts from Rust developers
6. Case studies from production deployments
7. Security advisories and CVE reports
8. Crates.io download statistics

---

## Next Steps

Once research is complete, we'll create a scorecard based on:
- Performance (25%)
- Developer Experience (25%)
- Ecosystem Maturity (20%)
- Security Track Record (15%)
- Async/Database Integration (15%)

**Target Decision Date**: TBD
**Decision Maker**: Project team consensus