TT-16229 update tyk.conf example #7603
Merged
probelabs / Visor: security
succeeded
Dec 5, 2025 in 37s
✅ Check Passed (Warnings Found)
security check passed. Found 1 warning, but fail_if condition was not met.
📊 Summary
- Total Issues: 1
- Warning Issues: 1
🔍 Failure Condition Results
Passed Conditions
- global_fail_if: Condition passed
Issues by Category
Security (1)
⚠️ tyk.conf.example:35 - The `xff_depth` setting has been added to the example configuration without comments explaining its function or security implications. This setting controls which IP address is selected from the `X-Forwarded-For` header. Misconfiguring this value can lead to IP address spoofing, potentially allowing attackers to bypass IP-based security controls such as rate limiting or access rules.
Powered by Visor from Probelabs
Annotations
Check warning on line 35 in tyk.conf.example
security Issue
The `xff_depth` setting has been added to the example configuration without comments explaining its function or security implications. This setting controls which IP address is selected from the `X-Forwarded-For` header. Misconfiguring this value can lead to IP address spoofing, potentially allowing attackers to bypass IP-based security controls such as rate limiting or access rules.
Raw output
Add a comment explaining that `xff_depth` must be set to the number of trusted, non-spoofable proxies between the client and the Tyk gateway. Provide guidance on how to determine the correct value for common deployment scenarios (e.g., behind a single load balancer).
Example comment:
`// xff_depth defines how many trusted proxies are in front of Tyk. Set this to the number of proxies to correctly identify the client IP from the X-Forwarded-For header. A common value is 1 when running behind a single load balancer. An incorrect value can lead to IP spoofing.`