Merged
1 change: 1 addition & 0 deletions tyk.conf.example
Expand Up @@ -32,6 +32,7 @@
"allow_explicit_policy_id": true
},
"http_server_options": {
"xff_depth": 1,

Check warning on line 35 in tyk.conf.example

probelabs / Visor: security

security Issue

The `xff_depth` setting has been added to the example configuration without comments explaining its function or security implications. This setting controls which IP address is selected from the `X-Forwarded-For` header. Misconfiguring this value can lead to IP address spoofing, potentially allowing attackers to bypass IP-based security controls such as rate limiting or access rules.
Raw output
Add a comment explaining that `xff_depth` must be set to the number of trusted, non-spoofable proxies between the client and the Tyk gateway. Provide guidance on how to determine the correct value for common deployment scenarios (e.g., behind a single load balancer).

Example comment:
`// xff_depth defines how many trusted proxies are in front of Tyk. Set this to the number of proxies to correctly identify the client IP from the X-Forwarded-For header. A common value is 1 when running behind a single load balancer. An incorrect value can lead to IP spoofing.`

Check warning on line 35 in tyk.conf.example

probelabs / Visor: quality

documentation Issue

The `xff_depth` option has been added to the example configuration without a comment explaining its function. This can lead to user confusion, as the choice of which IP to trust from the `X-Forwarded-For` header has security implications. A value of `1` means trusting the last IP in the chain, which is correct for common deployments behind a single trusted proxy.
Raw output
Add a comment explaining the `xff_depth` setting. For example: `// Determines which IP to trust from the X-Forwarded-For header. A value of 1 selects the last IP, suitable for deployments behind a trusted proxy.`
"enable_strict_routes": true,
"enable_path_prefix_matching": true,
"enable_path_suffix_matching": true
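Review bot: the added `"xff_depth": 1` line carries no explanation of what the value must match, and because the surrounding file is JSON (no `//` comments are valid in standard JSON) the inline comments suggested by both Visor annotations cannot simply be pasted in. Suggest putting the guidance in the PR description or the configuration docs instead: state that `xff_depth` must equal the number of trusted proxies between the client and the gateway, that `1` is only correct behind exactly one trusted proxy, and that a mismatch lets a client-supplied `X-Forwarded-For` value be taken as the client IP, which undermines IP-based rate limiting and access rules as the security annotation notes.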
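The two Visor annotations describe `xff_depth` as "how many trusted proxies are in front of Tyk" and "which IP to trust from the X-Forwarded-For header", with `1` selecting the last entry. The following is an added, self-contained Go example that is not Tyk's code and not part of this PR; it implements that trusted-proxy-count selection as an assumption about the semantics (each trusted proxy appends the peer address it saw, so the depth-th entry from the end is the first one a client could not have written), falling back to the TCP peer address when the header is shorter than the trusted chain or not an IP. The sample addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIP picks the client address from X-Forwarded-For given the number of
// trusted proxies (depth) in front of the gateway. Assumed helper for
// illustration, not Tyk's implementation.
//
// Model: client -> P1 -> ... -> Pn -> gateway. Each trusted proxy appends the
// address it accepted the connection from, so the last `depth-1` entries were
// written by trusted proxies and the entry at len-depth was written by the
// outermost trusted proxy, i.e. it is the real client as that proxy saw it.
// Anything before it is client-supplied and must not be trusted.
func clientIP(remoteAddr, xff string, depth int) string {
	peer := remoteAddr
	if host, _, err := net.SplitHostPort(remoteAddr); err == nil {
		peer = host
	}
	// depth <= 0: the header is not trusted at all; use the TCP peer.
	if depth <= 0 || strings.TrimSpace(xff) == "" {
		return peer
	}
	var hops []string
	for _, h := range strings.Split(xff, ",") {
		if h = strings.TrimSpace(h); h != "" {
			hops = append(hops, h)
		}
	}
	// Fewer entries than trusted proxies means the chain did not pass through
	// every proxy we expect (or the header was forged); do not trust it.
	if len(hops) < depth {
		return peer
	}
	ip := hops[len(hops)-depth]
	if net.ParseIP(ip) == nil {
		return peer
	}
	return ip
}

func main() {
	// Constructed values: the gateway's TCP peer is a load balancer at 10.0.0.5.
	const lbPeer = "10.0.0.5:41234"

	// One trusted LB, header written by it: the real client.
	fmt.Println(clientIP(lbPeer, "203.0.113.7", 1))
	// Client prepended a fake entry; depth 1 still yields the LB-written one.
	fmt.Println(clientIP(lbPeer, "1.2.3.4, 203.0.113.7", 1))
	// Two proxies configured but only one hop present: fall back to the peer.
	fmt.Println(clientIP(lbPeer, "1.2.3.4", 2))

	// Misconfiguration: no proxy in front, but xff_depth is still 1. The peer
	// is the client itself and its forged header is taken as the client IP.
	fmt.Println(clientIP("198.51.100.9:5555", "203.0.113.7", 1))
}
```

The last call in `main` is the failure mode the security annotation warns about: with `xff_depth` larger than the actual number of trusted proxies, a direct client controls the address that rate limiting and access rules see. Setting it smaller than the real chain has the opposite effect, returning a proxy's address so that all clients collapse into one identity.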