Security

The [security] block groups controls that apply before and around request handling: connection caps, how fast clients may send traffic (see Rate limiting for [security.rate_limit]), and response security headers (HSTS, CSP, custom). IP allow/deny lists live under the same top-level [security] table but are documented on IP filtering.

TLS termination and mTLS are configured under [tls]; see TLS.

Separately, the proxy sets trusted X-Forwarded-* headers for backends so downstream services see a consistent client identity and scheme, without trusting spoofed client values.

max_connections caps the number of concurrent client connections. The limit is static and is enforced at the acceptor, so connections beyond the cap are refused before any request handling takes place.

```yaml
security:
  max_connections: 512
```

HSTS, CSP, and custom headers attach to responses globally under [security.headers]. There is no per-route security header block in this beta (use global [security.headers] or per-route [routes.headers] for generic add/remove — see Headers).

Example (aligned with compose.toml / compose.yaml):

```yaml
security:
  headers:
    custom:
      - name: "X-Frame-Options"
        value: "DENY"
      - name: "X-Content-Type-Options"
        value: "nosniff"
    hsts:
      enabled: true
      max_age: 31536000
      include_subdomains: false
      preload: false
    csp:
      enabled: true
      policy: "default-src 'self'; script-src 'self' 'unsafe-inline'"
```

The proxy sets trusted X-Forwarded-* values for backends:

  • X-Forwarded-For: appends the client IP to any existing value (comma-separated), or creates the header.
  • X-Forwarded-Host: set from the TLS SNI when present; client-supplied values are not trusted and are removed first.
  • X-Forwarded-Port / X-Forwarded-Proto: derived from the peer connection and scheme.

You do not need to configure these in the config file for standard behavior. Global Headers request add/remove lists are separate from forwarding.
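The X-Forwarded-* rules listed above, modelled as a stand-alone function so the trust boundary is visible in code. This is an added illustration, not the proxy's own implementation; the function name, the dict-based header map, and the choice to overwrite any client-supplied X-Forwarded-Port / X-Forwarded-Proto with connection-derived values are assumptions.

```python
from typing import Dict, Optional

FORWARDED_HOST = "x-forwarded-host"


def build_forwarded_headers(
    client_headers: Dict[str, str],
    client_ip: str,
    sni: Optional[str],
    conn_port: int,
    scheme: str,
) -> Dict[str, str]:
    """Return the header map a backend receives for one proxied request.

    Mirrors the documented behaviour:
      - X-Forwarded-For: append client_ip to an existing list, else create it.
      - X-Forwarded-Host: drop any client-supplied value, then set from SNI if present.
      - X-Forwarded-Port / X-Forwarded-Proto: taken from the connection, not the client.
    """
    # Lower-case names so "X-Forwarded-Host" and "x-forwarded-host" collapse to one key.
    out = {name.lower(): value for name, value in client_headers.items()}

    # XFF is additive: an upstream proxy's list is kept, this hop's client IP is appended.
    existing_xff = out.get("x-forwarded-for", "").strip()
    out["x-forwarded-for"] = f"{existing_xff}, {client_ip}" if existing_xff else client_ip

    # Client-supplied X-Forwarded-Host is never trusted: remove it first, then
    # populate from the TLS SNI when one exists (no SNI -> header stays absent;
    # this absence rule is an assumption, the page does not spell it out).
    out.pop(FORWARDED_HOST, None)
    if sni:
        out[FORWARDED_HOST] = sni

    # Connection-derived values replace whatever the client sent (assumption).
    out["x-forwarded-port"] = str(conn_port)
    out["x-forwarded-proto"] = scheme
    return out


if __name__ == "__main__":
    # Constructed sample request: a client trying to inject a forged host.
    spoofed = {"X-Forwarded-Host": "attacker.example", "X-Forwarded-For": "10.0.0.1"}
    print(build_forwarded_headers(spoofed, "203.0.113.7", "app.example", 443, "https"))
```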