Tyk Gateway v2.3.5 and Tyk Dashboard v1.3.5

@buger buger released this 11 May 13:19

Tyk Gateway v2.3.5

  • New: Added http_server_options.ssl_insecure_skip_verify boolean option to allow self-signed certificates for Gateway. #693
  • New: Added proxy_ssl_insecure_skip_verify boolean option to skip SSL check for upstream APIs with self-signed certificates. #693
  • Fix: Control API was not working when both hostname and control_api_hostname are set. #670
  • Fix: Uptime tests when failure_trigger_sample_size set to 1. #632
  • Fix: Uptime tests when uptime_tests.time_wait is not explicitly set in config. #669
  • Fix: Log flooding when management_node is turned on. #660
  • Fix: /keys/* endpoint when api_id param is provided but API not loaded on this node (due to tags). Now tagged gateways have access to all keys. #663
  • Fix: Reduced default values for uptime tests in the default tyk.config. The old values had a 20-minute wait time. #668
  • Fix: Duplicated hostnames in uptime logs. #678
  • Fix: IP whitelisting using X-Fowarder-IP header. #704
  • Fix: Potential memory leak in hot reload with JSVM enabled. #496

Tyk Dashboard v1.3.5

New: Dashboard and Portal login rate limiting

Login rate limiting applies to both the Dashboard and the developer portal.
Once a user reaches the limit, they will see an error and will not be able to log in to the Dashboard or portal.

Added new configuration section:

"security": {
  "login_failure_username_limit": 3,
  "login_failure_ip_limit": 10,
  "login_failure_expiration": 900
}

By default, both limit values are zero and login_failure_expiration is 900 seconds (15 minutes).
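To make the semantics of the three settings concrete, here is an added example (not Tyk's own code) that models the behaviour described above: failures are counted per username and per client IP, a limit of 0 is assumed to mean the check is disabled, and failures age out after login_failure_expiration seconds. The clock is injectable so the expiry window can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Assumed defaults, per the release notes: limits of 0 are treated here
# as "disabled" (an assumption), and the failure window is 900 seconds.
DEFAULT_SECURITY = {
    "login_failure_username_limit": 0,
    "login_failure_ip_limit": 0,
    "login_failure_expiration": 900,
}


class LoginFailureLimiter:
    """Hypothetical model of the Dashboard's login-failure limiting (not Tyk code)."""

    def __init__(self, security=None, clock=time.time):
        cfg = {**DEFAULT_SECURITY, **(security or {})}
        self.user_limit = cfg["login_failure_username_limit"]
        self.ip_limit = cfg["login_failure_ip_limit"]
        self.window = cfg["login_failure_expiration"]
        self.clock = clock  # injectable so tests can advance time
        self._by_user = defaultdict(deque)  # username -> failure timestamps
        self._by_ip = defaultdict(deque)    # client IP -> failure timestamps

    def _recent_failures(self, table, key, now):
        # Drop failures older than the window, then count what remains.
        q = table[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def is_blocked(self, username, ip):
        now = self.clock()
        over_user = self.user_limit and \
            self._recent_failures(self._by_user, username, now) >= self.user_limit
        over_ip = self.ip_limit and \
            self._recent_failures(self._by_ip, ip, now) >= self.ip_limit
        return bool(over_user or over_ip)

    def attempt(self, username, ip, password_ok):
        """Return 'blocked', 'failed' or 'ok'. A blocked user is refused even with the right password."""
        if self.is_blocked(username, ip):
            return "blocked"
        if not password_ok:
            now = self.clock()
            self._by_user[username].append(now)
            self._by_ip[ip].append(now)
            return "failed"
        return "ok"
```

The per-IP counter is what stops an attacker from spreading guesses across many usernames, while the per-username counter protects a single account from guesses spread across many IPs.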

New: Audit log

You can now enable an audit log by setting the security.audit_log_path configuration option. It logs all user actions and response statuses. Sensitive information such as passwords is removed from this log.

Other

  • New: Added new host_config.secure_cookie boolean option which enables "secure" cookies; these only work over HTTPS.
  • Fix: The Dashboard now uses HttpOnly cookies instead of headers for authorization internally, to improve defense against cross-site scripting attacks.
  • Fix: Ensure that API responses are not cached by explicitly adding a Cache-Control: no-cache header.
  • Fix: Potential Content-Type sniffing issues, by setting the X-Content-Type-Options: nosniff header.
  • Set proper mime types for font assets.
  • Fix: Deny access to API Catalogue documentation if the catalogue was set to inactive or the portal is only for logged-in users.
  • Fix: The policy selector in the developer view only showed 10 policies; it should show all of them.
  • Fix: Saving a developer should not flush their password.
  • Fix: Broken URLs for getting a free or commercial license on the first-start screen.
  • Fix: Use canonical casing for X-Frame-Options header.
  • Fix: Improved protection for Cross-Frame scripting.
  • Fix: Checks for duplicate listen paths and slugs (including Swagger import). For this to work, ensure that the enable_duplicate_slugs option is set to false.
  • Fix: Swagger API import now properly sets Slug and ListenPath based on basePath.
  • Fix: A key attached to a policy did not inherit the expiration date.
  • UX: Hide access token generator for disabled users.