Security and Network Configuration
Use these sections to constrain callers on supported public proxy handlers, control browser origins, apply payload limits on the currently supported LLM proxy paths, and identify repeated bot-like traffic. They do not replace a network perimeter around the listener or its management endpoints.
IP allowlist
ip_allowlist:
cidrs:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.1.0/24
- 203.0.113.42/32
trust_proxy_depth: 1
| Field | Type | Notes |
|---|---|---|
cidrs | string[] | IPv4 or IPv6 CIDR ranges to allow. |
trust_proxy_depth | integer | Number of trusted proxy hops to skip in X-Forwarded-For. |
Use trust_proxy_depth carefully. Setting it too high lets untrusted callers spoof client IPs.
ip_allowlist runs on public proxy handlers that invoke the shared
request-state checks. Health, configuration, and administrative endpoints do
not pass through this allowlist; protect the whole listener with deployment
network controls when those surfaces must be restricted.
CORS
cors:
enabled: true
allow_origins:
- https://app.example.com
- https://staging.example.com
allow_methods:
- GET
- POST
- OPTIONS
allow_headers:
- Content-Type
- Authorization
- X-Custom-Header
expose_headers:
- X-Request-Id
- X-RateLimit-Remaining
allow_credentials: true
max_age_seconds: 3600
| Field | Type | Notes |
|---|---|---|
enabled | boolean | Turn CORS headers on or off. |
allow_origins | string[] | Explicit origin allow-list. |
allow_methods | string[] | HTTP methods to allow. |
allow_headers | string[] | Allowed request headers. |
expose_headers | string[] | Response headers exposed to browser JavaScript. |
allow_credentials | boolean | Allow credentialed requests. |
max_age_seconds | integer | Preflight cache duration. |
When allow_credentials: true, do not use * in allow_origins.
Size limits
size_limits:
max_body_bytes: 1048576
max_header_bytes: 8192
max_url_bytes: 4096
max_response_bytes: 10485760
| Field | Type | Notes |
|---|---|---|
max_body_bytes | integer | Maximum raw request body size. |
max_header_bytes | integer | Maximum header block size. |
max_url_bytes | integer | Maximum request URL length. |
max_response_bytes | integer | Maximum upstream response body size. |
Request body, header, and URL limits currently run only on Chat Completions and
return HTTP 413 when exceeded. The response limit runs on buffered Chat
Completions and Responses requests; an oversized buffered response returns
HTTP 502 with response_size_exceeded, while a streaming response receives a
terminal SSE error before the stream is aborted. These fields do not provide a
gateway-wide payload limit for other request families. See
Rate Limits Configuration for
the full runtime boundary.
Bot detector
bot-detector fingerprints requests using selected headers, compares similar requests inside a rolling window, and either warns or blocks when the traffic looks automated.
pack:
name: config-security-network-example-8
version: 1.0.0
enabled: true
policies:
chain:
- bot-detector
policy:
bot-detector:
fingerprint_fields:
- user-agent
- x-forwarded-for
- authorization
profile_window_seconds: 60
similarity_threshold: 0.9
max_requests_per_window: 25
action: block
| Field | Type | Notes |
|---|---|---|
fingerprint_fields | string[] | Headers used to build the request fingerprint. |
profile_window_seconds | integer | Rolling window for comparison and counting. |
similarity_threshold | number | How similar requests must be to count as the same bot-like source. |
max_requests_per_window | integer | Maximum similar requests allowed in one window. |
action | string | warn or block. |
Complete security configuration example
pack:
name: secured-gateway
version: 1.0.0
enabled: true
providers:
targets:
- id: openai-prod
provider: openai
model: gpt-5.4-mini
secret_key_ref:
env: KEEPTRUSTS_OPENAI_API_KEY
ip_allowlist:
cidrs:
- 10.0.0.0/8
- 172.16.0.0/12
trust_proxy_depth: 1
cors:
enabled: true
allow_origins:
- https://app.example.com
allow_methods:
- POST
- OPTIONS
allow_headers:
- Content-Type
- Authorization
allow_credentials: true
max_age_seconds: 7200
size_limits:
max_body_bytes: 2097152
max_header_bytes: 16384
max_url_bytes: 8192
max_response_bytes: 20971520
policies:
chain:
- bot-detector
- prompt-injection
- pii-detector
policy:
bot-detector:
fingerprint_fields:
- user-agent
- x-forwarded-for
- authorization
profile_window_seconds: 60
similarity_threshold: 0.9
max_requests_per_window: 25
action: warn
prompt-injection:
response:
action: block
pii-detector:
action: redact