Critiq Docs

security.misconfiguration

Enable trust proxy for publicly bound Fastify servers

Fastify instances listening on all interfaces should enable trustProxy or terminate behind a reverse proxy you register in code.

#Metadata

Rule ID: ts.security.fastify-public-bind-without-trust-proxy
Severity: medium
Confidence: 0.74
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: experimental
Applies to: block
Tags: fastify, rules-catalog, security

#Why it matters

Without trustProxy, client IP and protocol metadata from an edge proxy are easy to misread, and public binds amplify exposure when the process is not intentionally perimeter-hardened.

#Remediation

Set trustProxy when running behind a reverse proxy, prefer non-public bind addresses in development, or register an explicit Fastify proxy plugin so client metadata and TLS termination assumptions stay correct.
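The effect of the trust setting on the resolved client address, as an added example (not code from Critiq or Fastify). It is a simplified, dependency-free model that assumes a nearest-hop-first walk of `X-Forwarded-For`; the function names and all addresses are hypothetical and constructed for illustration.

```javascript
// Simplified model of proxy-aware client IP resolution (assumption: hops are
// checked nearest-first; this is not Fastify's own implementation).
function resolveClientIp(socketAddr, xffHeader, isTrusted) {
  // Hops ordered nearest-first: the TCP peer, then XFF entries right to left.
  const forwarded = (xffHeader || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse();
  const hops = [socketAddr, ...forwarded];
  // The first hop that is not a trusted proxy is treated as the client.
  for (const hop of hops) {
    if (!isTrusted(hop)) return hop;
  }
  // Every hop was trusted: fall back to the furthest address claimed.
  return hops[hops.length - 1];
}

// Trust policies, roughly: trustProxy unset, trustProxy: true, and
// trustProxy scoped to the known proxy address.
const trustNone = () => false;
const trustAll = () => true;
const trustOnly = (...addrs) => (addr) => addrs.includes(addr);

// Constructed sample: the proxy at 10.0.0.5 appended the real peer
// (203.0.113.7) to a header the client had already filled in itself.
const viaProxy = { socket: '10.0.0.5', xff: '198.51.100.99, 203.0.113.7' };
// Constructed sample: publicly bound server reached directly, no proxy.
const direct = { socket: '203.0.113.7', xff: '198.51.100.99' };

function demo() {
  const scoped = trustOnly('10.0.0.5');
  return {
    // No trust: every request appears to come from the proxy itself.
    noTrustViaProxy: resolveClientIp(viaProxy.socket, viaProxy.xff, trustNone),
    // Trust everything: the client-supplied header value wins.
    trustAllViaProxy: resolveClientIp(viaProxy.socket, viaProxy.xff, trustAll),
    trustAllDirect: resolveClientIp(direct.socket, direct.xff, trustAll),
    // Trust only the proxy: the real peer is recovered in both paths.
    scopedViaProxy: resolveClientIp(viaProxy.socket, viaProxy.xff, scoped),
    scopedDirect: resolveClientIp(direct.socket, direct.xff, scoped),
  };
}

console.log(demo());
```

Rate limits, audit logs and IP allow-lists keyed on the resolved address inherit whichever of these outcomes the configuration produces.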

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.fastify-public-bind-without-trust-proxy.rule.yaml.