We're happy to announce the latest Tyk update. These patches tighten up security in our dashboard and fix a few minor bugs. Full release notes are below and on our GitHub releases page:
Tyk Gateway v2.3.4
- Added new management_node boolean configuration option. When turned on, it excludes the node from the distributed rate limiter.
- The /tyk/api endpoint, used for managing APIs, can now be accessed without a trailing slash to avoid confusion.
Tyk Dashboard v1.3.4: security focused release
- Fix: Deactivating a user now disables their API access and logs them out of existing dashboard sessions.
- Fix: Updating user permissions no longer empties the user's password.
- Fix: Updating user permissions now updates both the current API session and all open dashboard sessions, and does not require the user to log in again.
- User access to OAuth tokens is now controlled using a separate permission group.
- Disabled auto-completion for all forms with passwords.
- Enabled HSTS for all requests to improve HTTPS security.
- Added new disable_parallel_sessions boolean configuration option. When turned on, it allows only one active dashboard session. When a user logs in, all of their other active sessions are automatically logged out.
- You can now set the password using the Admin API. If the password field is empty, it is ignored.