Version: Next

TLS Enforcement / Cleartext Allowlist

The TLS-enforcement control rejects unauthenticated cleartext connections except for explicitly trusted networks.

The current path is:

  • auth.controls.tls_encryption.allow_cleartext_networks

Enable it with:

auth:
  controls:
    enabled:
      - tls_encryption

Example

auth:
  controls:
    enabled:
      - tls_encryption
    tls_encryption:
      allow_cleartext_networks:
        - 127.0.0.0/8
        - ::1
        - 192.168.0.0/16
        - fd00::/8

Notes:

  • localhost is only a candidate for the allowlist when the listener and trust boundary make it appropriate; a loopback source address is not a universal proof of safety
  • the old top-level cleartext_networks key is no longer the public path; use auth.controls.tls_encryption.allow_cleartext_networks
  • policy-controlled check skips belong under auth.policy.scheduler_guards and the check-level skip_if, not in this control-specific allowlist
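The following is an added illustration of how an allowlist like the one above is evaluated; it is not the project's own code, and the function names, the dict-shaped config (standing in for the YAML) and the handling of IPv4-mapped IPv6 peers are assumptions made for the example. It shows the semantics a practitioner should expect: with tls_encryption enabled, a cleartext peer is accepted only if its address falls inside one of the listed networks, a bare address such as ::1 matches exactly that host, a malformed entry fails closed at load time, and an IPv4 peer seen through a dual-stack listener (::ffff:a.b.c.d) is compared as its IPv4 address so that a 192.168.0.0/16 entry still matches.

```python
import ipaddress

# Constructed sample config mirroring the page's YAML example, written as a
# dict so the block runs without a YAML library (this shape is an assumption).
CONFIG = {
    "auth": {
        "controls": {
            "enabled": ["tls_encryption"],
            "tls_encryption": {
                "allow_cleartext_networks": [
                    "127.0.0.0/8",
                    "::1",
                    "192.168.0.0/16",
                    "fd00::/8",
                ],
            },
        },
    },
}


def control_enabled(config: dict) -> bool:
    """True when tls_encryption is listed under auth.controls.enabled."""
    return "tls_encryption" in config["auth"]["controls"].get("enabled", [])


def load_allowlist(config: dict) -> list:
    """Parse auth.controls.tls_encryption.allow_cleartext_networks into
    ip_network objects.  A bare address such as "::1" becomes a /128 (or /32)
    host network.  A malformed entry raises ValueError so the service fails
    closed at startup instead of silently trusting more (or less) than intended.
    """
    controls = config["auth"]["controls"]
    raw = controls.get("tls_encryption", {}).get("allow_cleartext_networks", [])
    return [ipaddress.ip_network(entry, strict=True) for entry in raw]


def cleartext_allowed(config: dict, peer: str) -> bool:
    """Decide whether an unauthenticated cleartext connection from `peer`
    (a source IP string) may proceed.  Returns True only when the control is
    disabled or the peer lies inside an allowlisted network; everything else
    is rejected and must use TLS."""
    if not control_enabled(config):
        return True  # control off: nothing is enforced
    addr = ipaddress.ip_address(peer)
    # Dual-stack listeners present IPv4 peers as IPv4-mapped IPv6 addresses
    # (::ffff:a.b.c.d).  Compare the underlying IPv4 address so an IPv4
    # allowlist entry matches; otherwise such peers would be rejected even
    # though the operator listed their network.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # `in` is False across address families, so "127.0.0.0/8" never matches
    # an IPv6 peer and "::1" never matches an IPv4 one.
    return any(addr in net for net in load_allowlist(config))


if __name__ == "__main__":
    for peer in ("127.0.0.1", "::1", "192.168.10.7", "fd12::5",
                 "10.0.0.5", "2001:db8::1", "::ffff:192.168.1.5"):
        verdict = "allow cleartext" if cleartext_allowed(CONFIG, peer) else "require TLS"
        print(f"{peer:>20}  {verdict}")
```

Note that nothing in this check distinguishes a loopback peer that genuinely comes from the same host from one that reaches the listener through a proxy or forwarder; that is why the page treats localhost as a candidate rather than a default, and why the allowlist should reflect the actual trust boundary of the listener.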