Request: Disable TLS 1.0/1.1 on all services (security audit finding PEN-06)
felipemehr
PROOP

a month ago

Hi Railway team,

We recently completed a security audit (OWASP pentest) on our services hosted on Railway. Finding PEN-06 flagged that TLS 1.0 and TLS 1.1 are still accepted by the proxy/load balancer fronting our services. Per RFC 8996, these protocols are deprecated and should be disabled.

Affected projects: marvelous-mercy (humanos-eco + ai-core) and content-cooperation (quebot + sinapsis services).

Could you please disable TLS 1.0 and 1.1 on the proxy layer for our services, enforcing TLS 1.2 as the minimum version?

If this is not configurable per-project, could you confirm whether Railway already enforces TLS 1.2+ globally or if there is a planned timeline for deprecating older TLS versions?

Thank you!

Under Review

1 Replies

Railway
BOT

a month ago

Our proxy already enforces TLS 1.2 as the minimum version globally, with support for TLS 1.2 and TLS 1.3 only. TLS 1.0 and 1.1 are not accepted. This applies to all services and is not a per-project setting. You can verify this by checking our public networking specs, and your pentest vendor can re-validate by attempting a TLS 1.0/1.1 handshake against your domains.


Status changed to Awaiting User Response Railway about 1 month ago
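To re-validate the finding the way the reply suggests, the script below probes an endpoint with a handshake pinned to each TLS version in turn and reports which ones the server accepts. It is an added example for this thread, not Railway's tooling and not code from either poster; `host` and `port` are assumed command-line inputs, and the `assess` function encodes the expectation stated above (TLS 1.0/1.1 refused, TLS 1.2 and 1.3 accepted). One caveat it handles: many current OpenSSL builds will not offer TLS 1.0 or 1.1 at all, so a failed handshake for those versions is reported as inconclusive rather than as proof the server refused it.

```python
"""Probe which TLS protocol versions a TLS endpoint accepts.

Constructed example for this thread, not Railway's own tooling. The host and
port are assumed inputs; nothing here is specific to any particular proxy.
Usage: python tls_probe.py <host> [port]
"""
import socket
import ssl
import sys

ACCEPTED, REFUSED, INCONCLUSIVE = "accepted", "refused", "inconclusive"

# Oldest to newest. SSLv3 is omitted because modern OpenSSL builds cannot
# offer it at all, so that probe would always be inconclusive.
ORDER = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
PROBE_VERSIONS = [getattr(ssl.TLSVersion, name) for name in ORDER]


def probe_version(host, version, port=443, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    ACCEPTED: handshake completed at that version.
    REFUSED: the server rejected the ClientHello (protocol_version alert or
             closed the connection).
    INCONCLUSIVE: the local OpenSSL refused to even offer that version
             (typical for TLS 1.0/1.1 at security level 2 or higher), so the
             result says nothing about the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validation is irrelevant to the protocol-version question
    # and would mask the answer for hosts with private CAs, so skip it here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ACCEPTED if tls.version() else REFUSED
    except ssl.SSLError as exc:
        # Raised before anything is sent when the client cannot use `version`.
        if exc.reason in ("NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"):
            return INCONCLUSIVE
        return REFUSED
    except ConnectionResetError:
        # Some servers drop the connection instead of sending an alert.
        return REFUSED


def probe_all(host, port=443):
    """Map each version name in ORDER to its probe result."""
    return {name: probe_version(host, ver, port)
            for name, ver in zip(ORDER, PROBE_VERSIONS)}


def assess(results, minimum="TLSv1_2"):
    """Return (compliant, findings) for a results dict as probe_all() gives.

    Compliant means no version older than `minimum` was accepted and at least
    one version at or above it was. Inconclusive legacy probes are listed as
    findings but do not fail the check, since this client could not test them.
    """
    cutoff = ORDER.index(minimum)
    findings = []
    legacy_accepted = [v for v in ORDER[:cutoff] if results.get(v) == ACCEPTED]
    for v in legacy_accepted:
        findings.append(f"{v} accepted; should be disabled")
    for v in ORDER[:cutoff]:
        if results.get(v) == INCONCLUSIVE:
            findings.append(f"{v} could not be tested from this client")
    modern_ok = any(results.get(v) == ACCEPTED for v in ORDER[cutoff:])
    if not modern_ok:
        findings.append(f"no version >= {minimum} accepted")
    return (not legacy_accepted and modern_ok, findings)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe_all(target, target_port)
    for name in ORDER:
        print(f"{name:8s} {outcome[name]}")
    ok, notes = assess(outcome)
    for note in notes:
        print("finding:", note)
    print("PASS" if ok else "FAIL")
    sys.exit(0 if ok else 1)
```

Run it against your own domain from a host whose OpenSSL still offers TLS 1.0/1.1 (for example, one with `CipherString = DEFAULT@SECLEVEL=0` in its openssl.cnf) if you need a conclusive answer for the legacy versions; `openssl s_client -tls1_1 -connect host:443` from such a host is the equivalent one-liner.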
