# Path-scoped credentials. Each [[handlers]] entry pairs a path pattern with a
# username and password; presumably requests whose path matches must present
# them (the enforcement code is not part of this file — confirm).
# NOTE(review): the values below are sample credentials stored in plaintext.
# Replace them per deployment and keep the real values out of version control.
# The leading "^" suggests `path` is a regex anchored only at the start, so
# "^/secure" would also cover "/secure-anything" — confirm that scope is intended.
[[handlers]]
path = "^/secure"
username = "user"
password = "pass"
# Second entry: same shape, covering paths that start with /admin.
[[handlers]]
path = "^/admin"
username = "admin"
password = "changeme"
# Publisher identity and origin. All values here are test-publisher samples.
[publisher]
domain = "test-publisher.com"
# The leading dot conventionally scopes cookies to the domain and all of its
# subdomains — confirm every subdomain is trusted to receive them.
cookie_domain = ".test-publisher.com"
origin_url = "https://origin.test-publisher.com"
# NOTE(review): placeholder value. Presumably this keys the signing of proxied
# URLs (the [proxy] comments in this file mention "signed URLs") — confirm, and
# set a long random per-deployment value before use.
proxy_secret = "change-me-proxy-secret"
# NOTE(review): "trusted-server" is a guessable default, not a secret. The key
# name suggests it protects the edge cookie (signing or similar — not shown in
# this file); a value known to everyone gives no such protection, so set a
# random per-deployment value.
[edge_cookie]
secret_key = "trusted-server"
# Custom headers to be included in every response
# Allows publishers to include tags such as X-Robots-Tag: noindex
# [response_headers]
# X-Custom-Header = "custom header value"
#
# Or via environment variable (JSON preserves header name casing and hyphens):
# TRUSTED_SERVER__RESPONSE_HEADERS='{"X-Robots-Tag": "noindex", "X-Custom-Header": "custom value"}'
# Request Signing Configuration
# Enable signing of OpenRTB requests and other API calls
# NOTE(review): signing is off in this sample, so outbound requests go unsigned
# until `enabled` is switched on. Both store ids are angle-bracket placeholders
# and need real Fastly store ids before signing can work.
[request_signing]
enabled = false # Set to true to enable request signing
config_store_id = "<fastly-config-store-id>" # set config/secret store ids for key rotation
secret_store_id = "<fastly-secret-store-id>"
# Prebid server-side auction integration (enabled in this sample).
[integrations.prebid]
enabled = true
# NOTE(review): plain-HTTP endpoint addressed by raw IP. With the integration
# enabled, traffic to it has no transport encryption and no hostname to
# validate; use an HTTPS hostname outside local testing. Per the [proxy]
# comments in this file, allowed_domains does not govern integration endpoints,
# so this URL is not constrained by that list.
server_url = "http://68.183.113.79:8000"
timeout_ms = 1000
bidders = ["kargo", "appnexus", "openx"]
# Keep debug off in production unless the extra output has been reviewed —
# what it exposes is not visible in this file.
debug = false
# test_mode = false
# debug_query_params = ""
# script_patterns = ["/prebid.js"]
# Bidders that run client-side via native Prebid.js adapters instead of
# being routed through the server-side auction. Their adapter modules must
# be statically imported in the JS bundle.
client_side_bidders = ["rubicon"]
# Zone-specific bid param overrides for Kargo s2s placement IDs.
# The JS adapter reads the zone from mediaTypes.banner.name on each ad unit
# and includes it in the request. The server maps zone → s2s placementId here.
# The table is empty in this sample; the commented line shows the entry shape.
[integrations.prebid.bid_param_zone_overrides.kargo]
# header = {placementId = "_abc"}
# Next.js integration (disabled in this sample).
[integrations.nextjs]
enabled = false
# Names whose values get rewritten — presumably URL-bearing fields in Next.js
# payloads; confirm against the integration code.
rewrite_attributes = ["href", "link", "siteBaseUrl", "siteProductionDomain", "url"]
# Maximum combined payload size for cross-script RSC processing (bytes). Default is 10 MB.
# 10485760 = 10 * 1024 * 1024. Presumably this bounds how much payload is
# processed at once; raise it only with memory limits in mind.
max_combined_payload_bytes = 10485760
# NOTE(review): unlike the neighbouring integrations, this table sets no
# `enabled` key; whether the integration is on or off by default is not
# visible in this file — confirm. The endpoint uses the reserved ".example"
# TLD, so it is a placeholder rather than a live service.
[integrations.testlight]
endpoint = "https://testlight.example/openrtb2/auction"
timeout_ms = 1200
rewrite_scripts = true
# Didomi integration (disabled in this sample).
# sdk_origin and api_origin name the upstream hosts for the SDK and the API;
# presumably both are proxied through the first-party domain — confirm. Keep
# them on HTTPS if overridden.
[integrations.didomi]
enabled = false
sdk_origin = "https://sdk.privacy-center.org"
api_origin = "https://api.privacy-center.org"
# Permutive integration (disabled in this sample). The three id fields are
# empty and presumably need real values before `enabled` is set to true.
[integrations.permutive]
enabled = false
organization_id = ""
workspace_id = ""
project_id = ""
api_endpoint = "https://api.permutive.com"
secure_signals_endpoint = "https://secure-signals.permutive.app"
# Lockr integration (disabled in this sample); app_id is empty.
# sdk_url points at a third-party script. With rewrite_sdk = true it is
# presumably fetched and served through the first-party domain, so a change
# to that upstream script reaches visitors under the publisher's origin —
# confirm how the script is fetched and cached.
[integrations.lockr]
enabled = false
app_id = ""
api_endpoint = "https://identity.loc.kr"
sdk_url = "https://aim.loc.kr/identity-lockr-trust-server.js"
cache_ttl_seconds = 3600
rewrite_sdk = true
# DataDome bot protection integration
# Proxies tags.js and signal collection API through first-party context
# Endpoints:
# GET /integrations/datadome/tags.js - Proxied SDK script
# ANY /integrations/datadome/js/* - Signal collection API
# Disabled in this sample. The second route accepts any HTTP method and a
# wildcard path, so everything under /integrations/datadome/js/ is forwarded
# upstream once the integration is enabled.
[integrations.datadome]
enabled = false
sdk_origin = "https://js.datadome.co"
api_origin = "https://api-js.datadome.co"
# 3600 seconds = 1 hour.
cache_ttl_seconds = 3600
rewrite_sdk = true
# GPT integration (disabled in this sample).
# script_url is the upstream location of gpt.js; with rewrite_script = true it
# is presumably served through the first-party domain and cached for
# cache_ttl_seconds (3600 = 1 hour) — confirm.
[integrations.gpt]
enabled = false
script_url = "https://securepubads.g.doubleclick.net/tag/js/gpt.js"
cache_ttl_seconds = 3600
rewrite_script = true
# Consent forwarding configuration
# Controls how Trusted Server interprets and forwards privacy consent signals.
# All values shown below are the defaults — uncomment to override.
# [consent]
# mode = "interpreter" # "interpreter" (decode + forward) or "proxy" (raw passthrough)
# check_expiration = true # Check TCF consent freshness
# max_consent_age_days = 395 # Max age before consent is treated as expired (~13 months)
# [consent.gdpr]
# applies_in = ["AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR","HU","IE","IT","LV","LT","LU","MT","NL","PL","PT","RO","SK","SI","ES","SE","IS","LI","NO","GB"]
# [consent.us_states]
# privacy_states = ["CA","VA","CO","CT","UT","MT","OR","TX","FL","DE","IA","NE","NH","NJ","TN","MN","MD","IN","KY","RI"]
# [consent.us_privacy_defaults]
# notice_given = true # Has publisher actually shown CCPA notice?
# lspa_covered = false # Is publisher subject to LSPA?
# gpc_implies_optout = true # Should Sec-GPC: 1 trigger opt-out?
# [consent.conflict_resolution]
# mode = "restrictive" # "restrictive" | "newest" | "permissive"
# freshness_threshold_days = 30
# KV Store consent persistence (requires a KV store named "consent_store" in fastly.toml)
# consent_store = "consent_store"
# Rewrite configuration for creative HTML/CSS processing
# [rewrite]
# Domains to exclude from first-party rewriting (supports wildcards like "*.example.com")
# URLs from these domains will be left as-is and not proxied
# exclude_domains = [
# "*.edgecompute.app",
# ]
# Proxy configuration
# NOTE(review): both keys in this table are commented out in this sample, so
# the defaults documented below apply: certificate verification stays on, and
# redirect destinations are unrestricted until allowed_domains is set.
[proxy]
# Enable TLS certificate verification when proxying to HTTPS origins.
# Defaults to true. Set to false only for local development with self-signed certificates.
# certificate_check = true
# Restrict redirect destinations for the first-party proxy to an explicit domain allowlist.
# Supports exact match ("example.com") and subdomain wildcard prefix ("*.example.com").
# Wildcard prefix also matches the apex domain ("*.example.com" matches "example.com").
# Matching is case-insensitive. A dot-boundary check prevents "*.example.com" from
# matching "evil-example.com".
# When omitted or empty, redirect destinations are unrestricted — configure this in
# production to prevent SSRF via signed URLs that redirect to internal services.
# Note: this list governs only the first-party proxy redirect chain, not integration
# endpoints defined under [integrations.*].
# allowed_domains = [
# "ad.example.com",
# "*.doubleclick.net",
# "*.googlesyndication.com",
# ]
# Auction orchestration (enabled in this sample).
[auction]
enabled = true
# "prebid" matches the [integrations.prebid] table in this file.
providers = ["prebid"]
# mediator = "adserver_mock" # will use mediator when set
# Larger than the 1000 ms timeout on the prebid integration; presumably the
# overall auction deadline — confirm.
timeout_ms = 2000
# Context keys the JS client is allowed to forward into auction requests.
# Keys not in this list are silently dropped. An empty list blocks all keys.
# The values come from the client, so keep this allowlist as short as the
# integrations require.
allowed_context_keys = ["permutive_segments"]
# APS integration (disabled in this sample).
# pub_id is a placeholder, and the endpoint host name ("mocktioneer") suggests
# a mock bidder rather than a production service — confirm both before enabling.
[integrations.aps]
enabled = false
pub_id = "your-aps-publisher-id"
endpoint = "https://origin-mocktioneer.cdintel.com/e/dtb/bid"
timeout_ms = 1000
# Google Tag Manager integration (disabled in this sample).
# "GTM-XXXXXX" is a placeholder container id. upstream_url is commented out,
# so the integration's built-in value applies — presumably the URL shown.
[integrations.google_tag_manager]
enabled = false
container_id = "GTM-XXXXXX"
# upstream_url = "https://www.googletagmanager.com"
# Mock ad-server mediator (disabled in this sample). The commented `mediator`
# key under [auction] refers to this integration by name.
[integrations.adserver_mock]
enabled = false
endpoint = "https://origin-mocktioneer.cdintel.com/adserver/mediate"
timeout_ms = 1000
# Map auction-request context keys to mediation URL query parameters.
# Each key is a context key from the JS client; the value becomes the
# query parameter name. Arrays are joined with commas.
# The mapped values originate in the client and end up in an outbound URL;
# whether they are URL-encoded first is not visible in this file — confirm.
[integrations.adserver_mock.context_query_params]
permutive_segments = "permutive"