1. What is an inbound connection?
    • An inbound connection is the connection, through VGS, to your clientside applications or APIs and the hostname of your server.
  2. What is an outbound connection?
    • An outbound connection is the connection, through VGS, for requests that initiate from your server to third parties (example third-party API calls).
  3. Can the header fields be stripped in the HTTP requests?
    • We can switch on transparent mode for you. In this mode, VGS-request-id and x-forwarded- headers will be excluded from the requests you make.
  4. How quickly do new or updated filters and operations on a route take effect?
    • Edits to the route filters and operations require up to a minute to populate.
  5. Can regular expressions be used for the Pathinfo?
    • Yes, you can use regular expressions for Pathinfo field. If you use regex, please ensure that you use matches option from the drop-down menu.
  6. When should I use the begins with filter?
    • You should use the begins with filter on anything that will not match exactly. For example if I have /users/27, I’d want to do Pathinfo begins with /users because we have unique IDs for each user. Additionally, you may want to check the content-type, if it includes charset=UTF-8 after the mimetype, specifying just the mimetype will not match.
  7. What data types does the access logger selector currently support?
    • JSON, XML and application/x-www-form-urlencoded (not multipart/form-data).
  8. How does Host Matching work compared to Filter Condition and Operation Config Matching?
    • If the request doesn’t match any defined Host, the proxy will respond a 400 and tell you to whitelist the host. If the Host matches but PathInfo or the Filter Conditions don’t match and/or Operations Configs don’t have matching payload parts, the requests will be passed without any modifications or errors reported.
  9. For PCI compliance, what do I need to redact?
    • For PCI Compliance, the minimum you must redact are the PAN and the CVV/CSC (in Volatile Memory).


  1. We are working on integrating with a third party service that will go through the VGS Platform. This service can only accept connections from a predefined list of whitelisted IP addresses. Can you provide us with the range of IP addresses to whitelist?
    • The sandbox environment will originate requests from,,
    • The live environment will originate requests from,,
  2. Do you have an API to update routes at once?
    • We have an API and command line tool available to aid in the Software Development Life Cycle. Currently, this is an enterprise feature.
  3. I’m getting errors that the host doesn’t match request URL basename. How do I fix this?
    • Make sure to serve the content via the tenant address (https://tenantid.sandbox.verygoodproxy.com). We added X-Forwarded-Host headers for you. (If you are communicating via api (client to server), you don’t need to do this).
  4. Can we use our own vault?
    • Yes, this is an enterprise feature. Contact our sales team to discuss this.
  5. Do we have to send all of our traffic through the VGS?
    • No, you can segment traffic by assigning a custom CNAME such as vault.company.com and then send secure traffic to it.
  6. What is the cost of a single SSL certificate for a custom CNAME?
    • $19.99 / month
  7. Are the wildcard certificates supported, in the current release?
    • Wildcard certificates are currently not supported. Cost per CNAME record is $19.99 a month. Support for wildcard certificates may become available in the upcoming feature releases.
  8. How do we configure our client library using Selenium web driver to work with VGS Platform?
  9. I’m not getting my cookie set and sent thru the VGS Proxy since its on a subdomain. How do I fix my cookies?
    • You would want to use domain and path attribute on the cookie. A good example is located here
  10. I’m getting the following CORS error “Access to XMLHttpRequest at ‘https://tenantid.env.verygoodproxy.com/v3/ssn-token/’ from origin ‘https://xx.verygoodsecurity.com’ has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.” How do I resolve this?
    • Make sure *.verygoodvault.com and *.verygoodproxy.com are on your list of allowed hosts.
    • Verify Access-Control-Allow-Methods is set with GET,PUT,POST,DELETE,OPTIONS, Access-Control-Allow-Headers is set with X-Requested-With,Content-type,Accept,X-Access-Token,X-Key, and Access-Control-Allow-Origin is set to *.


  1. What are the different Alias Formats?
    • We have several different alias formats available dependinng on your use case. Three of which are for Format Preservation and Luhn Validation. We additionally have a numeric length preservering alias and our global alias that will work on all data (strings, multiple strings, arrays/lists etc.) To learn more about our current alias types please check out our documentation.
  2. What are Persistent and Volatile Storage types?
    • Persistent mode aliases will be stored on the database per our data retention policy. Volatile Storage aliases will be stored only for 60 minutes - that is the default value and can be configured within some constraints. It is useful when you cannot keep some information in your system due to compliance but still need to use it for a series of requests. One example would be getting the PIN from a client and using it as a request to third-party service. One important note is that you can only reveal aliases when the storage mode matches. E.g. If you have the operation to redact PIN value with Volatile storage, a reveal operation with Volatile storage will work for that alias but Persistent will not and vice versa.
  3. Do values always resolve to the same redaction alias (e.g. will 123 always be the same alias)?
    • Provided the fingerprinting feature is turned on (default behavior), the values always resolve to the same redaction alias. Fingerprinting can be turned on or off. Alias fingerprinting is enabled by default.
  4. What is the typical message flow?
    • Here you can see our common flow https://g.gravizo.com/svg?@startuml%3Bactor%20User%3Bparticipant%20%22Reverse%5CnVeryGoodProxy%22%20as%20RVGP%3Bparticipant%20%22Tenant%5CnBackend%5CnApp%22%20as%20CBAPP%3Bparticipant%20%22Forward%5CnVeryGoodProxy%22%20as%20FVGP%3Bparticipant%20%223rd%20Party%20Service%22%20as%203PS%3BUser%20-%3E%20RVGP:%20Sends%20request%20with%20payload:%5Cn%7B%5Cn%20%20%22name%22:%20%22Joe%20Doe%22,%5Cn%20%20%22card%22,%20%224111-1111-1111-1111%22%5Cn%7D%3BRVGP%20--%3E%20RVGP:%20Matches%20payload%20with%5Cnreverse%20proxy%20rules%3BRVGP%20--%3E%20RVGP:%20Tokenizes%20%224111-1111-1111-1111%22%5Cninto%20%22tok_abcd1234%22%3BRVGP%20-%3E%20CBAPP:%20Sends%20request%20with%5Cnupdated%20payload:%5Cn%7B%5Cn%20%20%22name%22:%20%22Joe%20Doe%22,%5Cn%20%20%22card%22,%20%22tok_abcd1234%22%5Cn%7D%3B%3BCBAPP%20--%3E%20CBAPP:%20Persists%20%22tok_abcd1234%22%3B====%3BCBAPP%20-%3E%20FVGP:%20Sends%20request%20with%20payload:%5Cn%7B%5Cn%20%20%22name%22:%20%22Joe%20Doe%22,%5Cn%20%20%22card%22:%20%22tok_abcd1234%22,%5Cn%20%20%22data%22:%20%22custom%20data%22%5Cn%7D%3BFVGP%20--%3E%20FVGP:%20Matches%20payload%20with%5Cnforward%20proxy%20rules%3BFVGP%20--%3E%20FVGP:%20Detokenizes%20%22tok_abcd1234%22%5Cnback%20into%20%224111-1111-1111-1111%22%3BFVGP%20-%3E%203PS:%20Sends%20request%20with%20payload:%5Cn%7B%5Cn%20%20%22name%22:%20%22Joe%20Doe%22,%5Cn%20%20%22card%22:%20%224111-1111-1111-1111%22,%5Cn%20%20%22data%22:%20%22custom%20data%22%5Cn%7D%3B@endumlcommon flow
  5. How many IP addresses are are available for IP anonymization?
    • We have approximately 2,000 ip addresses available.
  6. Can the records be removed from the expired cards?
    • Yes, records can be removed upon request and per our data retention policy.
  7. What protective measure have been put in place against the possibility of a DDoS attack?
    • Typical measures include WAF, powered by AWS, and DDoS mitigation at the Layer 3.


  1. Which compliance certifications does VGS have?
    • PCI DSS Level 1, See the Visa PCI service Provider List here. Additionally, we have SOC2 Type 2.


  1. What to do if a customer loses their MFA and gets locked out of their account:
    • The customer contacts support via an email. The email should come from someone other than the person who is locked out for security reasons.
    • The support team resets their MFA;
  2. I keep sending a 16 digit number but Format Preserving Aliases are not working, why not?
    • For format preserving to work, the value must be Luhn valid. If it’s not, you’ll see it redacted using our universal alias format.
  3. I keep seeing CSRF exceptions. How do I work with my particular framework to still enforce CSRF while using VGS.
    • The easiest way to solve this is to check the documentation on your framework. Use it with a reverse proxy (for example NGINX) and configure the settings for CSRF.
  4. How should I use the inbound connection if I have a tightly coupled app (like using template views in Django)?
    • You have a few options, you can use the inbound to load your website through the URL provided during the integration process. Additionally, you can also post data to the URL followed by the path if you do not want to load your site through the service.
  5. How should I use the inbound connection if I have a loosely coupled app (e.g. React front end connecting to a Java backend via API)?
    • The best pattern here is to post the data to the URL provided and then later replace with a CNAME that forwards to your hostname API.
  6. What’s the best pattern for promoting Routes and Filters to the Live (production) environment.
    • We recommend that you use standard development best practices. Use a sandbox for a dev/staging/canary environment and have automated tests and integration tests running on your sandbox (with FAKE data) and once tests pass, then promote to Live. Additionally, we recommend as part of the SDLC to save the configuration in source control (using command line tool, currently for enterprise customers) so that you can easily rollback if the configuration causes side effects not seen in testing.
  7. My data is not revealing on the outbound connection.
    • The most common case for this is that the alias store is usually different OR the alias format is different. (e.g. you redacted it as FP 6_T_4 and are trying to reveal using FP T_4).
  8. I’ve tried everything above, but cannot figure out the error, what do I do?
    • Contact support via email or our in app chat and provide the vgs-request-id with a description of the error you got.