Module de.cuioss.http

Package de.cuioss.http.security.config

Class SecurityConfiguration

java.lang.Object

de.cuioss.http.security.config.SecurityConfiguration

public final class SecurityConfiguration
extends Object

Immutable class representing comprehensive security configuration for HTTP validation.

This class encapsulates all security policies and settings needed to configure HTTP security validators. It provides a type-safe, immutable configuration object that can be shared across multiple validation operations.

Design Principles

• Immutability - Configuration cannot be modified once created
• Type Safety - Strongly typed configuration parameters
• Completeness - Covers all aspects of HTTP security validation
• Composability - Easy to combine with builder patterns
• Performance - Pre-processes sets for O(1) case-insensitive lookups

Configuration Categories

• Path Security - Path traversal prevention, allowed patterns
• Parameter Security - Query parameter validation rules
• Header Security - HTTP header validation policies
• Cookie Security - Cookie validation and security requirements
• Body Security - Request/response body validation settings
• Encoding Security - URL encoding and character validation
• Length Limits - Size restrictions for various HTTP components
• General Policies - Cross-cutting security concerns

Usage Examples

 // Create with builder
 SecurityConfiguration config = SecurityConfiguration.builder()
     .maxPathLength(2048)
     .allowPathTraversal(false)
     .maxParameterCount(100)
     .requireSecureCookies(true)
     .build();

 // Use in validation
 PathValidator validator = new PathValidator(config);
 validator.validate("/api/users/123");

 // Create restrictive configuration
 SecurityConfiguration strict = SecurityConfiguration.strict();

 // Create permissive configuration
 SecurityConfiguration lenient = SecurityConfiguration.lenient();
 

Implements: Task C1 from HTTP verification specification

Since:

1.0

See Also:

• SecurityConfigurationBuilder

Method Summary

Modifier and Type	Method	Description
boolean	allowControlCharacters()
boolean	allowDoubleEncoding()
@Nullable Set<String>	allowedContentTypes()
@Nullable Set<String>	allowedHeaderNames()
boolean	allowExtendedAscii()
boolean	allowNullBytes()
boolean	allowPathTraversal()
Set<String>	blockedContentTypes()
Set<String>	blockedHeaderNames()
static SecurityConfigurationBuilder	builder()	Creates a builder for constructing SecurityConfiguration instances.
boolean	caseSensitiveComparison()
static SecurityConfiguration	defaults()	Creates a security configuration with default balanced settings.
boolean	equals(Object obj)
boolean	failOnSuspiciousPatterns()
int	hashCode()
boolean	isContentTypeAllowed(@Nullable String contentType)	Checks if the configuration allows a specific content type.
boolean	isHeaderAllowed(@Nullable String headerName)	Checks if the configuration allows a specific header name.
boolean	isLenient()	Checks if this configuration is considered "lenient" based on key security settings.
boolean	isStrict()	Checks if this configuration is considered "strict" based on key security settings.
static SecurityConfiguration	lenient()	Creates a lenient security configuration for maximum compatibility.
boolean	logSecurityViolations()
long	maxBodySize()
int	maxCookieCount()
int	maxCookieNameLength()
int	maxCookieValueLength()
int	maxHeaderCount()
int	maxHeaderNameLength()
int	maxHeaderValueLength()
int	maxParameterCount()
int	maxParameterNameLength()
int	maxParameterValueLength()
int	maxPathLength()
boolean	normalizeUnicode()
boolean	requireHttpOnlyCookies()
boolean	requireSecureCookies()
static SecurityConfiguration	strict()	Creates a strict security configuration with tight restrictions.
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Details

builder

public static SecurityConfigurationBuilder builder()

Creates a builder for constructing SecurityConfiguration instances.

Returns:

A new SecurityConfigurationBuilder with default values

strict

public static SecurityConfiguration strict()

Creates a strict security configuration with tight restrictions. This configuration prioritizes security over compatibility.

Returns:

A SecurityConfiguration with strict security policies

lenient

public static SecurityConfiguration lenient()

Creates a lenient security configuration for maximum compatibility. This configuration should only be used in trusted environments.

Returns:

A SecurityConfiguration with permissive policies

defaults

public static SecurityConfiguration defaults()

Creates a security configuration with default balanced settings.

Returns:

A SecurityConfiguration with default security policies

isHeaderAllowed

public boolean isHeaderAllowed(@Nullable String headerName)

Checks if the configuration allows a specific header name.

Parameters:

headerName - The header name to check (null returns false)

Returns:

true if the header is allowed, false if blocked or null

isContentTypeAllowed

public boolean isContentTypeAllowed(@Nullable String contentType)

Checks if the configuration allows a specific content type.

Parameters:

contentType - The content type to check (null returns false)

Returns:

true if the content type is allowed, false if blocked or null

isStrict

public boolean isStrict()

Checks if this configuration is considered "strict" based on key security settings.

Returns:

true if this configuration uses strict security policies

isLenient

public boolean isLenient()

Checks if this configuration is considered "lenient" based on key security settings.

Returns:

true if this configuration uses lenient security policies

maxPathLength

public int maxPathLength()

allowPathTraversal

public boolean allowPathTraversal()

allowDoubleEncoding

public boolean allowDoubleEncoding()

maxParameterCount

public int maxParameterCount()

maxParameterNameLength

public int maxParameterNameLength()

maxParameterValueLength

public int maxParameterValueLength()

maxHeaderCount

public int maxHeaderCount()

maxHeaderNameLength

public int maxHeaderNameLength()

maxHeaderValueLength

public int maxHeaderValueLength()

allowedHeaderNames

public @Nullable Set<String> allowedHeaderNames()

blockedHeaderNames

public Set<String> blockedHeaderNames()

maxCookieCount

public int maxCookieCount()

maxCookieNameLength

public int maxCookieNameLength()

maxCookieValueLength

public int maxCookieValueLength()

requireSecureCookies

public boolean requireSecureCookies()

requireHttpOnlyCookies

public boolean requireHttpOnlyCookies()

maxBodySize

public long maxBodySize()

allowedContentTypes

public @Nullable Set<String> allowedContentTypes()

blockedContentTypes

public Set<String> blockedContentTypes()

allowNullBytes

public boolean allowNullBytes()

allowControlCharacters

public boolean allowControlCharacters()

allowExtendedAscii

public boolean allowExtendedAscii()

normalizeUnicode

public boolean normalizeUnicode()

caseSensitiveComparison

public boolean caseSensitiveComparison()

failOnSuspiciousPatterns

public boolean failOnSuspiciousPatterns()

logSecurityViolations

public boolean logSecurityViolations()

equals

public boolean equals(Object obj)

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

toString

public String toString()

Overrides:

toString in class Object