Module de.cuioss.http
Package de.cuioss.http.security.config
@NullMarked
package de.cuioss.http.security.config
Configuration management for HTTP security validation.
This package provides immutable configuration objects and builders for customizing the behavior of HTTP security validation. All configuration follows secure-by-default principles with OWASP and RFC-based default values.
Configuration Components
- SecurityConfiguration - Main immutable configuration record
- SecurityConfigurationBuilder - Builder for flexible configuration creation
- SecurityDefaults - Default values and constants
Configuration Categories
- Length Limits - Maximum input lengths for different component types
- Character Sets - Allowed characters for validation types
- Security Levels - Predefined security strictness levels (STRICT, DEFAULT, LENIENT)
- Feature Toggles - Enable/disable specific validation features
- Pattern Configuration - Custom attack pattern definitions
Usage Example
// Use secure defaults
SecurityConfiguration defaultConfig = SecurityConfiguration.defaults();

// Custom configuration
SecurityConfiguration customConfig = SecurityConfiguration.builder()
    .maxPathLength(2048)
    .maxParameterValueLength(8192)
    .securityLevel(SecurityLevel.STRICT)
    .pathTraversalDetectionEnabled(true)
    .doubleEncodingDetectionEnabled(true)
    .build();

// Configuration is immutable after creation
assert customConfig.maxPathLength() == 2048;
Secure Defaults
All default values are based on security best practices:
- Conservative length limits to prevent DoS attacks
- Strict character validation based on RFC specifications
- All security features enabled by default
- Maximum security level as the default
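The following self-contained Java class is an added illustration of the pattern this package describes (an immutable configuration record, a fluent builder that starts from secure defaults, and a checker that applies the configured limits); it is not code from the de.cuioss.http library. The names LimitPolicy, Builder, Verdict and checkPath, and the default numbers used, are hypothetical and are not the library's API or its SecurityDefaults values.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Objects;

/**
 * Hypothetical demo of "immutable config + builder + secure defaults".
 * Names and default values are constructed for this example only.
 */
public final class LimitPolicyDemo {

    /** Immutable configuration: record components are final, there are no setters. */
    public record LimitPolicy(int maxPathLength, boolean pathTraversalDetection, boolean doubleEncodingDetection) {

        /** Compact constructor: refuse a nonsensical limit at construction time. */
        public LimitPolicy {
            if (maxPathLength <= 0) {
                throw new IllegalArgumentException("maxPathLength must be positive");
            }
        }

        /** Secure defaults (constructed values): conservative limit, every check switched on. */
        public static LimitPolicy defaults() {
            return new LimitPolicy(1024, true, true);
        }

        public static Builder builder() {
            return new Builder();
        }
    }

    /** Fluent builder; starts from the secure defaults so callers only name what they change. */
    public static final class Builder {
        private int maxPathLength = 1024;
        private boolean pathTraversalDetection = true;
        private boolean doubleEncodingDetection = true;

        public Builder maxPathLength(int value) { this.maxPathLength = value; return this; }
        public Builder pathTraversalDetection(boolean on) { this.pathTraversalDetection = on; return this; }
        public Builder doubleEncodingDetection(boolean on) { this.doubleEncodingDetection = on; return this; }

        public LimitPolicy build() {
            return new LimitPolicy(maxPathLength, pathTraversalDetection, doubleEncodingDetection);
        }
    }

    /** Outcome of a check: accepted, or rejected with a reason suitable for logging. */
    public record Verdict(boolean accepted, String reason) {
        static Verdict ok() { return new Verdict(true, ""); }
        static Verdict reject(String why) { return new Verdict(false, why); }
    }

    /**
     * Apply the policy to a raw (still percent-encoded) request path.
     * Order matters: the length limit is enforced on the raw string before any
     * decoding, so an oversized request is dropped before it costs CPU; the
     * traversal check runs on the decoded form so encoded dots are seen too.
     */
    public static Verdict checkPath(LimitPolicy policy, String rawPath) {
        Objects.requireNonNull(rawPath, "rawPath");
        if (rawPath.length() > policy.maxPathLength()) {
            return Verdict.reject("path longer than " + policy.maxPathLength() + " characters");
        }
        final String decoded;
        try {
            decoded = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
            // Decoding a second time must be a no-op; if it changes anything, the input was double-encoded.
            if (policy.doubleEncodingDetection()
                    && !decoded.equals(URLDecoder.decode(decoded, StandardCharsets.UTF_8))) {
                return Verdict.reject("double-encoded sequence in path");
            }
        } catch (IllegalArgumentException malformed) {
            return Verdict.reject("malformed percent-encoding: " + malformed.getMessage());
        }
        if (policy.pathTraversalDetection()) {
            for (String segment : decoded.split("/")) {
                if (segment.equals("..")) {
                    return Verdict.reject("parent-directory segment in path");
                }
            }
        }
        return Verdict.ok();
    }

    public static void main(String[] args) {
        LimitPolicy policy = LimitPolicy.builder().maxPathLength(64).build();
        // Constructed sample inputs: a clean path, a double-encoded traversal, an oversized path.
        String[] samples = { "/api/v1/users/42", "/files/%252e%252e/secret", "/".repeat(65) };
        for (String sample : samples) {
            Verdict v = checkPath(policy, sample);
            System.out.printf("%-28s -> %s%n", sample, v.accepted() ? "accepted" : "rejected: " + v.reason());
        }
    }
}
```

Requires Java 16 or later for records. One caveat worth noting: java.net.URLDecoder implements form decoding (it turns '+' into a space), so a production path validator should use a decoder that follows the RFC 3986 path rules instead; the ordering shown (cheap length check first, decode once, then run detections on the decoded form) is the point the example is meant to make.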
Package Nullability
This package follows strict nullability conventions using JSpecify annotations:
- All parameters and return values are non-null by default
- Nullable parameters and return values are explicitly annotated with @Nullable
Since: 1.0
Classes
- SecurityConfiguration - Immutable class representing comprehensive security configuration for HTTP validation.
- SecurityConfigurationBuilder - Builder class for constructing SecurityConfiguration instances with a fluent API.
- SecurityDefaults - Comprehensive collection of default values and constants for HTTP security configuration.