Security Configuration | Contexa Docs

Zero Trust Properties

Properties under security.zerotrust, bound to SecurityZeroTrustProperties. These settings control the Zero Trust decision mode, core thresholds, hot-path handling, cache windows, and request-tracking behavior. HCAD is configured separately under the hcad prefix.

Property	Type	Default	Description
`security.zerotrust`
`.enabled`	`boolean`	`true`	Enable the Zero Trust engine
`.mode`	`SecurityMode`	`ENFORCE`	Execution mode: `SHADOW` (observe) or `ENFORCE` (block)
`.max-block-mfa-attempts`	`int`	`2`	Max MFA attempts allowed when bypassing a block
`security.zerotrust.sampling`
`.rate`	`double`	`1.0`	Request sampling ratio (0.0–1.0)
`security.zerotrust.hotpath`
`.enabled`	`boolean`	`true`	Enable hot-path fast decision
`security.zerotrust.thresholds`
`.skip`	`double`	`0.3`	Skip-evaluation threshold (below this score)
`.optional`	`double`	`0.5`	Optional authentication threshold
`.required`	`double`	`0.7`	Required authentication threshold
`.strict`	`double`	`0.9`	Strict block threshold
`security.zerotrust.protectable`
`.rapid-reentry-window-ms`	`long`	`5000`	Rapid re-entry window for protected resources (ms)
`security.zerotrust.redis`
`.timeout`	`int`	`5`	Redis operation timeout (seconds)
`.update-interval-seconds`	`int`	`30`	Redis state update interval (seconds)
`security.zerotrust.threat`
`.initial`	`double`	`0.3`	Initial threat score
`security.zerotrust.cache`
`.ttl-hours`	`int`	`24`	Decision cache TTL (hours)
`.session-ttl-minutes`	`int`	`30`	Session cache TTL (minutes)
`.invalidated-ttl-minutes`	`int`	`60`	Invalidated cache TTL (minutes)
`security.zerotrust.session`
`.tracking-enabled`	`boolean`	`true`	Enable session tracking

Related: Zero Trust Flow

HCAD Properties

Properties under the hcad prefix, bound to HcadProperties. Configures the Hierarchical Context-Aware Detection (HCAD) filter pipeline and baseline learning.

Property	Type	Default	Description
`hcad`
`.enabled`	`boolean`	`true`	Enable or disable the HCAD filter pipeline.
`.filter-order`	`int`	`100`	HCAD filter order in the servlet filter chain.
`hcad.resource`
`.sensitive-patterns`	`List<String>`	`[]`	URL patterns for sensitive resources requiring enhanced analysis.
`hcad.analysis`
`.max-age-ms`	`long`	`3600000`	Maximum age (ms) for cached analysis results.
`hcad.threshold`
`.base`	`double`	`0.7`	Base anomaly detection threshold.
`.min`	`double`	`0.3`	Minimum threshold after adaptive adjustment.
`.max`	`double`	`0.95`	Maximum threshold after adaptive adjustment.
`.adjustment-rate`	`double`	`0.01`	Rate of threshold adaptation per feedback cycle.
`.sensitivity`	`double`	`1.0`	Global sensitivity multiplier for detection.
`.warn`	`double`	`0.7`	Warning threshold before block action.
`hcad.cache`
`.max-size`	`int`	`100000`	Maximum number of cached analysis entries.
`.ttl-ms`	`long`	`300000`	Cache entry time-to-live in milliseconds.
`.clear-on-startup`	`boolean`	`false`	Clear all cache entries on application startup.
`.local.ttl-minutes`	`int`	`10`	Local cache TTL in minutes.
`hcad.baseline`
`.min-confidence`	`double`	`0.3`	Minimum confidence for baseline data.
`.update-alpha`	`double`	`0.1`	Exponential moving average alpha for baseline updates.
`.learning.enabled`	`boolean`	`true`	Enable baseline learning from live traffic.
`.learning.alpha`	`double`	`0.1`	Online baseline adaptation learning rate.
`.bootstrap.enabled`	`boolean`	`true`	Enable bootstrap mode for initial baseline building.
`.bootstrap.initial-samples`	`int`	`10`	Number of initial samples required before enforcement.
`.bootstrap.max-anomaly-score`	`double`	`0.85`	Maximum anomaly score during bootstrap phase.
`.statistical.enabled`	`boolean`	`true`	Enable statistical baseline analysis.
`.statistical.min-samples`	`int`	`20`	Minimum samples for statistical analysis.
`.statistical.z-score-threshold`	`double`	`3.0`	Z-score threshold for outlier detection.
`.redis.ttl-days`	`int`	`30`	Redis baseline data TTL in days.
`hcad.feedback`
`.learning-rate`	`double`	`0.1`	Feedback loop learning rate for threshold adjustment.
`.retrain-threshold`	`double`	`0.7`	Accuracy threshold triggering model retrain.
`.window-size`	`int`	`1000`	Sliding window size for feedback collection.
`hcad.orchestrator`
`.enabled`	`boolean`	`true`	Enable the HCAD orchestrator for coordinated analysis.
`.feedback-interval`	`int`	`300`	Feedback processing interval in seconds.
`.sync-batch-size`	`int`	`50`	Batch size for baseline synchronization.
`hcad.vector`
`.embedding-dimension`	`int`	`384`	Embedding vector dimension for behavioral analysis.
`.similarity-threshold`	`double`	`0.85`	Similarity threshold for behavioral pattern matching.
`.scenario-detection-enabled`	`boolean`	`true`	Enable scenario-based anomaly detection via vectors.
`hcad.session`
`.cookie-name`	`String`	`JSESSIONID`	Session cookie name for HCAD tracking.
`.header-name`	`String`	`X-Session-Id`	Header name for session ID in stateless mode.
`hcad.signal`
`.chi-square-threshold`	`double`	`14.07`	Chi-square threshold for signal anomaly detection.
`.history-size`	`int`	`100`	Number of historical signals to retain.
`.geoip.provider`	`String`	`api`	GeoIP provider: `api` or `local`.
`hcad.adaptive`
`.adjustment-rate`	`double`	`0.1`	Adaptive threshold adjustment rate.
`.cusum.threshold`	`double`	`5.0`	CUSUM change-point detection threshold.
`.cusum.slack`	`double`	`0.5`	CUSUM slack parameter for drift tolerance.
`.baseline.window`	`int`	`100`	Adaptive baseline window size.
`hcad.geoip`
`.enabled`	`boolean`	`false`	Enable GeoIP-based location analysis.
`.db-path`	`String`	`data/GeoLite2-City.mmdb`	Path to MaxMind GeoLite2 database file.
`hcad.redis`
`.key-prefix`	`String`	`hcad:baseline:v2:`	Redis key prefix for HCAD baseline data.

Additional HCAD Fields in Current OSS Code

Property	Default	Description
`hcad.baseline.statistical.update-interval`	`10`	Refresh interval for the statistical baseline.
`hcad.feedback.baseline.update-threshold`	`0.95`	Threshold for writing feedback into the learned baseline.
`hcad.orchestrator.performance-tracking`	`true`	Enable orchestrator performance tracking.
`hcad.vector.cache-ttl-hours`	`24`	TTL for cached behavioral embeddings.
`hcad.vector.max-cached-embeddings`	`1000`	Maximum cached embedding entries.
`hcad.signal.covariance.min-samples`	`30`	Minimum samples for covariance analysis.
`hcad.signal.geoip.api-url`	`https://ipapi.co/{ip}/json/`	Remote GeoIP API template.
`hcad.signal.timing.bucket-count`	`7`	Timing bucket count.
`hcad.signal.timing.interval.history-size`	`100`	Timing interval history size.
`hcad.sampling.random.floor`	`0.01`	Minimum random sampling rate.
`hcad.sampling.random.ceiling`	`0.03`	Maximum random sampling rate.
`hcad.sampling.composite.identifier.enabled`	`true`	Enable composite identifier sampling.
`hcad.similarity.hot-path-threshold`	`0.7`	Similarity threshold used by hot-path decisions.
`hcad.adaptive.min.trust.score`	`0.7`	Minimum trust score used by adaptive controls.
`hcad.pre-trigger.enabled`	`true`	Enable pre-trigger heuristics before full analysis.
`hcad.pre-trigger.cooldown-seconds`	`15`	Cooldown for repeated pre-triggers.
`hcad.pre-trigger.in-flight-ttl-seconds`	`15`	TTL for in-flight pre-trigger markers.
`hcad.pre-trigger.negative-cache-seconds`	`3`	Negative cache lifetime.
`hcad.pre-trigger.redline-score`	`70`	Redline score threshold.
`hcad.pre-trigger.high-risk-score`	`50`	High-risk score threshold.
`hcad.pre-trigger.medium-risk-score`	`30`	Medium-risk score threshold.
`hcad.pre-trigger.low-baseline-confidence-threshold`	`0.35`	Low baseline confidence threshold.
`hcad.pre-trigger.failed-login-burst-threshold`	`3`	Failed-login burst threshold.
`hcad.pre-trigger.request-burst-threshold`	`12`	Request burst threshold.
`hcad.pre-trigger.rapid-request-interval-ms`	`1000`	Rapid-request interval window.
`hcad.pre-trigger.sensitive-path-indicators`	`[/admin/, /export, /download, /sensitive/, /critical/]`	Sensitive path indicators (substring match).

Example Configuration

YAML

hcad:
  enabled: true
  filter-order: 100
  resource:
    sensitive-patterns:
      - /admin/api/security-test/sensitive/**
      - /admin/api/security-test/critical/**
  threshold:
    base: 0.7
    sensitivity: 1.0
  baseline:
    learning:
      enabled: true
      alpha: 0.1
    bootstrap:
      enabled: true
      initial-samples: 10
  geoip:
    enabled: false
    db-path: data/GeoLite2-City.mmdb

Security Plane Properties

Properties under security.plane, bound to SecurityPlaneProperties. The class configures the distributed security-plane agent, Kafka topics, Redis relay settings, monitoring batches, deduplication windows, and the LLM executor pool used by asynchronous security analysis.

Property	Type	Default	Description
`security.plane.agent`
`.name`	`String`	`SecurityPlaneAgent-1`	Agent instance name
`.auto-start`	`boolean`	`true`	Auto-starts the agent on boot
`.organization-id`	`String`	`default-org`	Organization identifier for distributed deployments
`.execution-mode`	`String`	`ASYNC`	Agent execution mode
`.auto-approve-low-risk`	`boolean`	`false`	Automatically approves low-risk decisions when enabled
`.event-timeout-ms`	`long`	`30000`	Per-event processing timeout
`.max-deferred-retries`	`int`	`3`	Deferred retry limit for agent processing
`security.plane.kafka`
`.bootstrap-servers`	`String`	`localhost:9092`	Kafka bootstrap servers
`.group-id`	`String`	`security-plane-consumer`	Kafka consumer group id
`.topics.security-events`	`String`	`security-events`	Security event topic
`.topics.threat-indicators`	`String`	`threat-indicators`	Threat indicator topic
`.topics.network-events`	`String`	`network-events`	Network event topic
`.topics.auth-events`	`String`	`auth-events`	Authentication event topic
`security.plane.monitor`
`.queue-size`	`int`	`10000`	Event queue capacity
`.batch-size`	`int`	`8`	Monitoring batch size
`.flush-interval-ms`	`long`	`500`	Batch flush interval
`.correlation-window-minutes`	`int`	`10`	Correlation window size
`.dedup-window-minutes`	`int`	`5`	Deduplication time window
`security.plane.notifier`
`.batch-size`	`int`	`10`	Notification batch size
`.async-enabled`	`boolean`	`true`	Enable async notification dispatch
`.critical-threshold`	`double`	`0.8`	Critical alert threshold
`security.plane.redis`
`.batch-size`	`int`	`50`	Redis publish batch size
`.cache.ttl-minutes`	`int`	`60`	Redis relay cache TTL
`.channel.security-events`	`String`	`security:events`	Redis security event channel
`.channel.threat-alerts`	`String`	`security:threats`	Redis threat alert channel
`security.plane.llm-executor`
`.core-pool-size`	`int`	`2`	Core thread pool size for LLM analysis
`.max-pool-size`	`int`	`2`	Maximum thread pool size for LLM analysis
`.queue-capacity`	`int`	`50`	Queue capacity for pending LLM work
`security.plane.deduplication`
`.enabled`	`boolean`	`true`	Deduplication toggle
`.window-minutes`	`int`	`5`	Deduplication window size
`.cache-size`	`int`	`10000`	Deduplication cache size

YAML

security:
  plane:
    agent:
      name: SecurityPlaneAgent-1
      auto-start: true
      organization-id: default-org
      execution-mode: ASYNC
      auto-approve-low-risk: false
      event-timeout-ms: 30000
      max-deferred-retries: 3
    llm-executor:
      core-pool-size: 2
      max-pool-size: 2
      queue-capacity: 50
    deduplication:
      enabled: true
      window-minutes: 5
      cache-size: 10000

Related: Zero Trust Flow, SOAR Reference

Session Security Properties

Properties under security.session, bound to SecuritySessionProperties. The OSS class configures token creation, header and bearer token extraction, hijack notification wiring, cookie naming, and risk thresholds used by session anomaly evaluation.

Property	Type	Default	Description
`security.session.create.allowed`	`boolean`	`true`	Allows session/token creation
`security.session.header.name`	`String`	`X-Auth-Token`	Header name for token transport
`security.session.bearer.enabled`	`boolean`	`true`	Enables bearer token parsing
`security.session.cookie.name`	`String`	`SESSION`	Cookie name used for session transport
`security.session.hijack.channel`	`String`	`security:session:hijack:event`	Hijack event channel name
`security.session.hijack.detection.enabled`	`boolean`	`true`	Hijack detection toggle
`security.session.threat.ip-change-risk`	`double`	`0.4`	Risk contribution for IP changes
`security.session.threat.ua-change-risk`	`double`	`0.3`	Risk contribution for user-agent changes
`security.session.threat.rapid-access-threshold-ms`	`int`	`100`	Rapid-access threshold window
`security.session.threat.rapid-access-risk`	`double`	`0.2`	Risk contribution for rapid access bursts
`security.session.threat.thresholds.monitoring`	`double`	`0.5`	Monitoring threshold
`security.session.threat.thresholds.grace-period`	`double`	`0.7`	Grace-period threshold
`security.session.threat.thresholds.invalidation`	`double`	`0.9`	Invalidation threshold

Related: State Management Reference

Router Properties

Properties under security.router, bound to SecurityRouterProperties. Defines the score thresholds used when routing security events (SOAR automation / block / analysis confidence / pass-through).

Property	Type	Default	Description
`security.router.threshold`
`.soar`	`double`	`0.9`	SOAR automated response threshold
`.block`	`double`	`0.8`	Block decision threshold
`.analysis-confidence`	`double`	`0.6`	Analysis result acceptance confidence
`.pass-through`	`double`	`0.6`	Pass-through allowance threshold

Event Properties

Properties under security.event, bound to SecurityEventProperties. Configures event publishing gates, the asynchronous executor pool, per-tier latency budgets, and the deduplication cache.

Property	Type	Default	Description
`security.event.publishing`
`.enabled`	`boolean`	`true`	Enable event publishing
`.exclude-uris`	`String`	`/actuator,/health,/metrics`	Comma-separated URI prefixes excluded from publishing
`.anonymous.enabled`	`boolean`	`true`	Enable event publishing for anonymous users
`security.event.executor`
`.core-pool-size`	`int`	`cores × 2`	Core thread pool size for event processing
`.max-pool-size`	`int`	`cores × 4`	Maximum thread pool size
`.queue-capacity`	`int`	`10000`	Pending event queue capacity
`security.event.tier`
`.critical.max-latency-ms`	`int`	`100`	Latency budget for critical events (ms)
`.contextual.max-latency-ms`	`int`	`1000`	Latency budget for contextual events (ms)
`.general.max-latency-ms`	`int`	`10000`	Latency budget for general events (ms)
`.general.sampling-rate`	`double`	`0.1`	General event sampling rate
`security.event.deduplication`
`.enabled`	`boolean`	`true`	Enable deduplication
`.window-minutes`	`int`	`5`	Deduplication window (minutes)
`.cache-size`	`int`	`10000`	Deduplication cache size

Cold-Path Properties

Properties under security.coldpath, bound to SecurityColdPathProperties. Defines per-layer baseline confidence values for the asynchronous LLM analysis path.

Property	Type	Default	Description
`security.coldpath.confidence`
`.layer1-base`	`double`	`0.5`	Base confidence for layer-1 analysis
`.layer2-base`	`double`	`0.7`	Base confidence for layer-2 analysis

Pipeline Properties

Properties under security.pipeline, bound to SecurityPipelineProperties. Configures the Redis · Kafka transport channels of the security event pipeline.

Property	Type	Default	Description
`security.pipeline.kafka`
`.topic`	`String`	`security-events`	Kafka topic the pipeline publishes to

Note: security.pipeline.redis is an empty marker group. Actual Redis behavior is configured under security.plane.redis and security.zerotrust.redis.