Security Configuration

Configuration properties for the Contexa security engine, including Zero Trust, HCAD detection, and SecurityPlane agent settings.

Zero Trust Properties

Properties under contexa.security.zerotrust, bound to SecurityZeroTrustProperties. These settings control the Zero Trust decision mode, core thresholds, hot-path handling, cache windows, and request-tracking behavior. HCAD is configured separately under the hcad prefix.

PropertyTypeDefaultDescription
contexa.security.zerotrust
.enabledbooleantrueEnable the Zero Trust engine
.modeSecurityModeENFORCEExecution mode: SHADOW (observe) or ENFORCE (block)
.max-block-mfa-attemptsint2Max MFA attempts allowed when bypassing a block
contexa.security.zerotrust.sampling
.ratedouble1.0Request sampling ratio (0.0–1.0)
contexa.security.zerotrust.hotpath
.enabledbooleantrueEnable hot-path fast decision
contexa.security.zerotrust.thresholds
.skipdouble0.3Skip-evaluation threshold (below this score)
.optionaldouble0.5Optional authentication threshold
.requireddouble0.7Required authentication threshold
.strictdouble0.9Strict block threshold
contexa.security.zerotrust.protectable
.rapid-reentry-window-mslong5000Rapid re-entry window for protected resources (ms)
contexa.security.zerotrust.redis
.timeoutint5Redis operation timeout (seconds)
.update-interval-secondsint30Redis state update interval (seconds)
contexa.security.zerotrust.threat
.initialdouble0.3Initial threat score
contexa.security.zerotrust.cache
.ttl-hoursint24Decision cache TTL (hours)
.session-ttl-minutesint30Session cache TTL (minutes)
.invalidated-ttl-minutesint60Invalidated cache TTL (minutes)
contexa.security.zerotrust.session
.tracking-enabledbooleantrueEnable session tracking

Related: Zero Trust Flow

HCAD Properties

Properties under the hcad prefix, bound to HcadProperties. Configures the Hierarchical Context-Aware Detection (HCAD) filter pipeline and baseline learning.

Property Type Default Description
hcad
.enabled boolean true Enable or disable the HCAD filter pipeline.
.filter-order int 100 HCAD filter order in the servlet filter chain.
hcad.resource
.sensitive-patterns List<String> [] URL patterns for sensitive resources requiring enhanced analysis.
hcad.analysis
.max-age-ms long 3600000 Maximum age (ms) for cached analysis results.
hcad.threshold
.base double 0.7 Base anomaly detection threshold.
.min double 0.3 Minimum threshold after adaptive adjustment.
.max double 0.95 Maximum threshold after adaptive adjustment.
.adjustment-rate double 0.01 Rate of threshold adaptation per feedback cycle.
.sensitivity double 1.0 Global sensitivity multiplier for detection.
.warn double 0.7 Warning threshold before block action.
hcad.cache
.max-size int 100000 Maximum number of cached analysis entries.
.ttl-ms long 300000 Cache entry time-to-live in milliseconds.
.clear-on-startup boolean false Clear all cache entries on application startup.
.local.ttl-minutes int 10 Local cache TTL in minutes.
hcad.baseline
.min-confidence double 0.3 Minimum confidence for baseline data.
.update-alpha double 0.1 Exponential moving average alpha for baseline updates.
.learning.enabled boolean true Enable baseline learning from live traffic.
.learning.alpha double 0.1 Online baseline adaptation learning rate.
.bootstrap.enabled boolean true Enable bootstrap mode for initial baseline building.
.bootstrap.initial-samples int 10 Number of initial samples required before enforcement.
.bootstrap.max-anomaly-score double 0.85 Maximum anomaly score during bootstrap phase.
.statistical.enabled boolean true Enable statistical baseline analysis.
.statistical.min-samples int 20 Minimum samples for statistical analysis.
.statistical.z-score-threshold double 3.0 Z-score threshold for outlier detection.
.redis.ttl-days int 30 Redis baseline data TTL in days.
hcad.feedback
.learning-rate double 0.1 Feedback loop learning rate for threshold adjustment.
.retrain-threshold double 0.7 Accuracy threshold triggering model retrain.
.window-size int 1000 Sliding window size for feedback collection.
hcad.orchestrator
.enabled boolean true Enable the HCAD orchestrator for coordinated analysis.
.feedback-interval int 300 Feedback processing interval in seconds.
.sync-batch-size int 50 Batch size for baseline synchronization.
hcad.vector
.embedding-dimension int 384 Embedding vector dimension for behavioral analysis.
.similarity-threshold double 0.85 Similarity threshold for behavioral pattern matching.
.scenario-detection-enabled boolean true Enable scenario-based anomaly detection via vectors.
hcad.session
.cookie-name String JSESSIONID Session cookie name for HCAD tracking.
.header-name String X-Session-Id Header name for session ID in stateless mode.
hcad.signal
.chi-square-threshold double 14.07 Chi-square threshold for signal anomaly detection.
.history-size int 100 Number of historical signals to retain.
.geoip.provider String api GeoIP provider: api or local.
hcad.adaptive
.adjustment-rate double 0.1 Adaptive threshold adjustment rate.
.cusum.threshold double 5.0 CUSUM change-point detection threshold.
.cusum.slack double 0.5 CUSUM slack parameter for drift tolerance.
.baseline.window int 100 Adaptive baseline window size.
hcad.geoip
.enabled boolean false Enable GeoIP-based location analysis.
.db-path String data/GeoLite2-City.mmdb Path to MaxMind GeoLite2 database file.
hcad.redis
.key-prefix String hcad:baseline:v2: Redis key prefix for HCAD baseline data.

Additional HCAD Fields in Current OSS Code

PropertyDefaultDescription
hcad.baseline.statistical.update-interval10Refresh interval for the statistical baseline.
hcad.feedback.baseline.update-threshold0.95Threshold for writing feedback into the learned baseline.
hcad.orchestrator.performance-trackingtrueEnable orchestrator performance tracking.
hcad.vector.cache-ttl-hours24TTL for cached behavioral embeddings.
hcad.vector.max-cached-embeddings1000Maximum cached embedding entries.
hcad.signal.covariance.min-samples30Minimum samples for covariance analysis.
hcad.signal.geoip.api-urlhttps://ipapi.co/{ip}/json/Remote GeoIP API template.
hcad.signal.timing.bucket-count7Timing bucket count.
hcad.signal.timing.interval.history-size100Timing interval history size.
hcad.sampling.random.floor0.01Minimum random sampling rate.
hcad.sampling.random.ceiling0.03Maximum random sampling rate.
hcad.sampling.composite.identifier.enabledtrueEnable composite identifier sampling.
hcad.similarity.hot-path-threshold0.7Similarity threshold used by hot-path decisions.
hcad.adaptive.min.trust.score0.7Minimum trust score used by adaptive controls.
hcad.pre-trigger.enabledtrueEnable pre-trigger heuristics before full analysis.
hcad.pre-trigger.cooldown-seconds15Cooldown for repeated pre-triggers.
hcad.pre-trigger.in-flight-ttl-seconds15TTL for in-flight pre-trigger markers.
hcad.pre-trigger.negative-cache-seconds3Negative cache lifetime.
hcad.pre-trigger.redline-score70Redline score threshold.
hcad.pre-trigger.high-risk-score50High-risk score threshold.
hcad.pre-trigger.medium-risk-score30Medium-risk score threshold.
hcad.pre-trigger.low-baseline-confidence-threshold0.35Low baseline confidence threshold.
hcad.pre-trigger.failed-login-burst-threshold3Failed-login burst threshold.
hcad.pre-trigger.request-burst-threshold12Request burst threshold.
hcad.pre-trigger.rapid-request-interval-ms1000Rapid-request interval window.
hcad.pre-trigger.sensitive-path-indicators[/admin/, /export, /download, /sensitive/, /critical/]Sensitive path indicators (substring match).

Example Configuration

YAML
hcad:
  enabled: true
  filter-order: 100
  resource:
    sensitive-patterns:
      - /admin/api/security-test/sensitive/**
      - /admin/api/security-test/critical/**
  threshold:
    base: 0.7
    sensitivity: 1.0
  baseline:
    learning:
      enabled: true
      alpha: 0.1
    bootstrap:
      enabled: true
      initial-samples: 10
  geoip:
    enabled: false
    db-path: data/GeoLite2-City.mmdb

Session Security Properties

Properties under contexa.security.session, bound to SecuritySessionProperties. The OSS class configures token creation, header and bearer token extraction, hijack notification wiring, cookie naming, and risk thresholds used by session anomaly evaluation.

Property Type Default Description
contexa.security.session.create.allowedbooleantrueAllows session/token creation
contexa.security.session.header.nameStringX-Auth-TokenHeader name for token transport
contexa.security.session.bearer.enabledbooleantrueEnables bearer token parsing
contexa.security.session.cookie.nameStringSESSIONCookie name used for session transport
contexa.security.session.hijack.channelStringsecurity:session:hijack:eventHijack event channel name
contexa.security.session.hijack.detection.enabledbooleantrueHijack detection toggle
contexa.security.session.threat.ip-change-riskdouble0.4Risk contribution for IP changes
contexa.security.session.threat.ua-change-riskdouble0.3Risk contribution for user-agent changes
contexa.security.session.threat.rapid-access-threshold-msint100Rapid-access threshold window
contexa.security.session.threat.rapid-access-riskdouble0.2Risk contribution for rapid access bursts
contexa.security.session.threat.thresholds.monitoringdouble0.5Monitoring threshold
contexa.security.session.threat.thresholds.grace-perioddouble0.7Grace-period threshold
contexa.security.session.threat.thresholds.invalidationdouble0.9Invalidation threshold

Related: State Management Reference

Step-Up Properties

Properties under contexa.security.stepup, bound to SecurityStepUpProperties. Defines the maximum authentication attempts and lock duration for step-up auth during high-risk actions that require multi-factor authentication (MFA) or extra approval.

PropertyTypeDefaultDescription
contexa.security.stepup
.max-attemptsint3Maximum attempts allowed for step-up auth.
.lockout-durationint300Account lockout duration (seconds) upon exceeding max attempts.

Decision Plane Properties

Properties under contexa.saas, controlling integration with the Contexa SaaS Decision Plane. Configures endpoint, intervals, retry policy, and OAuth2 client settings for forwarding local decisions, feedback, and telemetry data to the remote cloud plane.

PropertyTypeDefaultDescription
contexa.saas
.enabledbooleanfalseEnables decision forwarding to SaaS Decision Plane.
.endpointStringhttps://saas.ctxa.aiSaaS Decision Plane base endpoint URL.
.include-reasoningbooleanfalseIncludes decision logic/reasoning in forwarded payloads.
.include-raw-analysis-databooleanfalseIncludes raw analysis data in forwarded payloads.
.outbox-batch-sizeint50Outbox event batch size.
.max-retry-attemptsint10Maximum attempts for retrying failed dispatches.
.retry-initial-backoff-mslong1000Initial backoff delay in milliseconds.
.retry-max-backoff-mslong60000Maximum backoff delay in milliseconds.
.dispatch-interval-mslong30000Outbox dispatch interval in milliseconds.
.pseudonymization-secretStringdefault-dev-secret-change-in-prodSecret key used for pseudonymizing data.
.global-correlation-secretStringdefault-dev-correlation-secretSecret key used for generating global correlation IDs.
contexa.saas.oauth2
.enabledbooleantrueEnables OAuth2 integration.
.registration-idStringcontexa-saas-clientOAuth2 client registration ID.
.token-uriStringhttps://saas.ctxa.ai/oauth2/tokenOAuth2 token request URI.
.client-idStringdev-clientOAuth2 client ID.
.client-secretStringdev-secretOAuth2 client secret.
.scopeStringsaas.xai.decision.ingest,...Comma-separated OAuth2 scopes requested.
.expiry-skew-secondsint30Clock skew buffer (seconds) for token expiry detection.

Distributed Enforcement Properties

Properties under contexa.security.tiered, bound to TieredStrategyProperties. Configures tiered security analysis and enforcement policies between the local agent and cloud/remote agents. Fine-tunes active tiers, truncation parameters, vector search limits, and timeout thresholds.

PropertyTypeDefaultDescription
contexa.security.tiered
.enabledbooleantrueEnables the tiered analysis strategy.
.native-structured-output-enabledbooleantrueLeverages native structured JSON schemas supported by LLMs.
.telemetry-enabledbooleantrueEnables tiered security telemetry.
.trusted-proxy-validation-enabledbooleantrueEnables validation of trusted proxy IPs.
contexa.security.tiered.layer1 / layer2 (Layer configurations)
.layer1.enabledbooleantrueEnables layer-1 (local fast check) analysis.
.layer1.default-budget-profileStringCORTEX_L1_INTERACTIVE_STRICTResource budget profile for layer-1.
.layer2.enabledbooleanfalseEnables layer-2 (cloud deep check) analysis.
.layer2.default-budget-profileStringCORTEX_L2_EXPERT_STRICTResource budget profile for layer-2.
.layer2.enable-soarbooleanfalseAutomatically triggers SOAR actions based on layer-2 decisions.
contexa.security.tiered.security (Decision fine-tuning)
.security.vector-search-limitint3Maximum database matches for similar decision vectors.
.security.max-similar-eventsint2Maximum past events matched to detect attack scenarios.
.security.max-rag-documentsint3Maximum documents injected via RAG to enrich decision context.
.security.timeout-mslong7000Timeout in milliseconds for remote layer-2 requests.