Security Configuration
Configuration properties for the Contexa security engine, including Zero Trust, HCAD detection, and SecurityPlane agent settings.
Zero Trust Properties
Properties under security.zerotrust, bound to SecurityZeroTrustProperties. These settings control the Zero Trust decision mode, core thresholds, hot-path handling, cache windows, and request-tracking behavior. HCAD is configured separately under the hcad prefix.
See the full property reference on the main Configuration page.
Related: Zero Trust Flow
HCAD Properties
Properties under the hcad prefix, bound to HcadProperties. Configures the Hierarchical Context-Aware Detection (HCAD) filter pipeline and baseline learning.
| Property | Type | Default | Description |
|---|---|---|---|
hcad | | | |
.enabled | boolean | true | Enable or disable the HCAD filter pipeline. |
.filter-order | int | 100 | HCAD filter order in the servlet filter chain. |
hcad.resource | | | |
.sensitive-patterns | List<String> | [] | URL patterns for sensitive resources requiring enhanced analysis. |
hcad.analysis | | | |
.max-age-ms | long | 3600000 | Maximum age (ms) for cached analysis results. |
hcad.threshold | | | |
.base | double | 0.7 | Base anomaly detection threshold. |
.min | double | 0.3 | Minimum threshold after adaptive adjustment. |
.max | double | 0.95 | Maximum threshold after adaptive adjustment. |
.adjustment-rate | double | 0.01 | Rate of threshold adaptation per feedback cycle. |
.sensitivity | double | 1.0 | Global sensitivity multiplier for detection. |
.warn | double | 0.7 | Warning threshold before block action. |
hcad.cache | | | |
.max-size | int | 100000 | Maximum number of cached analysis entries. |
.ttl-ms | long | 300000 | Cache entry time-to-live in milliseconds. |
.clear-on-startup | boolean | false | Clear all cache entries on application startup. |
.local.ttl-minutes | int | 10 | Local cache TTL in minutes. |
hcad.baseline | | | |
.min-confidence | double | 0.3 | Minimum confidence for baseline data. |
.update-alpha | double | 0.1 | Exponential moving average alpha for baseline updates. |
.learning.enabled | boolean | true | Enable baseline learning from live traffic. |
.learning.alpha | double | 0.1 | Online baseline adaptation learning rate. |
.bootstrap.enabled | boolean | true | Enable bootstrap mode for initial baseline building. |
.bootstrap.initial-samples | int | 10 | Number of initial samples required before enforcement. |
.bootstrap.max-anomaly-score | double | 0.85 | Maximum anomaly score during bootstrap phase. |
.statistical.enabled | boolean | true | Enable statistical baseline analysis. |
.statistical.min-samples | int | 20 | Minimum samples for statistical analysis. |
.statistical.z-score-threshold | double | 3.0 | Z-score threshold for outlier detection. |
.redis.ttl-days | int | 30 | Redis baseline data TTL in days. |
hcad.feedback | | | |
.learning-rate | double | 0.1 | Feedback loop learning rate for threshold adjustment. |
.retrain-threshold | double | 0.7 | Accuracy threshold triggering model retrain. |
.window-size | int | 1000 | Sliding window size for feedback collection. |
hcad.orchestrator | | | |
.enabled | boolean | true | Enable the HCAD orchestrator for coordinated analysis. |
.feedback-interval | int | 300 | Feedback processing interval in seconds. |
.sync-batch-size | int | 50 | Batch size for baseline synchronization. |
hcad.vector | | | |
.embedding-dimension | int | 384 | Embedding vector dimension for behavioral analysis. |
.similarity-threshold | double | 0.85 | Similarity threshold for behavioral pattern matching. |
.scenario-detection-enabled | boolean | true | Enable scenario-based anomaly detection via vectors. |
hcad.session | | | |
.cookie-name | String | JSESSIONID | Session cookie name for HCAD tracking. |
.header-name | String | X-Session-Id | Header name for session ID in stateless mode. |
hcad.signal | | | |
.chi-square-threshold | double | 14.07 | Chi-square threshold for signal anomaly detection. |
.history-size | int | 100 | Number of historical signals to retain. |
.geoip.provider | String | api | GeoIP provider: api or local. |
hcad.adaptive | | | |
.adjustment-rate | double | 0.1 | Adaptive threshold adjustment rate. |
.cusum.threshold | double | 5.0 | CUSUM change-point detection threshold. |
.cusum.slack | double | 0.5 | CUSUM slack parameter for drift tolerance. |
.baseline.window | int | 100 | Adaptive baseline window size. |
hcad.geoip | | | |
.enabled | boolean | false | Enable GeoIP-based location analysis. |
.db-path | String | data/GeoLite2-City.mmdb | Path to MaxMind GeoLite2 database file. |
hcad.redis | | | |
.key-prefix | String | hcad:baseline:v2: | Redis key prefix for HCAD baseline data. |
Additional HCAD Fields in Current OSS Code
| Property | Default | Description |
|---|---|---|
hcad.baseline.statistical.update-interval | 10 | Refresh interval for the statistical baseline. |
hcad.feedback.baseline.update-threshold | 0.95 | Threshold for writing feedback into the learned baseline. |
hcad.orchestrator.performance-tracking | true | Enable orchestrator performance tracking. |
hcad.vector.cache-ttl-hours | 24 | TTL for cached behavioral embeddings. |
hcad.vector.max-cached-embeddings | 1000 | Maximum cached embedding entries. |
hcad.signal.covariance.min-samples | 30 | Minimum samples for covariance analysis. |
hcad.signal.geoip.api-url | https://ipapi.co/{ip}/json/ | Remote GeoIP API template. |
hcad.signal.timing.bucket-count | 7 | Timing bucket count. |
hcad.signal.timing.interval.history-size | 100 | Timing interval history size. |
hcad.sampling.random.floor | 0.01 | Minimum random sampling rate. |
hcad.sampling.random.ceiling | 0.03 | Maximum random sampling rate. |
hcad.sampling.composite.identifier.enabled | true | Enable composite identifier sampling. |
hcad.similarity.hot-path-threshold | 0.7 | Similarity threshold used by hot-path decisions. |
hcad.adaptive.min.trust.score | 0.7 | Minimum trust score used by adaptive controls. |
hcad.pre-trigger.enabled | true | Enable pre-trigger heuristics before full analysis. |
hcad.pre-trigger.cooldown-seconds | 15 | Cooldown for repeated pre-triggers. |
hcad.pre-trigger.in-flight-ttl-seconds | 15 | TTL for in-flight pre-trigger markers. |
hcad.pre-trigger.negative-cache-seconds | 3 | Negative cache lifetime. |
hcad.pre-trigger.redline-score | 70 | Redline score threshold. |
hcad.pre-trigger.high-risk-score | 50 | High-risk score threshold. |
hcad.pre-trigger.medium-risk-score | 30 | Medium-risk score threshold. |
hcad.pre-trigger.low-baseline-confidence-threshold | 0.35 | Low baseline confidence threshold. |
hcad.pre-trigger.failed-login-burst-threshold | 3 | Failed-login burst threshold. |
hcad.pre-trigger.request-burst-threshold | 12 | Request burst threshold. |
hcad.pre-trigger.rapid-request-interval-ms | 1000 | Rapid-request interval window. |
Example Configuration
```yaml
hcad:
  enabled: true
  filter-order: 100
  resource:
    sensitive-patterns:
      - /admin/api/security-test/sensitive/**
      - /admin/api/security-test/critical/**
  threshold:
    base: 0.7
    sensitivity: 1.0
  baseline:
    learning:
      enabled: true
      alpha: 0.1
    bootstrap:
      enabled: true
      initial-samples: 10
  geoip:
    enabled: false
    db-path: data/GeoLite2-City.mmdb
```
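The following is an added worked example, not code from the Contexa project, showing how the hcad.threshold and hcad.baseline values in the example configuration above interact: an EMA baseline (update-alpha), a z-score anomaly score gated by statistical.min-samples, a bootstrap phase that learns without enforcing and caps the score at bootstrap.max-anomaly-score, and an adaptive threshold moved by adjustment-rate per feedback and clamped to [min, max]. The mapping of a z-score to a [0, 1] score (z equal to z-score-threshold maps to 1.0), additive feedback steps, and the choice not to learn from blocked samples are assumptions of this example; the constructor parameters carry the page's defaults and can be overridden to explore the edge cases.

```python
"""Baseline learning, bootstrap gating and adaptive thresholding with hcad.* defaults.

Added illustration, not the Contexa/HCAD implementation. Assumptions: EMA
mean/variance baseline, z-score squashed to [0, 1], feedback moves the
threshold by +/- adjustment-rate, blocked samples are not learned.
"""
import math


class HcadBaselineEvaluator:
    def __init__(self, *, base=0.7, min_threshold=0.3, max_threshold=0.95,
                 adjustment_rate=0.01, sensitivity=1.0, warn=0.7,
                 update_alpha=0.1, bootstrap_samples=10, bootstrap_max_score=0.85,
                 stat_min_samples=20, z_score_threshold=3.0):
        # Defaults mirror hcad.threshold.* and hcad.baseline.* from the tables above.
        self.min_t, self.max_t = min_threshold, max_threshold
        self.adjustment_rate, self.sensitivity, self.warn = adjustment_rate, sensitivity, warn
        self.alpha = update_alpha
        self.bootstrap_samples, self.bootstrap_max_score = bootstrap_samples, bootstrap_max_score
        self.stat_min_samples, self.z_threshold = stat_min_samples, z_score_threshold
        self.threshold = base          # current adaptive block threshold
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def _learn(self, x):
        """Exponential moving average of mean and variance (hcad.baseline.update-alpha)."""
        if self.n == 0:
            self.mean = float(x)
        else:
            delta = x - self.mean
            self.mean += self.alpha * delta
            self.var = (1 - self.alpha) * (self.var + self.alpha * delta * delta)
        self.n += 1

    def score(self, x):
        """Anomaly score in [0, 1], or None when statistical analysis is not yet possible."""
        if self.n < self.stat_min_samples:
            return None
        sigma = math.sqrt(self.var)
        if sigma == 0.0:
            # Degenerate flat baseline: any deviation is maximal (harsh, but explicit).
            return 0.0 if x == self.mean else 1.0
        z = abs(x - self.mean) / sigma
        return min(1.0, (z / self.z_threshold) * self.sensitivity)

    def evaluate(self, x):
        """Return (score, decision) for one sample and learn from it unless blocked."""
        s = self.score(x)
        if s is None:
            decision = "ALLOW"                    # too little history; learn only
        elif self.n < self.bootstrap_samples:
            s = min(s, self.bootstrap_max_score)  # bootstrap: cap score, never enforce
            decision = "ALLOW"
        elif s >= self.threshold:
            decision = "BLOCK"
        elif s >= self.warn:
            decision = "WARN"                     # warn band sits between warn and threshold
        else:
            decision = "ALLOW"
        if decision != "BLOCK":
            self._learn(x)  # blocked traffic must not drag the baseline toward the attacker
        return s, decision

    def feedback(self, false_positive):
        """Adaptive adjustment: false positives raise the threshold, misses lower it."""
        step = self.adjustment_rate if false_positive else -self.adjustment_rate
        self.threshold = min(self.max_t, max(self.min_t, self.threshold + step))


if __name__ == "__main__":
    ev = HcadBaselineEvaluator()
    for i in range(20):                       # constructed warm-up: values alternate 98/102
        ev.evaluate(98 if i % 2 == 0 else 102)
    print("in-band sample:", ev.evaluate(100))
    print("far outlier:   ", ev.evaluate(140))
```

Note that with the page's defaults the warn band is empty (warn equals base) until feedback has pushed the threshold above 0.7, and the bootstrap cap of 0.85 is never reached because bootstrap.initial-samples (10) is below statistical.min-samples (20); lowering min-samples below initial-samples is what makes the cap observable.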
Security Plane Properties
Properties under security.plane, bound to SecurityPlaneProperties. The class configures the distributed security-plane agent, Kafka topics, Redis relay settings, monitoring batches, deduplication windows, and the LLM executor pool used by asynchronous security analysis.
| Property | Type | Default | Description |
|---|---|---|---|
security.plane.agent | |||
.name | String | SecurityPlaneAgent-1 | Agent instance name |
.auto-start | boolean | true | Auto-starts the agent on boot |
.organization-id | String | default-org | Organization identifier for distributed deployments |
.execution-mode | String | ASYNC | Agent execution mode |
.auto-approve-low-risk | boolean | false | Automatically approves low-risk decisions when enabled |
.event-timeout-ms | long | 30000 | Per-event processing timeout |
.max-deferred-retries | int | 3 | Deferred retry limit for agent processing |
security.plane.kafka | |||
.bootstrap-servers | String | localhost:9092 | Kafka bootstrap servers |
.group-id | String | security-plane-consumer | Kafka consumer group id |
.topics.security-events | String | security-events | Security event topic |
.topics.threat-indicators | String | threat-indicators | Threat indicator topic |
.topics.network-events | String | network-events | Network event topic |
.topics.auth-events | String | auth-events | Authentication event topic |
security.plane.monitor | |||
.queue-size | int | 10000 | Event queue capacity |
.batch-size | int | 8 | Monitoring batch size |
.flush-interval-ms | long | 500 | Batch flush interval |
.correlation-window-minutes | int | 10 | Correlation window size |
.dedup-window-minutes | int | 5 | Deduplication time window |
security.plane.notifier | |||
.batch-size | int | 10 | Notification batch size |
.async-enabled | boolean | true | Enable async notification dispatch |
.critical-threshold | double | 0.8 | Critical alert threshold |
security.plane.redis | |||
.batch-size | int | 50 | Redis publish batch size |
.cache.ttl-minutes | int | 60 | Redis relay cache TTL |
.channel.security-events | String | security:events | Redis security event channel |
.channel.threat-alerts | String | security:threats | Redis threat alert channel |
security.plane.llm-executor | |||
.core-pool-size | int | 2 | Core thread pool size for LLM analysis |
.max-pool-size | int | 2 | Maximum thread pool size for LLM analysis |
.queue-capacity | int | 50 | Queue capacity for pending LLM work |
security.plane.deduplication | |||
.enabled | boolean | true | Deduplication toggle |
.window-minutes | int | 5 | Deduplication window size |
.cache-size | int | 10000 | Deduplication cache size |
```yaml
security:
  plane:
    agent:
      name: SecurityPlaneAgent-1
      auto-start: true
      organization-id: default-org
      execution-mode: ASYNC
      auto-approve-low-risk: false
      event-timeout-ms: 30000
      max-deferred-retries: 3
    llm-executor:
      core-pool-size: 2
      max-pool-size: 2
      queue-capacity: 50
    deduplication:
      enabled: true
      window-minutes: 5
      cache-size: 10000
```
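As an added example (not the Contexa SecurityPlane code), the model below shows what the security.plane.deduplication and security.plane.llm-executor values above mean for throughput: repeats of the same event fingerprint are suppressed for window-minutes after the first occurrence, the fingerprint cache is bounded by cache-size, and the LLM executor admits at most max-pool-size running plus queue-capacity queued analyses before rejecting. The fingerprint fields (type, source, target) and the sample events are constructed for the illustration; the admission rule follows standard bounded thread-pool semantics (core threads, then queue, then extra threads up to the maximum, then rejection), which is an assumption about how the executor is configured rather than something the page states.

```python
"""Deduplication window and bounded LLM-executor admission with security.plane.* defaults.

Added illustration, not the Contexa SecurityPlane implementation. Assumptions:
event fingerprint = (type, source, target); the window is anchored on first
sight of a fingerprint; pool capacity = max-pool-size + queue-capacity.
"""
from collections import OrderedDict


class EventDeduplicator:
    def __init__(self, window_minutes=5, cache_size=10000):
        self.window_s = window_minutes * 60       # security.plane.deduplication.window-minutes
        self.cache_size = cache_size              # security.plane.deduplication.cache-size
        self.seen = OrderedDict()                 # fingerprint -> first-seen timestamp (s)

    @staticmethod
    def fingerprint(event):
        return (event["type"], event["source"], event.get("target"))

    def is_duplicate(self, event, now):
        fp = self.fingerprint(event)
        first_seen = self.seen.get(fp)
        if first_seen is not None and now - first_seen < self.window_s:
            return True  # repeat inside the window: suppress, keep the first-seen anchor
        self.seen[fp] = now
        self.seen.move_to_end(fp)
        while len(self.seen) > self.cache_size:
            self.seen.popitem(last=False)  # bounded memory: forget the oldest fingerprint
        return False


class LlmAnalysisPool:
    """Admission model of the llm-executor: running threads plus a bounded queue."""

    def __init__(self, core_pool_size=2, max_pool_size=2, queue_capacity=50):
        self.capacity = max_pool_size + queue_capacity  # 52 with the defaults
        self.in_flight = 0
        self.rejected = 0

    def submit(self):
        if self.in_flight >= self.capacity:
            self.rejected += 1   # a real executor would raise or run a rejection policy
            return False
        self.in_flight += 1
        return True

    def complete(self):
        self.in_flight = max(0, self.in_flight - 1)


def process_events(events, dedup, pool):
    """Return (analysed, duplicates, rejected) counts for a burst of events."""
    analysed = duplicates = rejected = 0
    for ev in events:
        if dedup.is_duplicate(ev, ev["ts"]):
            duplicates += 1
        elif pool.submit():
            analysed += 1
        else:
            rejected += 1
    return analysed, duplicates, rejected


# Constructed sample events (not real telemetry); timestamps are seconds.
SAMPLE_EVENTS = [
    {"type": "AUTH_FAILURE", "source": "203.0.113.7", "target": "alice", "ts": 0},
    {"type": "AUTH_FAILURE", "source": "203.0.113.7", "target": "alice", "ts": 60},
    {"type": "AUTH_FAILURE", "source": "203.0.113.7", "target": "alice", "ts": 240},
    {"type": "AUTH_FAILURE", "source": "203.0.113.7", "target": "alice", "ts": 360},  # past the 5-min window
]

if __name__ == "__main__":
    print(process_events(SAMPLE_EVENTS, EventDeduplicator(), LlmAnalysisPool()))
```

With core and max pool size both 2 and a queue of 50, the 53rd concurrent analysis in a burst is rejected; if the notifier or monitor can produce bursts larger than that, either raise queue-capacity or make sure the rejection path degrades to a non-LLM decision rather than dropping the event.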
Related: Zero Trust Flow, SOAR Reference
Session Security Properties
Properties under security.session, bound to SecuritySessionProperties. The OSS class configures token creation, header and bearer token extraction, hijack notification wiring, cookie naming, and risk thresholds used by session anomaly evaluation.
| Property | Type | Default | Description |
|---|---|---|---|
security.session.create.allowed | boolean | true | Allows session/token creation |
security.session.header.name | String | X-Auth-Token | Header name for token transport |
security.session.bearer.enabled | boolean | true | Enables bearer token parsing |
security.session.cookie.name | String | SESSION | Cookie name used for session transport |
security.session.hijack.channel | String | security:session:hijack:event | Hijack event channel name |
security.session.hijack.detection.enabled | boolean | true | Hijack detection toggle |
security.session.threat.ip-change-risk | double | 0.4 | Risk contribution for IP changes |
security.session.threat.ua-change-risk | double | 0.3 | Risk contribution for user-agent changes |
security.session.threat.rapid-access-threshold-ms | int | 100 | Rapid-access threshold window |
security.session.threat.rapid-access-risk | double | 0.2 | Risk contribution for rapid access bursts |
security.session.threat.thresholds.monitoring | double | 0.5 | Monitoring threshold |
security.session.threat.thresholds.grace-period | double | 0.7 | Grace-period threshold |
security.session.threat.thresholds.invalidation | double | 0.9 | Invalidation threshold |
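The risk contributions and thresholds above compose as in the following added example (not the Contexa session code). It assumes the three contributions are summed, which the table implies but does not state; with the defaults, an IP change alone (0.4) stays below monitoring, IP plus user-agent change (0.7) enters the grace period, and all three signals together (0.9) reach invalidation. The request records are constructed, and the rounding step exists because summing the default doubles in floating point yields 0.8999999999999999, which would silently miss the invalidation threshold.

```python
"""Session risk scoring with the security.session.threat.* defaults.

Added illustration, not the Contexa SecuritySessionProperties code.
Assumption: risk contributions add up and are compared against the
monitoring / grace-period / invalidation thresholds in that order.
"""


def session_risk(previous, current, *, ip_change_risk=0.4, ua_change_risk=0.3,
                 rapid_access_threshold_ms=100, rapid_access_risk=0.2):
    """Return (risk, reasons) for the current request relative to the previous one."""
    risk, reasons = 0.0, []
    if current["ip"] != previous["ip"]:
        risk += ip_change_risk                      # security.session.threat.ip-change-risk
        reasons.append("ip-change")
    if current["user_agent"] != previous["user_agent"]:
        risk += ua_change_risk                      # security.session.threat.ua-change-risk
        reasons.append("ua-change")
    if current["ts_ms"] - previous["ts_ms"] < rapid_access_threshold_ms:
        risk += rapid_access_risk                   # security.session.threat.rapid-access-risk
        reasons.append("rapid-access")
    # Round so that 0.4 + 0.3 + 0.2 compares as 0.9 rather than 0.8999999999999999.
    return min(1.0, round(risk, 9)), reasons


def session_action(risk, *, monitoring=0.5, grace_period=0.7, invalidation=0.9):
    """Map a risk score onto the security.session.threat.thresholds.* bands."""
    if risk >= invalidation:
        return "INVALIDATE"
    if risk >= grace_period:
        return "GRACE_PERIOD"
    if risk >= monitoring:
        return "MONITOR"
    return "NONE"


def evaluate_session(requests):
    """Walk a session's request history and return the action for each transition."""
    actions = []
    for previous, current in zip(requests, requests[1:]):
        risk, reasons = session_risk(previous, current)
        actions.append((session_action(risk), risk, reasons))
    return actions


# Constructed request records for one session (not real traffic).
UA_LINUX = "Mozilla/5.0 (X11; Linux x86_64)"
UA_OTHER = "curl/8.0"
SESSION_HISTORY = [
    {"ip": "198.51.100.10", "user_agent": UA_LINUX, "ts_ms": 1_000},
    {"ip": "198.51.100.10", "user_agent": UA_LINUX, "ts_ms": 5_000},   # same client, normal pace
    {"ip": "203.0.113.42", "user_agent": UA_LINUX, "ts_ms": 9_000},    # IP changed
    {"ip": "203.0.113.42", "user_agent": UA_OTHER, "ts_ms": 9_050},    # UA changed, 50 ms later
]

if __name__ == "__main__":
    for action, risk, reasons in evaluate_session(SESSION_HISTORY):
        print(f"{action:<12} risk={risk:.1f} {reasons}")
```

Because the three signals only sum to 0.9, the invalidation band is reached solely when every signal fires; if the deployment wants an IP change plus user-agent change to invalidate on its own, raise those two contributions or lower the invalidation threshold, and keep the rounding (or compare in integer basis points) so threshold checks do not depend on floating-point summation order.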
Related: State Management Reference