Java configuration options
Each Enforcer has a set of configuration options that control the Enforcer’s functionality and features. While some are required, many of these are optional configurations that you can use to customize the Enforcer’s behavior. You can reference available configurations with this article. The HUMAN Java Enforcer is configured with a PXConfiguration instance passed to the PerimeterX constructor (and related builder APIs).
While all Enforcers come with the same set of required configurations, the optional configurations available for each may differ. We recommend updating to the latest Enforcer version to ensure you have access to the latest features and configurations.
Quick reference
Basic functionality
Basic features
Optional
Interfaces
Required configurations
These configurations are necessary for the Enforcer’s basic functionality and features.
Basic functionality configurations
appId
Your HUMAN Application ID in the form of PX12AB34CD. You can copy this value from the HUMAN Console in Platform Settings > Applications Overview. If you have multiple applications, make sure to copy the ID of the application you want the Enforcer on.
authToken
The application’s server token needed to authorize with HUMAN’s backend. You can copy this value from the HUMAN Console in Platform Settings > Applications Overview > Click the appropriate application > Server token tab.
cookieKey
The secret used to encrypt and decrypt the risk cookie sent from the HUMAN Sensor. You can copy this value from the HUMAN Console in Sightline Cyberfraud Defense > Traffic Policy Overview > Click the appropriate application > Click the key > Copy value.
If you need to rotate secrets, then adjust this configuration to be an array of strings (string[]) and include the new secret and old secret. The new secret value should be the first value in the array. This prevents decryption failures.
apiTimeout
The total time in milliseconds that the Enforcer will wait for the Risk API request to return before timing out and passing the request.
blockingScore
The minimum risk score that the Enforcer will block. Ranges from 0 (lowest risk) to 100 (highest risk).
Basic feature configurations
setLoggerSeverity
The severity at which the logger will output logs.
LoggerSeverity.NONE: The logger will not generate any logs.LoggerSeverity.ERROR: The logger will only generate logs on fatal errors.LoggerSeverity.DEBUG: The logger will generate detailed logs for debugging purposes. Not recommended for production environments.
See px_logger_auth_token for a header-based alternative.
The Java Enforcer uses SLF4J and Logback for logging.
ipHeaders
An array of header names that are trusted to contain the true client IP. Headers are traversed in the order they’re listed, and the first header value will always be used as the client IP.
If not set, will be taken from default.
Use with the CombinedIPProvider interface.
moduleEnabled
Whether the Enforcer module is enabled.
true: Enable the modulefalse: Disable the module
moduleMode
The Enforcer’s operation mode.
ModuleMode.MONITOR: The Enforcer performs all functions without returning block responses. Useful for analyzing and adjusting Enforcer behavior without serving block pages to end users. If you have routes that must have enforcement at all times, see Enforced routes.ModuleMode.BLOCKING: The Enforcer will return block responses as needed.
Optional configurations
These configurations aren’t required, but you can use them to further customize the Enforcer’s behavior.
Advanced blocking response (ABR)
advancedBlockingResponse
In specific cases such as XHR post requests, a full CAPTCHA page render might not be an option. In such cases, the Advanced Blocking Response (ABR) returns a JSON object containing all the information needed to render a customized CAPTCHA challenge implementation such as a popup modal, a section on the page, etc. This provides more flexibility and customizability in displaying the CAPTCHA challenge.
Bypass monitor header
bypassMonitorHeader
Activates the full blocking flow to verify the flow works as expected if a particular header is present on the request. Often used during monitor mode, where the Enforcer collects data without blocking user requests, before switching to ModuleMode.BLOCKING.
Credentials Intelligence
These configurations are specific to Credentials Intelligence-related features in Sightline Cyberfraud Defense.
loginCredentialsExtractionEnabled
Whether to enable the extraction and reporting of credentials from the Enforcer for Credential Intelligence.
true: Enable Credential Intelligencefalse: Disable Credential Intelligence
loginCredentialsExtractionDetails
An array of configuration objects for each credential endpoint. Each element in the array is an object representing a distinct endpoint to which credentials are sent and includes:
- How to identify these credential-bearing requests
- How to extract the credentials from the request
- How to determine if the request operation (login, signup, etc.) was successful based on the returned HTTP response
ciProtocol
Determines the structure and content of the user login data.
pxCompromisedCredentialsHeader
The header name to be set on the incoming request if the credentials are compromised. If this header is added, its value will always be 1. If credentials have not been identified as compromised, the header will not be added to the request.
additionalS2SActivityHeaderEnabled
Whether to attach the additional_s2s payload and URL as headers to the original request. This is done so that the additional_s2s activity can be enriched with the proper login_successful value and sent to the provided URL at a later stage. This disables automatically sending additional_s2s activities.
When set to true, the following headers are added to the origin request:
px-additional-activity: A JSON object containing the payload of theadditional_s2sactivity. Thelogin_successfulandhttp_status_codefields should be set prior to sending the activity.
px-additional-activity header example
px-additional-activity header example
px-additional-activity-url: The URL to which theadditional_s2spayload should be sent as an HTTP POST request.
addRawUsernameOnAdditionalS2SActivity
Whether to report the raw username on the additional_s2s activity.
false: The raw username will never be reported.true: The raw username will only be reported if:- The credentials are compromised, and
- The login request was successful.
loginResponseValidationReportingMethod
Method name that determines how to validate if the login was successful. There are several ways to report the success or failure of the login attempt. If left empty, the login success status is always reported as false.
STATUS
Provide a status or array of statuses that represent a successful login. If a response’s status code matches the provided value or one of the values in the provided array, the login success status is set to true. Otherwise, it is set to false.
To define a range of statuses, use the CUSTOM reporting method.
Default values:
px_login_successful_status:200
HEADER
Provide a header name and value. If the header exists on the response and matches the provided value, the login success status is set to true. If the header is not found on the response, or if the header value does not match the value in the configuration, the login success status is set to false.
Default values:
headerNameToValidateLoginResponse:x-px-login-successfulheaderValueToValidateLoginResponse:1
BODY
Provide a string or regular expression with which to parse the response body. If a match is found, the login success status is set to true. If no match is found, the login success status is set to false.
Default values:
regexPatternToValidateLoginResponseBody: Empty
CUSTOM
Provide a custom class that implements the LoginResponseValidator interface and overrides isSuccessfulLogin, which receives a ResponseWrapper and returns a boolean.
Default values:
customLoginResponseValidator: empty
loginResponseValidationRegexBody
Regex pattern that checks the response body in order to validate successful login.
headerNameToValidateLoginResponse
Header name used to validate whether the login is successful.
headerValueToValidateLoginResponse
Header value used to validate whether the login is successful.
loginResponseValidationStatusCode
Array of status codes used to validate whether the login was successful.
Custom cookie header
customCookieHeader
By default, the Enforcer extracts HUMAN cookies from the Cookie header. However, if these cookies are transferred on a different header, then that header’s name must be provided with this configuration.
Custom parameters
customParametersExtraction
Enriches activities sent from the Enforcer to HUMAN with additional custom parameters. This data can include user information, session IDs, or other data that HUMAN should have access to. These custom parameters are defined by a configurable function that must return an object that contains these custom parameters. There is a limit of 10 custom parameters.
The request body can only be read once! If you plan on reading the request body in this function, we recommend you using a request wrapper that caches the body before calling pxVerify
Parameters:
config: HumanSecurityConfigurationrequest:HttpServletRequest
Returns: Promise<CustomParameters>
Custom proxy
useProxy
Whether to use the proxyHost for message forwarding.
proxyHost
If your architecture requires the use of a proxy server to access outside services, you can designate a proxy URL or IP port to use. This will use HTTP tunneling and direct all outgoing HUMAN traffic to the defined proxy address.
If using HTTPS, ensure that the proxy’s certificate is installed on the machine running the Enforcer.
Required if useProxy is true.
proxyPort
The proxy’s port. Required if useProxy is true.
Encryption and buffering
encryptionEnabled
Whether to decode or decrypt a cookie.
maxBufferLen
Sets the number of activities to send in batched activities.
Filters
staticFilesExt
Filters out requests with the specified file extension. By default, HUMAN doesn’t enforce static assets such as images and documents to minimize unncessary API calls and computation, but you can configure this list at any time.
Filtering by extension only applies to GET and HEAD HTTP methods.
Header data enrichment
These configurations let you add headers to incoming requests with additional data.
pxDataEnrichmentHeaderName
Adds a header to the incoming request with the configured header name and the JSON-stringified data enrichment object as the value. If empty or if data enrichment has not been enabled for your policy, no header will be set. To view available data and enable this feature, see Data classification enrichment.
HUMAN Challenge & hard block customization
These configurations let you customize the HUMAN Challenge block page as well as the hard block page, which appears when a request is blocked without a Challenge. Hard block pages inherit the same styling as the HUMAN Challenge according to the following configurations and cannot be customized separately.
cssRef
A way to include a custom CSS file to the block page.
Maps to {{cssRef}} in the block page template.
jsRef
A way to include custom JavaScript to the block page. This script will run after the default JavaScript scripts.
Maps to {{jsRef}} in the block page template.
customLogo
Adds a custom logo to the HUMAN Challenge block page via URL.
Maps to {{customLogo}} in the block page template.
Monitored and enforced routes
These configurations let you define specific routes that should be enforced by HUMAN when the Enforcer is in monitor mode. These routes will always be subject to the full Enforcer workflow, including blocking requests if necessary.
enforcedRoutes
An array of routes or prefixes that should be enforced by HUMAN even when the Enforcer is in monitor mode.
monitoredRoutes
A list of endpoints to be monitored rather than blocked by the Enforcer, even when the Enforcer is in ModuleMode.BLOCKING mode.
Network configuration
connectionTimeout
TCP connection timeout to HUMAN servers, in milliseconds.
maxConnectionsPerRoute
The maximum connections per route for Risk API requests in the connections pool.
maxConnections
The total maximum connections for Risk API client.
sendPageActivities
Toggle sending asynchronous page activities.
serverURL
Set the base url for HUMAN servers
PXHD cookie
securedPxhdEnabled
The PX Hashed Data (PXHD) cookie links the first risk request with the browser activities as detected by the Sensor for better user tracking. It can also add more information that’s shared between the HUMAN Collector, Enforcer, and Sensor. This configuration determines whether the Secure cookie attribute is added when setting the PXHD cookie.
See Use of cookies & web storage for more information.
Remote configuration
Remote Configuration lets you update your Enforcer’s configuration from the HUMAN portal rather than interacting with the Enforcer package directly.
loggerAuthToken
An alternative to the basic logger configuration. This sends Enforcer logs to HUMAN’s logging service if a specific header is present on the request. This is particularly useful for expedited debugging, diagnosis, and resolution of any integration or Enforcer-related issues.
Contact HUMAN to recieve your token.
remoteConfigurationInterval
The interval time in milliseconds to wait between attempts to fetch the Remote Configuration.
remoteConfigurationDelay
The amount of time to delay the remote configuration thread before it starts
remoteConfigurationUrl
Set the URL for HUMAN configuration service
Requests queue interval
validateRequestQueueInterval
Interval in seconds of cleaning requests queue. Solves HttpComponent reference leak bug.
Sensitive headers and routes
sensitiveHeaders
Specifies certain headers that should not be forwarded to any other destination, including the HUMAN Detector. While HUMAN’s detection system will continue to use these headers to determine whether to block or not, the specified headers won’t be forwarded from the Enforcer, won’t appear in Enforcer activities, and won’t be sent to any other IP if the Enforcer acts as a proxy.
sensitiveRoutes
A list of prefixes for all routes that should be considered sensitive.
sensitiveRoutesRegex
Regex strings for routes that should be considered sensitive.
customIsSensitiveRequest
This configuration is meant for cases that require more complex logic. We recommended you use sensitiveRoutes for most cases.
A custom function that lets you define which requests should be considered sensitive based on custom logic. It accepts the incoming request as an argument and returns a boolean indicating whether the request should be considered sensitive.
Parameters:
request:function
Returns: A boolean or a Promise resolving to a boolean.
Testing mode
testingMode
Runs the Enforcer in a development environment for testing purposes. The response returns as a JSON object. When you run the Enforcer in testing mode, do not set a custom verification handler
Users identifiers
These configurations are related to Accounts and Account Takeover or Fake Account features in Sightline Cyberfraud Defense.
pxJwtCookieName
The name of the cookie that contains the JWT token that HUMAN should extract user identifiers from.
pxJwtCookieUserIdFieldName
The field name in the JWT object, extracted from the JWT cookie, that contains the user ID to be extracted and reported.
pxJwtCookieAdditionalFieldNames
The field names in the JWT object, extracted from the JWT cookie, that should be extracted and reported in addition to the user ID.
pxJwtHeaderName
The name of the header that contains the JWT token that HUMAN should extract user identifiers from.
pxJwtHeaderUserIdFieldName
The field name in the JWT object, extracted from the JWT header, that contains the user ID to be extracted and reported.
pxJwtHeaderAdditionalFieldNames
The field names in the JWT object, extracted from the JWT header, that should be extracted and reported in addition to the user ID.
Interfaces
You can use the following interfaces to tune the Java Enforcer to your specific needs. Interfaces should be set after you initialize the PerimeterX instance.
activityHandler
Handler for all asynchronous activities from type enforcer_telemetry, page_requested, and block.
- Method:
setActivityHandler
blockHandler
Blocking handle will be called when pxVerify will return that user is not verified.
- Method:
blockHandler
ipProvider
Handles IP address extraction from request.
- Method:
setIpProvider
hostnameProvider
Handles hostname extraction from request.
- Method:
setHostnameProvider
verificationHandler
Handling verification after HUMAN service finished analyzing the request.
- Method:
setVerificationHandler
customParametersProvider
Adds to all activities additional custom parameters.
- Method:
customParametersProvider
loginResponseValidator
Validate if the Login response was successful.
- Method:
isSuccessfulLogin
credentialsExtractor
Extract credentials from login request.
- Method:
extractCredentials
