| appId | HUMAN custom application ID in the format of HUMAN**__** | null | String | mandatory |
| cookieKey | Key used for cookie signing - Can be found or generated in HUMAN portal - Policy page. | null | String | mandatory |
| authToken | JWT token used for REST API - Can be found or generated in HUMAN portal - Application page. | null | String | mandatory |
| moduleMode | Set the mode for HUMAN module, Blocking or Monitor, setting to blocking mode meaning the module will be active blocking, monitor mode will only inspect the request but will not block it | Monitor | ModuleMode.BLOCKING / ModuleMode.MONITOR | enum, mandatory for active blocking |
| moduleEnabled | Flag for enabling or disabling HUMAN protection. | true | Boolean | |
| encryptionEnabled | Flag indicating the module to decode or decrypt a cookie. | true | Boolean | |
| blockingScore | When requests with a score equal to or higher value they will be blocked. | 100 | int | |
| sensitiveHeaders | Marks which headers will not be send to HUMAN backends | [cookie, cookies] | Set | |
| maxBufferLen | Set the number of activities to send in batched activities | 10 | int | |
| apiTimeout | Response timeout after sending the request | 1000 | int | Milliseconds |
| connectionTimeout | TCP connection with the HUMAN server timeout | 1000 | int | Milliseconds |
| maxConnectionsPerRoute | Set the maximum connection per route for risk api requests in the connections pool | 50 | int | |
| maxConnections | Set the total maximum connections for risk api client | 200 | int | |
| sendPageActivities | Toggle sending asynchronous page activities | true | Boolean | |
| serverURL | Set the base url for HUMAN servers | https://sapi-<app_id>.perimeterx.net | String | |
| customLogo | The logo will be displayed at the top div of the the block page. The logo’s host name | String | | |
| cssRef | The block page can be modified with a custom CSS by adding the CSSRef directive and providing a valid URL to the css | null | String | |
| jsRef | The block page can be added with custom JS file by adding JSRef directive and providing the JS file that will be loaded with the block page. | null | String | |
| sensitiveRoutes | List of routes the HUMAN module will always do a server-to-server call for, even if the cookie score is low and valid | Empty list | Set | |
| remoteConfigurationEnabled | Toggle remote configurations, when true, initial configurations will be set through constructor, then can be tuned from the portal | false | Boolean | |
| remoteConfigurationInterval | Set the interval value for when to fetch configurations from HUMAN’s configuration service | 5000 | int | Milliseconds |
| remoteConfigurationDelay | Set amount of time to delay the remote configuration thread before it starts | 0 | int | Milliseconds |
| remoteConfigurationUrl | Set the UTL for HUMAN configuration service | | String | |
| ipHeaders | List of headers to extract the user IP from, if not set, it will be taken from default | Empty List | Set | Use with CombinedIPProvider |
| firstPartyEnabled | Toggle first party requests enabled | true | Boolean | Read more details about first party integration here |
| xhrFirstPartyEnabled | Toggle first party XHR requests will be forwarded to PerimeterX servers | true | Boolean | |
| useProxy | The http client shall use a proxy for message forwarding | false | Boolean | |
| proxyHost | The proxy’s host name | String | | |
| proxyPort | The proxy’s port | None - required | int | |
| testingMode | Running the Enforcer in dev environment for testing purposes, response returned as a JSON object. When you run the Enforcer in testing mode, please do not set custom verification handler | false | Boolean | |
| validateRequestQueueInterval | Interval in seconds of cleaning requests queue. Solves HttpComponent reference leak bug. | 5 | int | |
| loginCredentialsExtractionEnabled | Flag that enables/disables the extraction of login credentials. | false | boolean | |
| loginCredentialsExtractionDetails | Maps the json login credentials configuration array to a dedicate class. The map helps in determine if an incoming request is a login request or not. | null | CILoginMap | |
| ciProtocol | Credentials Intelligence protocol determines the structure and content of the user login data. | V2 | CIProtocol | |
| pxCompromisedCredentialsHeader | The name of the header that is sent to the client to mark that the account is breached. | ”px-compromised-credentials” | String | |
| addRawUsernameOnAdditionalS2SActivity | Flag that determines if raw username will be sent in the additional S2S activity. | false | boolean | |
| additionalS2SActivityHeaderEnabled | Flag that determines if additional S2S activity will be sent from the client’s origin to HUMAN. | boolean | false | |
| loginResponseValidationReportingMethod | Method name that determines how to validate if the login was successful. | null | LoginResponseValidationReportingMethod | |
| loginResponseValidationRegexBody | Regex pattern that checks the response body in order to validate successful login. | null | String | |
| headerNameToValidateLoginResponse | Header name that is used to validate if the login is successful. | x-px-login-successful | String | |
| headerValueToValidateLoginResponse | Header value that is used to validate if the login is successful. | ”1” | String | |
| loginResponseValidationStatusCode | Array of status codes that is used to validate if the login was successful. | 200 | int[] | |
| customLoginResponseValidator | Custom class that validates if the login was successful. LoginResponseValidator must be implemented to be able to use this class. | DefaultCustomLoginResponseValidator | LoginResponseValidator | |
| credentialsCustomExtractor | Custom class that extracts the login credentials. CredentialsExtractor must be implemented to be able to use this class. | DefaultCredentialsCustomExtractor | CredentialsExtractor | |
| pxDataEnrichmentHeaderName | Header name for forwarding data enrichment payload to origin server. When set, the SDK will add the PXDE payload as a header that can be forwarded to backend services. | "" (empty string) | String | Used with data enrichment feature |
| securedPxhdEnabled | Enable secure flag on pxhd cookie for enhanced security in HTTPS-only environments. | false | Boolean | |
| pxJwtCookieName | Name of the cookie containing JWT token for user identifier extraction. | null | String | Part of Account Defender JWT user identifiers feature |
| pxJwtCookieUserIdFieldName | Field name in JWT payload to extract as user ID from cookie. | null | String | Supports dot notation for nested fields (e.g., “user.id”) |
| pxJwtCookieAdditionalFieldNames | List of additional field names to extract from JWT cookie payload. | Empty List | String[] | Supports dot notation for nested fields |
| pxJwtHeaderName | Name of the header containing JWT token for user identifier extraction. | null | String | Part of Account Defender JWT user identifiers feature |
| pxJwtHeaderUserIdFieldName | Field name in JWT payload to extract as user ID from header. | null | String | Supports dot notation for nested fields (e.g., “sub”) |
| pxJwtHeaderAdditionalFieldNames | List of additional field names to extract from JWT header payload. | Empty List | String[] | Supports dot notation for nested fields |
