Security

Configuration

Config reference, YAML examples, and options for Security

YAML Configuration Example

config.yaml
extensions:
  security:
    session:
      enabled: true
      store: "inmemory"
      cookieName: "forge_session"
      ttl: "24h"
      idleTimeout: "30m"
      autoApplyMiddleware: false
      skipPaths: ["/health", "/metrics"]

    cookie:
      enabled: true
      secure: true
      httpOnly: true
      sameSite: "lax"
      path: "/"

    csrf:
      enabled: true
      tokenLength: 32
      tokenLookup: "header:X-CSRF-Token"
      ttl: "12h"
      safeMethods: ["GET", "HEAD", "OPTIONS", "TRACE"]

    rateLimit:
      enabled: true
      requestsPerWindow: 100
      window: "1m"
      store: "memory"
      skipPaths: ["/health", "/metrics"]

    jwt:
      enabled: true
      signingMethod: "HS256"
      secret: "${JWT_SECRET}"
      tokenLookup: "header:Authorization"
      tokenPrefix: "Bearer"
      ttl: "1h"
      refreshTTL: "168h"             # 7 days

    cors:
      enabled: true
      allowOrigins: ["*"]
      allowMethods: ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
      allowHeaders: ["Content-Type", "Authorization", "X-CSRF-Token"]
      exposeHeaders: []
      maxAge: 3600
      allowCredentials: false

    apiKey:
      enabled: true
      keyLookup: "header:X-API-Key"

    passwordHasher:
      algorithm: "argon2id"          # "argon2id" or "bcrypt"
      bcryptCost: 12

    audit:
      enabled: true
      level: "auth"                  # "none", "auth", "all"
      excludePaths: ["/health", "/metrics"]

    securityHeaders:
      enabled: true

The extension loads config from extensions.security first, falling back to security.
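As an added example (not part of the Forge extension's own code), the following Go check lints a loaded security config for the combinations a reviewer would flag: an HMAC JWT whose secret is empty or still an unexpanded `${...}` placeholder, a wildcard CORS origin combined with credentials, session cookies without `secure`/`httpOnly`, and a state-changing method listed under CSRF `safeMethods`. The `SecurityConfig` struct is a hypothetical mirror of the YAML keys above, not the extension's real type.

```go
package main

import (
	"fmt"
	"strings"
)

// SecurityConfig is an assumed mirror of the YAML sections checked below (not the extension's own type).
type SecurityConfig struct {
	JWT    struct{ Enabled bool; SigningMethod, Secret string }
	CORS   struct{ AllowOrigins []string; AllowCredentials bool }
	Cookie struct{ Secure, HTTPOnly bool }
	CSRF   struct{ Enabled bool; SafeMethods []string }
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if strings.EqualFold(s, v) {
			return true
		}
	}
	return false
}

// LintSecurityConfig returns one finding per unsafe combination; an empty slice means all checks passed.
func LintSecurityConfig(c SecurityConfig) []string {
	var f []string
	if c.JWT.Enabled && strings.HasPrefix(c.JWT.SigningMethod, "HS") &&
		(c.JWT.Secret == "" || strings.HasPrefix(c.JWT.Secret, "${")) {
		f = append(f, "jwt: HMAC signing needs a resolved, non-empty secret")
	}
	if contains(c.CORS.AllowOrigins, "*") && c.CORS.AllowCredentials {
		f = append(f, `cors: allowOrigins ["*"] cannot be combined with allowCredentials true`)
	}
	if !c.Cookie.Secure || !c.Cookie.HTTPOnly {
		f = append(f, "cookie: secure and httpOnly must both be true for the session cookie")
	}
	for _, m := range []string{"POST", "PUT", "PATCH", "DELETE"} {
		if c.CSRF.Enabled && contains(c.CSRF.SafeMethods, m) {
			f = append(f, "csrf: "+m+" in safeMethods exempts a state-changing method from token checks")
		}
	}
	return f
}

func main() {
	var c SecurityConfig // constructed weak config: zero value leaves both cookie flags off
	c.CORS.AllowOrigins, c.CORS.AllowCredentials = []string{"*"}, true
	fmt.Println(strings.Join(LintSecurityConfig(c), "\n"))
}
```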

Programmatic Configuration

ext := security.NewExtension(
    security.WithSession(true, "inmemory", 24*time.Hour), // enabled, store backend, session TTL
    security.WithCSRF(true),                              // enabled
    security.WithJWT(true, "HS256", "my-secret"),         // enabled, signing method, HMAC secret
    security.WithRateLimit(true, 200, time.Minute),       // enabled, requests per window, window
    security.WithCORS(true, "*"),                         // enabled, allowed origin
    security.WithAPIKey(true, "header:X-API-Key"),        // enabled, key lookup
)

Key Config Sections

Session

| Field | Default | Description |
|---|---|---|
| Enabled | true | Enable sessions |
| Store | "inmemory" | Session store backend |
| CookieName | "forge_session" | Session cookie name |
| TTL | 24h | Session TTL |
| IdleTimeout | 30m | Idle session timeout |
| AutoApplyMiddleware | false | Auto-apply to all routes |

JWT

| Field | Default | Description |
|---|---|---|
| Enabled | true | Enable JWT |
| SigningMethod | "HS256" | Signing algorithm |
| Secret | "" | Signing secret (required for HMAC) |
| TTL | 1h | Token TTL |
| RefreshTTL | 7d | Refresh token TTL |

Rate Limit

| Field | Default | Description |
|---|---|---|
| Enabled | true | Enable rate limiting |
| RequestsPerWindow | 100 | Max requests per window |
| Window | 1m | Time window |

CORS

| Field | Default | Description |
|---|---|---|
| Enabled | true | Enable CORS |
| AllowOrigins | ["*"] | Allowed origins |
| MaxAge | 3600 | Preflight cache (seconds) |