pub struct InsecureOptions {
pub allow_open_security_filters: bool,
pub allow_private_endpoints: bool,
pub allow_private_health_checks: bool,
pub allow_public_admin: bool,
pub allow_root: bool,
pub allow_tls_without_sni: bool,
pub allow_unbounded_body: bool,
pub csrf_log_only: bool,
pub skip_pipeline_validation: bool,
}Expand description
Consolidated security overrides for Praxis.
Every field defaults to false. Setting a flag to true
demotes the corresponding security check from an error to a warning.
Only intended for use in development and testing.
use praxis_core::config::InsecureOptions;
let opts = InsecureOptions::default();
assert!(!opts.allow_open_security_filters);
assert!(!opts.allow_private_endpoints);
assert!(!opts.allow_private_health_checks);
assert!(!opts.allow_public_admin);
assert!(!opts.allow_root);
assert!(!opts.allow_tls_without_sni);
assert!(!opts.allow_unbounded_body);
assert!(!opts.csrf_log_only);
assert!(!opts.skip_pipeline_validation);use praxis_core::config::InsecureOptions;
let opts: InsecureOptions =
serde_yaml::from_str("allow_root: true\nallow_public_admin: true\n").unwrap();
assert!(opts.allow_root);
assert!(opts.allow_public_admin);
assert!(!opts.allow_unbounded_body);Fields§
§allow_open_security_filters: boolAllow security-critical filters to use failure_mode: open,
demoting the validation error to a warning.
allow_private_endpoints: boolAllow cluster endpoints to resolve to loopback, link-local, or cloud metadata addresses.
allow_private_health_checks: boolAllow health checks to loopback/metadata addresses.
allow_public_admin: boolAllow admin endpoint on 0.0.0.0 / [::].
allow_root: boolAllow running as root (UID 0).
allow_tls_without_sni: boolAllow TLS without SNI hostname verification.
allow_unbounded_body: boolAllow startup without body_limits.max_request_bytes or
body_limits.max_response_bytes configured. Without this
flag, missing body limits are a hard validation error.
csrf_log_only: boolRun the CSRF filter in log-only mode: evaluate all rules but log violations as warnings instead of rejecting requests.
skip_pipeline_validation: boolSkip pipeline ordering validation. This blanket-disables all
structural safety checks including conditional security filters
and failure_mode: open detection.
Trait Implementations§
Source§impl Clone for InsecureOptions
impl Clone for InsecureOptions
Source§fn clone(&self) -> InsecureOptions
fn clone(&self) -> InsecureOptions
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more