FIELD | DESCRIPTION | TYPE | DEFAULT VALUE(S) | ALLOWED VALUE(S) |
---|---|---|---|---|
enabled | describes whether this part of the policy should be enforced or not | Boolean | true | true, false |
compensatingControl | describes whether there’s another mechanism in place [elsewhere] to handle access controls | Boolean | false | true,false |
syntaxValidation | checks type (Date, String, etc.), length (a number > 0) and format (isEmail, a regular expression) | | | |
checkLength | value must match length exactly | Boolean | true | true, false |
checkFormat | value must match specified format | Boolean | true | true,false |
checkType | value must match specified type | Boolean | true | true, false |
semanticValidation | checks whether values make sense in the given context | | | |
allowBlankValues | value can/cannot be blank | Boolean | false | true,false |
orderMakesSense? | checks whether the order of two given values is correct | Boolean | true | true,false |
valueInRange? | checks that the value is within the expected (given) range | Boolean | true | true,false |
whitelistRequired | which user-provided values require a whitelist | String Array | ["cors","csp","referer","origin","host"] | Any string for which user-provided data can only match a subset of values* |
sanitizeValues | attempt to force user input to match acceptable values | | | |
enableEncoding | encode potentially unsafe characters into the format expected by each listed context | String Array | ["url","body","javascript","html","css"] | ["url","body","javascript","html","css"] |
convertToType | attempt to change type mismatches to their expected format | Boolean | true | true,false |
blockOnFail | if validation fails, block the data | Boolean | true | true, false |
\* spartan includes a pre-populated file called ".whitelists" in the security folder that lists the values from this element as String Arrays. You can add, modify or delete elements in the individual whitelists there. Check the boilerplate/about section for more information.
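An added example (not spartan's own code) of how a policy built from the fields above could be enforced against user-provided request fields. The per-field `rules` object, the in-memory `whitelists`, the sample input values and the function names are assumptions; the page does not show how spartan stores any of them.

```javascript
// Policy object using the field names documented in the table.
const policy = {
  enabled: true,
  syntaxValidation: { checkType: true, checkLength: true, checkFormat: true },
  semanticValidation: { allowBlankValues: false, valueInRange: true },
  whitelistRequired: ["origin", "host"],
  blockOnFail: true,
};

// Constructed whitelists (assumption: spartan would load these from ".whitelists").
const whitelists = { origin: ["https://app.example"], host: ["app.example"] };

// Constructed per-field rules (assumption: type/length/format/range per field).
// Only JS primitive types are checked here; Date would need its own check.
const rules = {
  zip: { type: "string", length: 5, format: /^\d{5}$/ },
  age: { type: "number", range: [0, 130] },
};

// Returns the list of failed checks for one field (empty array = passed).
function checkField(name, value, policy, rules, whitelists) {
  const errors = [];
  const syn = policy.syntaxValidation, sem = policy.semanticValidation;
  const r = rules[name] || {};
  // Whitelisted fields must match one of the allowed values exactly.
  if (policy.whitelistRequired.includes(name)) {
    if (!(whitelists[name] || []).includes(value)) errors.push("whitelist");
    return errors;
  }
  if (!sem.allowBlankValues && (value === undefined || value === "")) errors.push("blank");
  if (syn.checkType && r.type && typeof value !== r.type) errors.push("type");
  if (syn.checkLength && r.length !== undefined && String(value).length !== r.length) errors.push("length");
  if (syn.checkFormat && r.format && !r.format.test(String(value))) errors.push("format");
  if (sem.valueInRange && r.range && (value < r.range[0] || value > r.range[1])) errors.push("range");
  return errors;
}

// Validates every field of an input object; `blocked` follows blockOnFail.
function validate(input, policy, rules, whitelists) {
  if (!policy.enabled) return { blocked: false, errors: {} };
  const errors = {};
  for (const [name, value] of Object.entries(input)) {
    const e = checkField(name, value, policy, rules, whitelists);
    if (e.length) errors[name] = e;
  }
  const failed = Object.keys(errors).length > 0;
  return { blocked: failed && policy.blockOnFail, errors };
}
```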