Order of precedence

Active configuration values are determined using the following order of precedence:

  1. An expired license or exceeding a license quota disables all agent behavior regardless of configuration.

  2. Command line or system property value (if appropriate for the language you are using).

    For example: -Dcontrast.enable

  3. Environment variables

    For example: CONTRAST__ENABLE

  4. An application-specific configuration file (.NET Framework only).

    For example: web.config

  5. Configuration values in YAML files. The agent reads every YAML file it finds; when the same key is set in more than one file, it takes the value from the highest precedence file.

    For instance, if contrast_security.yaml in the current working directory has the application-specific value for application.tags and the file in /etc/contrast/contrast_security.yaml has the organization-level connection details, the agent would have access to both. If /etc/contrast/contrast_security.yaml also had an application.tags default value, only the value in the current working directory’s configuration, which has higher precedence, would be read; the two values of application.tags are not combined.

    1. A YAML file indicated by the user

      For example:

      • Java: the contrast.config.path system property

      • Any agent: the CONTRAST_CONFIG_PATH environment variable.

    2. A contrast_security.yaml file in the current working directory (all agents except Java)

      For example: ./contrast_security.yaml

    3. A contrast_security.yaml file in the application’s configuration directory (Ruby and Python only)

      For example:

      • Ruby on Rails: ./config/contrast_security.yaml

      • Django: ./settings/contrast_security.yaml

    4. A contrast_security.yaml file in an agent-specific configuration directory. For agents that use a service, use this directory if you need to use separate YAML files for agent and service.

      For example:

      • /etc/contrast/agentname/contrast_security.yaml (where agentname is one of: dotnet, go, java, node, python, ruby, or webserver)

      • %ProgramData%\contrast\agentname\contrast_security.yaml (where agentname is one of: dotnet, dotnet-core, java, node, python, ruby, or webserver)

    5. A contrast_security.yaml file within the server's /etc/contrast directory (all agents except .NET Framework and .NET Core). For agents that use a service, use this directory if you need to share YAML files between agent and service.

      For example:

      • /etc/contrast/contrast_security.yaml

      • %ProgramData%\contrast\contrast_security.yaml

  6. Values set in the Contrast web interface.

    For example: Server mode toggles for Assess and Protect, which map to assess.enable and protect.enable

  7. The default value set by Contrast Security.
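
The resolution order above can be written as a small lookup that also reports which source supplied the value, which helps when checking whether a setting such as protect.enable is being overridden on a host. This is an added example, not Contrast's code: the function names, the sample values, and the key-to-environment-variable mapping (inferred from the -Dcontrast.enable / CONTRAST__ENABLE pair above) are assumptions, and the .NET Framework web.config layer is left out.

```python
# Added example; all sample values are constructed for illustration.

def lookup(tree, dotted):
    """Return the value at a dotted key in a nested dict, or None if absent."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def env_name(key):
    # Assumed mapping, inferred from the page's pair: enable -> CONTRAST__ENABLE
    return "CONTRAST__" + key.upper().replace(".", "__")

def resolve(key, license_ok, sysprops, env, yaml_files, ui, defaults):
    """Return (value, source) for one setting, walking the layers in order."""
    if not license_ok:                        # 1. license state overrides everything
        return None, "agent disabled by license"
    if "contrast." + key in sysprops:         # 2. command line / system property
        return sysprops["contrast." + key], "system property"
    if env_name(key) in env:                  # 3. environment variable
        return env[env_name(key)], "environment"
    for path, tree in yaml_files:             # 5. YAML files, highest precedence first
        value = lookup(tree, key)
        if value is not None:                 # first file that has the key wins;
            return value, path                # values are never merged across files
    if key in ui:                             # 6. Contrast web interface
        return ui[key], "web interface"
    if key in defaults:                       # 7. built-in default
        return defaults[key], "default"
    return None, "unset"

# Constructed layers for one host
LAYERS = dict(
    license_ok=True,
    sysprops={},
    env={"CONTRAST__PROTECT__ENABLE": "false"},
    yaml_files=[
        ("./contrast_security.yaml", {"application": {"tags": "payments"}}),
        ("/etc/contrast/contrast_security.yaml",
         {"application": {"tags": "org-default"},
          "api": {"url": "https://contrast.example.invalid"}}),
    ],
    ui={"protect.enable": True, "assess.enable": True},
    defaults={"enable": True},
)

if __name__ == "__main__":
    for k in ("application.tags", "api.url", "protect.enable", "assess.enable"):
        print(k, "->", resolve(k, **LAYERS))
```

In this constructed host, the environment variable switches protect.enable off even though the web interface has it on, and the source label shows where to look.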

See also

Additional configuration