otto 2.0.0.pre1 → 2.0.0.pre2

data/lib/otto/core/middleware_stack.rb

@@ -36,6 +36,86 @@ class Otto
         # Invalidate memoized middleware list
         @memoized_middleware_list = nil
       end
+
+      # Add middleware with position hint for optimal ordering
+      #
+      # @param middleware_class [Class] Middleware class
+      # @param args [Array] Middleware arguments
+      # @param position [Symbol, nil] Position hint (:first, :last, or nil for append)
+      # @option options [Symbol] :position Position hint (:first or :last)
+      def add_with_position(middleware_class, *args, position: nil, **options)
+        raise FrozenError, 'Cannot modify frozen middleware stack' if frozen?
+
+        # Check for identical configuration
+        existing_entry = @stack.find do |entry|
+          entry[:middleware] == middleware_class &&
+            entry[:args] == args &&
+            entry[:options] == options
+        end
+
+        return if existing_entry
+
+        entry = { middleware: middleware_class, args: args, options: options }
+
+        case position
+        when :first
+          @stack.unshift(entry)
+        when :last
+          @stack << entry
+        else
+          @stack << entry  # Default append
+        end
+
+        @middleware_set.add(middleware_class)
+        @memoized_middleware_list = nil
+      end
+
+      # Validate MCP middleware ordering
+      #
+      # MCP middleware must be in security-optimal order:
+      # 1. RateLimitMiddleware (reject excessive requests early)
+      # 2. Auth middleware (validate credentials before parsing)
+      # 3. SchemaValidationMiddleware (expensive JSON schema validation last)
+      #
+      # @return [Array<String>] Warning messages if order is suboptimal
+      def validate_mcp_middleware_order
+        warnings = []
+
+        # PERFORMANCE NOTE: This implementation intentionally uses select + find_index
+        # rather than a single-pass approach. The filtered mcp_middlewares array is
+        # typically 0-3 items, making the performance difference unmeasurable.
+        # The current approach prioritizes readability over micro-optimization.
+        # Single-pass alternatives were considered but rejected as premature optimization.
+        mcp_middlewares = @stack.select do |entry|
+          [
+            Otto::MCP::RateLimitMiddleware,
+            Otto::MCP::Auth::TokenMiddleware,
+            Otto::MCP::SchemaValidationMiddleware,
+          ].include?(entry[:middleware])
+        end
+
+        return warnings if mcp_middlewares.size < 2
+
+        # Find positions
+        rate_limit_pos = mcp_middlewares.find_index { |e| e[:middleware] == Otto::MCP::RateLimitMiddleware }
+        auth_pos = mcp_middlewares.find_index { |e| e[:middleware] == Otto::MCP::Auth::TokenMiddleware }
+        validation_pos = mcp_middlewares.find_index { |e| e[:middleware] == Otto::MCP::SchemaValidationMiddleware }
+
+        # Check optimal order: rate_limit < auth < validation
+        if rate_limit_pos && auth_pos && rate_limit_pos > auth_pos
+          warnings << '[MCP Middleware] RateLimitMiddleware should come before TokenMiddleware for optimal performance'
+        end
+
+        if auth_pos && validation_pos && auth_pos > validation_pos
+          warnings << '[MCP Middleware] TokenMiddleware should come before SchemaValidationMiddleware for optimal performance'
+        end
+
+        if rate_limit_pos && validation_pos && rate_limit_pos > validation_pos
+          warnings << '[MCP Middleware] RateLimitMiddleware should come before SchemaValidationMiddleware for optimal performance'
+        end
+
+        warnings
+      end
       alias use add
       alias << add
 

data/lib/otto/core/router.rb

@@ -12,7 +12,7 @@ class Otto
         path = File.expand_path(path)
         raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)
 
-        raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip }
+        raw = File.readlines(path).grep(/^\w/).collect(&:strip)
         raw.each do |entry|
           # Enhanced parsing: split only on first two whitespace boundaries
           # This preserves parameters in the definition part
@@ -25,13 +25,9 @@ class Otto
 
           # Check for MCP routes
           if Otto::MCP::RouteParser.is_mcp_route?(definition)
-            raise '[MCP] MCP server not enabled' unless @mcp_server
-
             handle_mcp_route(verb, path, definition)
             next
           elsif Otto::MCP::RouteParser.is_tool_route?(definition)
-            raise '[MCP] MCP server not enabled' unless @mcp_server
-
             handle_tool_route(verb, path, definition)
             next
           end
@@ -46,7 +42,8 @@ class Otto
           @routes_literal[route.verb]           ||= {}
           @routes_literal[route.verb][path_clean] = route
         rescue StandardError => e
-          Otto.logger.error "Bad route in #{path}: #{entry} (Error: #{e.message})"
+          Otto.logger.error "Error for route #{path}: #{e.message}"
+          Otto.logger.debug e.backtrace.join("\n") if Otto.debug
         end
         self
       end
@@ -164,6 +161,8 @@ class Otto
       end
 
       def handle_mcp_route(verb, path, definition)
+        raise '[MCP] MCP server not enabled' unless @mcp_server
+
         route_info = Otto::MCP::RouteParser.parse_mcp_route(verb, path, definition)
         @mcp_server.register_mcp_route(route_info)
         Otto.logger.debug "[MCP] Registered resource route: #{definition}" if Otto.debug
@@ -172,6 +171,8 @@ class Otto
       end
 
       def handle_tool_route(verb, path, definition)
+        raise '[MCP] MCP server not enabled' unless @mcp_server
+
         route_info = Otto::MCP::RouteParser.parse_tool_route(verb, path, definition)
         @mcp_server.register_mcp_route(route_info)
         Otto.logger.debug "[MCP] Registered tool route: #{definition}" if Otto.debug

data/lib/otto/env_keys.rb

@@ -0,0 +1,114 @@
+# lib/otto/env_keys.rb
+#
+# Central registry of all env['otto.*'] keys used throughout Otto framework.
+# This documentation helps prevent key conflicts and aids multi-app integration.
+#
+# DOCUMENTATION-ONLY MODULE: The constants defined here are intentionally NOT used
+# in the codebase. Otto uses string literals (e.g., env['otto.strategy_result'])
+# for readibility/simplicity. This module exists as reference documentation but
+# may be considered for future use if needed.
+#
+class Otto
+  # Rack environment keys used by Otto framework
+  #
+  # All Otto-specific keys are namespaced under 'otto.*' to avoid conflicts
+  # with other Rack middleware or applications.
+  module EnvKeys
+    # =========================================================================
+    # ROUTING & REQUEST FLOW
+    # =========================================================================
+
+    # Route definition parsed from routes file
+    # Type: Otto::RouteDefinition
+    # Set by: Otto::Core::Router#parse_routes
+    # Used by: AuthenticationMiddleware, RouteHandlers, LogicClassHandler
+    ROUTE_DEFINITION = 'otto.route_definition'
+
+    # Route-specific options parsed from route string
+    # Type: Hash (e.g., { response: 'json', csrf: 'exempt', auth: 'authenticated' })
+    # Set by: Otto::RouteDefinition#initialize
+    # Used by: CSRFMiddleware, RouteHandlers
+    ROUTE_OPTIONS = 'otto.route_options'
+
+    # =========================================================================
+    # AUTHENTICATION & AUTHORIZATION
+    # =========================================================================
+
+    # Authentication strategy result containing session/user state
+    # Type: Otto::Security::Authentication::StrategyResult
+    # Set by: AuthenticationMiddleware
+    # Used by: RouteHandlers, LogicClasses, Controllers
+    # Note: Always present (anonymous or authenticated)
+    STRATEGY_RESULT = 'otto.strategy_result'
+
+    # Authenticated user object (convenience accessor)
+    # Type: Hash, Custom User Object, or nil
+    # Set by: AuthenticationMiddleware (from strategy_result.user)
+    # Used by: Controllers, RouteHandlers
+    USER = 'otto.user'
+
+    # User-specific context (session, roles, permissions, etc.)
+    # Type: Hash
+    # Set by: AuthenticationMiddleware (from strategy_result.user_context)
+    # Used by: Controllers, Analytics
+    USER_CONTEXT = 'otto.user_context'
+
+    # =========================================================================
+    # SECURITY & CONFIGURATION
+    # =========================================================================
+
+    # Security configuration object
+    # Type: Otto::Security::Config
+    # Set by: Otto#initialize, SecurityConfig
+    # Used by: All security middleware (CSRF, Headers, Validation)
+    SECURITY_CONFIG = 'otto.security_config'
+
+    # =========================================================================
+    # LOCALIZATION (I18N)
+    # =========================================================================
+
+    # Resolved locale for current request
+    # Type: String (e.g., 'en', 'es', 'fr')
+    # Set by: LocaleMiddleware
+    # Used by: RouteHandlers, LogicClasses, Views
+    LOCALE = 'otto.locale'
+
+    # Locale configuration object
+    # Type: Otto::LocaleConfig
+    # Set by: LocaleMiddleware
+    # Used by: Locale resolution logic
+    LOCALE_CONFIG = 'otto.locale_config'
+
+    # Available locales for the application
+    # Type: Array<String>
+    # Set by: LocaleConfig
+    # Used by: Locale middleware, language switchers
+    AVAILABLE_LOCALES = 'otto.available_locales'
+
+    # Default/fallback locale
+    # Type: String
+    # Set by: LocaleConfig
+    # Used by: Locale middleware when resolution fails
+    DEFAULT_LOCALE = 'otto.default_locale'
+
+    # =========================================================================
+    # ERROR HANDLING
+    # =========================================================================
+
+    # Unique error ID for tracking/logging
+    # Type: String (hex format, e.g., '4ac47cb3a6d177ef')
+    # Set by: ErrorHandler, RouteHandlers
+    # Used by: Error responses, logging, support
+    ERROR_ID = 'otto.error_id'
+
+    # =========================================================================
+    # MCP (MODEL CONTEXT PROTOCOL)
+    # =========================================================================
+
+    # MCP HTTP endpoint path
+    # Type: String (default: '/_mcp')
+    # Set by: Otto::MCP::Server#enable!
+    # Used by: MCP middleware, SchemaValidationMiddleware
+    MCP_HTTP_ENDPOINT = 'otto.mcp_http_endpoint'
+  end
+end

data/lib/otto/helpers/base.rb

@@ -5,26 +5,7 @@
 class Otto
   # Base helper methods providing core functionality for Otto applications
   module BaseHelpers
-    # Build application path by joining path segments
-    #
-    # This method safely joins multiple path segments, handling
-    # duplicate slashes and ensuring proper path formatting.
-    # Includes the script name (mount point) as the first segment.
-    #
-    # @param paths [Array<String>] Path segments to join
-    # @return [String] Properly formatted path
-    #
-    # @example
-    #   app_path('api', 'v1', 'users')
-    #   # => "/myapp/api/v1/users"
-    #
-    # @example
-    #   app_path(['admin', 'settings'])
-    #   # => "/myapp/admin/settings"
-    def app_path(*paths)
-      paths = paths.flatten.compact
-      paths.unshift(env['SCRIPT_NAME']) if env['SCRIPT_NAME']
-      paths.join('/').gsub('//', '/')
-    end
+    # Keep only truly context-independent shared functionality here
+    # Methods requiring env access should be implemented in the specific helper modules
   end
 end

data/lib/otto/helpers/response.rb

@@ -152,5 +152,27 @@ class Otto
       headers['expires']       = 'Mon, 7 Nov 2011 00:00:00 UTC'
       headers['pragma']        = 'no-cache'
     end
+
+    # Build application path by joining path segments
+    #
+    # This method safely joins multiple path segments, handling
+    # duplicate slashes and ensuring proper path formatting.
+    # Includes the script name (mount point) as the first segment.
+    #
+    # @param paths [Array<String>] Path segments to join
+    # @return [String] Properly formatted path
+    #
+    # @example
+    #   app_path('api', 'v1', 'users')
+    #   # => "/myapp/api/v1/users"
+    #
+    # @example
+    #   app_path(['admin', 'settings'])
+    #   # => "/myapp/admin/settings"
+    def app_path(*paths)
+      paths = paths.flatten.compact
+      paths.unshift(request.env['SCRIPT_NAME']) if request.env['SCRIPT_NAME']
+      paths.join('/').gsub('//', '/')
+    end
   end
 end

data/lib/otto/mcp/{validation.rb → schema_validation.rb}

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-# lib/otto/mcp/validation.rb
+# lib/otto/mcp/schema_validation.rb
 
 require 'json'
 
@@ -67,7 +67,8 @@ class Otto
     end
 
     # Middleware for validating MCP protocol requests using JSON schema
-    class ValidationMiddleware
+    # Validates JSON-RPC 2.0 structure and tool argument schemas
+    class SchemaValidationMiddleware
       def initialize(app, _security_config = nil)
         @app       = app
         @validator = Validator.new

data/lib/otto/mcp/server.rb

@@ -6,7 +6,7 @@ require_relative 'protocol'
 require_relative 'registry'
 require_relative 'route_parser'
 require_relative 'auth/token'
-require_relative 'validation'
+require_relative 'schema_validation'
 require_relative 'rate_limiting'
 
 class Otto
@@ -53,30 +53,43 @@ class Otto
       private
 
       def configure_middleware(_options)
-        # Configure middleware in security-optimal order:
-        # 1. Rate limiting (reject excessive requests early)
-        # 2. Authentication (validate credentials before parsing)
-        # 3. Validation (expensive JSON schema validation last)
+        # Configure middleware in security-optimal order using explicit positioning:
+        # 1. Rate limiting (reject excessive requests early) - position: :first
+        # 2. Authentication (validate credentials before parsing) - default append
+        # 3. Validation (expensive JSON schema validation last) - position: :last
 
-        # Configure rate limiting first
+        middleware = @otto_instance.instance_variable_get(:@middleware)
+
+        # Configure rate limiting first (explicit position for clarity)
         if @enable_rate_limiting
-          @otto_instance.use Otto::MCP::RateLimitMiddleware, @otto_instance.security_config
-          Otto.logger.debug '[MCP] Rate limiting enabled' if Otto.debug
+          middleware.add_with_position(
+            Otto::MCP::RateLimitMiddleware,
+            @otto_instance.security_config,
+            position: :first
+          )
+          Otto.logger.debug '[MCP] Rate limiting enabled (position: first)' if Otto.debug
         end
 
-        # Configure authentication second
+        # Configure authentication second (default append order)
         if @auth_tokens.any?
-          @auth                                   = Otto::MCP::Auth::TokenAuth.new(@auth_tokens)
+          @auth = Otto::MCP::Auth::TokenAuth.new(@auth_tokens)
           @otto_instance.security_config.mcp_auth = @auth
           @otto_instance.use Otto::MCP::Auth::TokenMiddleware
           Otto.logger.debug '[MCP] Token authentication enabled' if Otto.debug
         end
 
-        # Configure validation last (most expensive)
+        # Configure validation last (explicit position for clarity)
         return unless @enable_validation
 
-        @otto_instance.use Otto::MCP::ValidationMiddleware
-        Otto.logger.debug '[MCP] Request validation enabled' if Otto.debug
+        middleware.add_with_position(
+          Otto::MCP::SchemaValidationMiddleware,
+          position: :last
+        )
+        Otto.logger.debug '[MCP] Schema validation enabled (position: last)' if Otto.debug
+
+        # Validate middleware order (should pass with explicit positioning)
+        warnings = middleware.validate_mcp_middleware_order
+        warnings.each { |warning| Otto.logger.warn warning }
       end
 
       def add_mcp_endpoint_route

data/lib/otto/response_handlers/json.rb

@@ -7,6 +7,12 @@ class Otto
     # Handler for JSON responses
     class JSONHandler < BaseHandler
       def self.handle(result, response, context = {})
+        # If a redirect has already been set, don't override with JSON
+        # This allows controllers to conditionally redirect based on Accept header
+        if response.status&.between?(300, 399) && response['Location']
+          return
+        end
+
         response['Content-Type'] = 'application/json'
 
         # Determine the data to serialize

data/lib/otto/route.rb

@@ -45,10 +45,10 @@ class Otto
     #     "V2::Logic::AuthSession auth=authenticated response=redirect" (enhanced)
     # @raise [ArgumentError] if definition format is invalid or class name is unsafe
     def initialize(verb, path, definition)
-      @pattern, @keys = *compile(path)
+      pattern, keys = *compile(path)
 
       # Create immutable route definition
-      @route_definition = Otto::RouteDefinition.new(verb, path, definition, pattern: @pattern, keys: @keys)
+      @route_definition = Otto::RouteDefinition.new(verb, path, definition, pattern: pattern, keys: keys)
 
       # Resolve the class
       @klass = safe_const_get(@route_definition.klass_name)
@@ -87,52 +87,6 @@ class Otto
       @route_definition.options
     end
 
-    private
-
-    # Safely resolve a class name using Object.const_get with security validations
-    # This replaces the previous eval() usage to prevent code injection attacks.
-    #
-    # Security features:
-    # - Validates class name format (must start with capital letter)
-    # - Prevents access to dangerous system classes
-    # - Blocks relative class references (starting with ::)
-    # - Provides clear error messages for debugging
-    #
-    # @param class_name [String] The class name to resolve
-    # @return [Class] The resolved class
-    # @raise [ArgumentError] if class name is invalid, forbidden, or not found
-    def safe_const_get(class_name)
-      # Validate class name format
-      unless class_name.match?(/\A[A-Z][a-zA-Z0-9_]*(?:::[A-Z][a-zA-Z0-9_]*)*\z/)
-        raise ArgumentError, "Invalid class name format: #{class_name}"
-      end
-
-      # Prevent dangerous class names
-      forbidden_classes = %w[
-        Kernel Module Class Object BasicObject
-        File Dir IO Process System
-        Binding Proc Method UnboundMethod
-        Thread ThreadGroup Fiber
-        ObjectSpace GC
-      ]
-
-      if forbidden_classes.include?(class_name) || class_name.start_with?('::')
-        raise ArgumentError, "Forbidden class name: #{class_name}"
-      end
-
-      begin
-        Object.const_get(class_name)
-      rescue NameError => e
-        raise ArgumentError, "Class not found: #{class_name} - #{e.message}"
-      end
-    end
-
-    public
-
-    def pattern_regexp
-      Regexp.new(@path.gsub('/*', '/.+'))
-    end
-
     # Execute the route by calling the associated class method
     #
     # This method handles the complete request/response cycle with built-in security:
@@ -218,6 +172,48 @@ class Otto
 
     private
 
+    # Safely resolve a class name using Object.const_get with security validations
+    # This replaces the previous eval() usage to prevent code injection attacks.
+    #
+    # Security features:
+    # - Validates class name format (must start with capital letter)
+    # - Prevents access to dangerous system classes
+    # - Blocks relative class references (starting with ::)
+    # - Provides clear error messages for debugging
+    #
+    # @param class_name [String] The class name to resolve
+    # @return [Class] The resolved class
+    # @raise [ArgumentError] if class name is invalid, forbidden, or not found
+    def safe_const_get(class_name)
+      # Validate class name format
+      unless class_name.match?(/\A[A-Z][a-zA-Z0-9_]*(?:::[A-Z][a-zA-Z0-9_]*)*\z/)
+        raise ArgumentError, "Invalid class name format: #{class_name}"
+      end
+
+      # Remove any leading :: then add exactly one
+      fq_class_name = "::#{class_name.sub(/^::+/, '')}"
+
+      # Prevent dangerous class names
+      forbidden_classes = %w[
+        Kernel Module Class Object BasicObject
+        File Dir IO Process System
+        Binding Proc Method UnboundMethod
+        Thread ThreadGroup Fiber
+        ObjectSpace GC
+      ]
+
+      if forbidden_classes.include?(class_name) || class_name.start_with?('::')
+        raise ArgumentError, "Forbidden class name: #{class_name}"
+      end
+
+      begin
+        # Always guarantee exactly two leading colons
+        Object.const_get(fq_class_name)
+      rescue NameError => e
+        raise ArgumentError, "Class not found: #{fq_class_name} - #{e.message}"
+      end
+    end
+
     def compile(path)
       keys = []
 

data/lib/otto/route_handlers/factory.rb

@@ -13,16 +13,29 @@ class Otto
       # @param otto_instance [Otto] The Otto instance for configuration access
       # @return [BaseHandler] Appropriate handler for the route
       def self.create_handler(route_definition, otto_instance = nil)
-        case route_definition.kind
-        when :logic
-          LogicClassHandler.new(route_definition, otto_instance)
-        when :instance
-          InstanceMethodHandler.new(route_definition, otto_instance)
-        when :class
-          ClassMethodHandler.new(route_definition, otto_instance)
-        else
-          raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
+        # Create base handler based on route kind
+        handler = case route_definition.kind
+                  when :logic
+                    LogicClassHandler.new(route_definition, otto_instance)
+                  when :instance
+                    InstanceMethodHandler.new(route_definition, otto_instance)
+                  when :class
+                    ClassMethodHandler.new(route_definition, otto_instance)
+                  else
+                    raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
+                  end
+
+        # Wrap with auth enforcement if route has auth requirement
+        if route_definition.auth_requirement && otto_instance&.auth_config
+          require_relative '../security/authentication/route_auth_wrapper'
+          handler = Otto::Security::Authentication::RouteAuthWrapper.new(
+            handler,
+            route_definition,
+            otto_instance.auth_config
+          )
         end
+
+        handler
       end
     end
   end

data/lib/otto/security/authentication/authentication_middleware.rb

@@ -2,7 +2,8 @@
 
 require_relative 'strategy_result'
 require_relative 'failure_result'
-require_relative 'strategies/public_strategy'
+require_relative 'route_auth_wrapper'
+require_relative 'strategies/noauth_strategy'
 require_relative 'strategies/role_strategy'
 require_relative 'strategies/permission_strategy'
 
@@ -16,10 +17,10 @@ class Otto
           @security_config = security_config
           @config = config
           @strategies = config[:auth_strategies] || {}
-          @default_strategy = config[:default_auth_strategy] || 'publicly'
+          @default_strategy = config[:default_auth_strategy] || 'noauth'
 
-          # Add default public strategy if not provided
-          @strategies['publicly'] ||= Strategies::PublicStrategy.new
+          # Add default noauth strategy if not provided
+          @strategies['noauth'] ||= Strategies::NoAuthStrategy.new
         end
 
         def call(env)
@@ -51,15 +52,10 @@ class Otto
           # Perform authentication
           strategy_result = strategy.authenticate(env, auth_requirement)
 
-          if strategy_result&.success?
-            # Success - store the strategy result directly
-            env['otto.strategy_result'] = strategy_result
-            env['otto.user'] = strategy_result.user # For convenience
-            env['otto.user_context'] = strategy_result.user_context # For convenience
-            @app.call(env)
-          else
+          # Check result type: FailureResult indicates auth failure, StrategyResult indicates success
+          if strategy_result.is_a?(Otto::Security::Authentication::FailureResult)
             # Failure - create anonymous result with failure info
-            failure_reason = strategy_result&.failure_reason || 'Authentication failed'
+            failure_reason = strategy_result.failure_reason || 'Authentication failed'
             env['otto.strategy_result'] = Otto::Security::Authentication::StrategyResult.anonymous(
               metadata: {
                 ip: env['REMOTE_ADDR'],
@@ -68,6 +64,23 @@ class Otto
               }
             )
             auth_error_response(failure_reason)
+          else
+            # Success - store the strategy result directly
+            env['otto.strategy_result'] = strategy_result
+
+            # SESSION PERSISTENCE: This assignment is INTENTIONAL, not a merge operation.
+            # We must ensure env['rack.session'] and strategy_result.session reference
+            # the SAME object so that:
+            #   1. Logic classes write to strategy_result.session
+            #   2. Rack's session middleware persists env['rack.session']
+            #   3. Changes from (1) are included in (2)
+            #
+            # Using merge! instead would break this - the objects must be identical.
+            # See commit ed7fa0d for the bug this fixes.
+            env['rack.session'] = strategy_result.session if strategy_result.session
+            env['otto.user'] = strategy_result.user # For convenience
+            env['otto.user_context'] = strategy_result.user_context # For convenience
+            @app.call(env)
           end
         end
 
@@ -109,6 +122,10 @@ class Otto
           }
 
           # Add security headers if available from config hash or Otto instance
+          # NOTE: Extracting this to a method was considered but rejected.
+          # This logic appears only once and is clear in context. Extraction would
+          # add ~10 lines (method def + docs) for a 5-line single-use block without
+          # improving readability. Consider extracting if this pattern is duplicated.
           if @config.is_a?(Hash) && @config[:security_headers]
             headers.merge!(@config[:security_headers])
           elsif @config.respond_to?(:security_config) && @config.security_config