pb33f · daveshanley · Dec 31, 2025 · Dec 31, 2025 · Dec 31, 2025 · Dec 31, 2025
diff --git a/cmd/root_command.go b/cmd/root_command.go
@@ -94,6 +94,7 @@ var (
 			hardErrorReturnCode, _ = cmd.Flags().GetInt("hard-validation-return-code")
 			streamReport, _ := cmd.Flags().GetBool("stream-report")
 			strictRedirectLocation, _ := cmd.Flags().GetBool("strict-redirect-location")
+			strictMode, _ := cmd.Flags().GetBool("strict-mode")
 
 			portFlag, _ := cmd.Flags().GetString("port")
 			if portFlag != "" {
@@ -230,6 +231,11 @@ var (
 						config.StrictRedirectLocation = true
 					}
 				}
+				if strictMode {
+					if !config.StrictMode {
+						config.StrictMode = true
+					}
+				}
 
 				if reportFilename != "" {
 					config.ReportFile = reportFilename
@@ -269,6 +275,9 @@ var (
 				if strictRedirectLocation {
 					config.StrictRedirectLocation = true
 				}
+				if strictMode {
+					config.StrictMode = true
+				}
 				if base != "" {
 					config.Base = base
 				}
@@ -492,6 +501,13 @@ var (
 				pterm.Println()
 			}
 
+			// strict mode
+			if config.StrictMode {
+				pterm.Printf("🔬 %s. Undeclared properties, parameters, headers, and cookies will be reported as validation errors.\n",
+					pterm.LightCyan("Strict validation mode enabled"))
+				pterm.Println()
+			}
+
 			// using TLS?
 			if config.CertificateKey != "" && config.Certificate != "" {
 				pterm.Printf("🔐 Running over %s using certificate: %s and key: %s\n",
@@ -759,6 +775,7 @@ func Execute(version, commit, date string, fs embed.FS) {
 	rootCmd.Flags().StringP("report-filename", "f", "wiretap-report.json", "Filename for any headless report generation output")
 	rootCmd.Flags().BoolP("stream-report", "a", false, "Stream violations to report JSON file as they occur (headless mode)")
 	rootCmd.Flags().BoolP("strict-redirect-location", "r", false, "Rewrite the redirect `Location` header on redirect responses to wiretap's API Gateway Host")
+	rootCmd.Flags().Bool("strict-mode", false, "Enable strict validation to detect undeclared properties, parameters, headers, and cookies")
 
 	if err := rootCmd.Execute(); err != nil {
 		os.Exit(1)

diff --git a/daemon/wiretap_service.go b/daemon/wiretap_service.go
@@ -73,17 +73,17 @@ func NewWiretapService(documents []shared.ApiDocument, config *shared.WiretapCon
 		m, _ := document.Document.BuildV3Model()
 		docModel := &m.Model
 
-		// create a new validator
-		newHttpValidator := validation.NewHttpValidator(docModel)
-		// create a new mock engine
-		newMockEngine := mock.NewMockEngine(docModel, config.MockModePretty, config.UseAllMockResponseFields)
-
 		wts.documentValidators = append(wts.documentValidators, documentValidator{
 			documentName: document.DocumentName,
 			document:     document.Document,
 			docModel:     docModel,
-			validator:    newHttpValidator,
-			mockEngine:   newMockEngine,
+			validator:    validation.NewHttpValidatorWithConfig(docModel, config.StrictMode),
+			mockEngine: mock.NewMockEngineWithConfig(
+				docModel,
+				config.MockModePretty,
+				config.UseAllMockResponseFields,
+				config.StrictMode,
+				config.HardErrors),
 		})
 	}
 

diff --git a/go.mod b/go.mod
@@ -4,24 +4,27 @@ go 1.25.0
 
 require (
 	github.com/google/uuid v1.6.0
-	github.com/lucasjones/reggen v0.0.0-20200904144131-37ba4fa293bb // indirect
 	github.com/pb33f/harhar v0.0.0-20250707194835-e48f2c16e9c3
-	github.com/pb33f/libopenapi v0.30.3
-	github.com/pb33f/libopenapi-validator v0.9.4
+	github.com/pb33f/libopenapi v0.31.1
+	github.com/pb33f/libopenapi-validator v0.10.1
 	github.com/pb33f/ranch v0.6.0
 	github.com/pterm/pterm v0.12.82
-	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 )
 
 require (
 	atomicgo.dev/cursor v0.2.0 // indirect
 	atomicgo.dev/keyboard v0.2.9 // indirect
 	atomicgo.dev/schedule v0.1.0 // indirect
 	github.com/bahlo/generic-list-go v0.2.0 // indirect
+	github.com/basgys/goxml2json v1.1.1-0.20231018121955-e66ee54ceaad // indirect
 	github.com/buger/jsonparser v1.1.1 // indirect
+	github.com/clipperhouse/stringish v0.1.1 // indirect
+	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
 	github.com/containerd/console v1.0.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/fatih/color v1.18.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.9.0
 	github.com/go-stomp/stomp/v3 v3.1.3 // indirect
 	github.com/gobwas/glob v0.2.3
 	github.com/gookit/color v1.6.0 // indirect
@@ -30,17 +33,25 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/json-iterator/go v1.1.12
 	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
+	github.com/lucasjones/reggen v0.0.0-20200904144131-37ba4fa293bb // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.19 // indirect
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pb33f/jsonpath v0.7.0 // indirect
+	github.com/pb33f/ordered-map/v2 v2.3.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/cobra v1.10.2
@@ -49,31 +60,15 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	go.uber.org/multierr v1.9.0 // indirect
+	go.yaml.in/yaml/v4 v4.0.0-rc.3
+	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 // indirect
 	golang.org/x/net v0.48.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/term v0.38.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
-
-require (
-	github.com/fsnotify/fsnotify v1.9.0
-	github.com/json-iterator/go v1.1.12
-	go.yaml.in/yaml/v4 v4.0.0-rc.3
-)
-
-require (
-	github.com/basgys/goxml2json v1.1.1-0.20231018121955-e66ee54ceaad // indirect
-	github.com/clipperhouse/stringish v0.1.1 // indirect
-	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
-	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/pb33f/jsonpath v0.7.0 // indirect
-	github.com/pb33f/ordered-map/v2 v2.3.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
-	github.com/sagikazarmark/locafero v0.6.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
-)
diff --git a/go.sum b/go.sum
@@ -113,10 +113,10 @@ github.com/pb33f/harhar v0.0.0-20250707194835-e48f2c16e9c3 h1:kDdCUiwo/THbsEL5wv
 github.com/pb33f/harhar v0.0.0-20250707194835-e48f2c16e9c3/go.mod h1:sJHiXr/Rdkg2j8P5FYGEcqPP1ptdk8zn6xeJ3aZfAvw=
 github.com/pb33f/jsonpath v0.7.0 h1:3oG6yu1RqNoMZpqnRjBMqi8fSIXWoDAKDrsB0QGTcoU=
 github.com/pb33f/jsonpath v0.7.0/go.mod h1:/+JlSIjWA2ijMVYGJ3IQPF4Q1nLMYbUTYNdk0exCDPQ=
-github.com/pb33f/libopenapi v0.30.3 h1:MhZx2mU53LVq76TTtbtxzuuC1Z4eczlot55yE4FsGGM=
-github.com/pb33f/libopenapi v0.30.3/go.mod h1:4MP76dnaTMY+DM+bRhKBneAIhVISEEZM6G6sd7A9pus=
-github.com/pb33f/libopenapi-validator v0.9.4 h1:cplXfKjCiNv7zD947URP+CFFHaA8LjRJ0RV4cb/sB38=
-github.com/pb33f/libopenapi-validator v0.9.4/go.mod h1:Ew29zgM7t1XqeAjpuktdjPjYbBWaw6joe64sak3ARHQ=
+github.com/pb33f/libopenapi v0.31.1 h1:smGr45U2Y+hHWYKiEV13oS2tP9IUnscqNb5qsvT9+YI=
+github.com/pb33f/libopenapi v0.31.1/go.mod h1:oaebeA5l58AFbZ7qRKTtMnu15JEiPlaBas1vLDcw9vs=
+github.com/pb33f/libopenapi-validator v0.10.1 h1:YBXOl0eFQ9u0PhUdgZuXMalCXSJA8hxIs5oXCXF6sG4=
+github.com/pb33f/libopenapi-validator v0.10.1/go.mod h1:hW3wIpg4YCxLrJxyTrfrzP9Mtt9FvbD/nm0yemUcjSs=
 github.com/pb33f/ordered-map/v2 v2.3.0 h1:k2OhVEQkhTCQMhAicQ3Z6iInzoZNQ7L9MVomwKBZ5WQ=
 github.com/pb33f/ordered-map/v2 v2.3.0/go.mod h1:oe5ue+6ZNhy7QN9cPZvPA23Hx0vMHnNVeMg4fGdCANw=
 github.com/pb33f/ranch v0.6.0 h1:W+um1FhYpfokWI+h+0NdwUuvw3uOl22+JnclHNI0Pm8=
@@ -206,6 +206,8 @@ golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=

diff --git a/har/validate_har.go b/har/validate_har.go
@@ -31,12 +31,11 @@ func ValidateHAR(har *harhar.HAR, apiDocumentModels []shared.ApiDocumentModel, c
 	validators := make([]harValidator, 0)
 
 	for _, apiDocumentModel := range apiDocumentModels {
-		newHarValidator := harValidator{
+		validators = append(validators, harValidator{
 			documentName: apiDocumentModel.DocumentName,
 			docModel:     apiDocumentModel.DocumentModel,
-			validator:    validation.NewHttpValidator(&apiDocumentModel.DocumentModel.Model),
-		}
-		validators = append(validators, newHarValidator)
+			validator:    validation.NewHttpValidatorWithConfig(&apiDocumentModel.DocumentModel.Model, configFile.StrictMode),
+		})
 	}
 
 	for _, entry := range har.Log.Entries {

diff --git a/mock/mock_engine.go b/mock/mock_engine.go
@@ -22,11 +22,12 @@ import (
 )
 
 type ResponseMockEngine struct {
-	doc        *v3.Document
-	validator  validation.HttpValidator
-	mockEngine *renderer.MockGenerator
-	pretty     bool
-	regexCache *sync.Map
+	doc            *v3.Document
+	validator      validation.HttpValidator
+	mockEngine     *renderer.MockGenerator
+	pretty         bool
+	regexCache     *sync.Map
+	hardValidation bool // when true, reject requests with validation errors
 }
 
 func NewMockEngine(document *v3.Document, pretty, useAllPropertyExamples bool) *ResponseMockEngine {
@@ -40,14 +41,52 @@ func NewMockEngine(document *v3.Document, pretty, useAllPropertyExamples bool) *
 	}
 
 	return &ResponseMockEngine{
-		doc:        document,
-		validator:  validation.NewHttpValidator(document),
-		mockEngine: me,
-		pretty:     pretty,
-		regexCache: &sync.Map{},
+		doc:            document,
+		validator:      validation.NewHttpValidator(document),
+		mockEngine:     me,
+		pretty:         pretty,
+		regexCache:     &sync.Map{},
+		hardValidation: true, // default to rejecting on validation errors for backward compatibility
 	}
 }
 
+// NewStrictMockEngine creates a mock engine with strict validation enabled.
+// Strict mode detects undeclared properties, parameters, headers, and cookies in requests.
+func NewStrictMockEngine(document *v3.Document, pretty, useAllPropertyExamples bool) *ResponseMockEngine {
+	me := renderer.NewMockGenerator(renderer.JSON)
+	if pretty {
+		me.SetPretty()
+	}
+
+	if useAllPropertyExamples {
+		me.DisableRequiredCheck()
+	}
+
+	return &ResponseMockEngine{
+		doc:            document,
+		validator:      validation.NewStrictHttpValidator(document),
+		mockEngine:     me,
+		pretty:         pretty,
+		regexCache:     &sync.Map{},
+		hardValidation: true, // default to rejecting on validation errors for backward compatibility
+	}
+}
+
+// NewMockEngineWithConfig creates a mock engine based on configuration.
+// When strictMode is true, undeclared request elements are validated strictly.
+// When hardValidation is true, requests with validation errors are rejected with 422.
+// When hardValidation is false, validation errors are reported but mocks are still served.
+func NewMockEngineWithConfig(document *v3.Document, pretty, useAllPropertyExamples, strictMode, hardValidation bool) *ResponseMockEngine {
+	var engine *ResponseMockEngine
+	if strictMode {
+		engine = NewStrictMockEngine(document, pretty, useAllPropertyExamples)
+	} else {
+		engine = NewMockEngine(document, pretty, useAllPropertyExamples)
+	}
+	engine.hardValidation = hardValidation
+	return engine
+}
+
 func (rme *ResponseMockEngine) GenerateResponse(request *http.Request) ([]byte, int, error) {
 	return rme.runWorkflow(request)
 }
@@ -289,8 +328,11 @@ func (rme *ResponseMockEngine) runWorkflow(request *http.Request) ([]byte, int,
 	}
 
 	// validate the request against the document.
+	// Only reject with error response if hardValidation is enabled.
+	// When hardValidation is false, validation errors are reported separately via the daemon,
+	// but the mock is still served to allow development/testing workflows.
 	_, validationErrors := rme.validator.ValidateHttpRequest(request)
-	if len(validationErrors) > 0 {
+	if rme.hardValidation && len(validationErrors) > 0 {
 		mt, _ := rme.findBestMediaTypeMatch(operation, request, []string{"422", "400"})
 		if mt == nil {
 			// no default, no valid response, inform use with a 500