
Change domain validation default from monitor to enabled#8141

Open
Linker44 wants to merge 2 commits into main from domain-validation-default-enabled


@Linker44 Linker44 commented May 8, 2026

Ticket [ENG-]

Description Of Changes

Changes the default enforcement level of FIDES__SECURITY__DOMAIN_VALIDATION_MODE from monitor to enabled. After the burn-in period, domain validation now actively blocks disallowed domains instead of only logging warnings.

To revert to the previous behavior, explicitly set:

FIDES__SECURITY__DOMAIN_VALIDATION_MODE=monitor

Code Changes

  • Changed the default value of domain_validation_mode in SecuritySettings from monitor to enabled
  • Updated the function parameter default in validate_value_against_allowed_list to match

Steps to Confirm

  1. Start the application without setting FIDES__SECURITY__DOMAIN_VALIDATION_MODE
  2. Configure a SaaS connector with a domain not in the allowed list
  3. Confirm the request is blocked with a DomainValidationError
  4. Set FIDES__SECURITY__DOMAIN_VALIDATION_MODE=monitor and confirm requests are only warned, not blocked
  5. Set FIDES__SECURITY__DOMAIN_VALIDATION_MODE=disabled and confirm validation is skipped entirely

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required
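
The three modes exercised in the steps to confirm, modelled as an added stand-alone sketch that is not part of this PR or the Fides code base. `DomainBlocked`, `resolve_mode`, `check_domain` and `outcome` are hypothetical names, and the exact-match allow-list and the rejection of unrecognised mode values are assumptions of the sketch.

```python
import logging

log = logging.getLogger("domain_validation_sketch")

ENV_VAR = "FIDES__SECURITY__DOMAIN_VALIDATION_MODE"
VALID_MODES = {"enabled", "monitor", "disabled"}


class DomainBlocked(Exception):
    """Hypothetical stand-in for the DomainValidationError named in the PR."""


def resolve_mode(environ, default="enabled"):
    """Return the effective mode; an unset variable falls back to the default."""
    raw = environ.get(ENV_VAR)
    if raw is None:
        return default
    mode = raw.strip().lower()
    if mode not in VALID_MODES:
        # Assumption: reject typos rather than silently weakening enforcement.
        raise ValueError(f"{ENV_VAR}={raw!r} is not one of {sorted(VALID_MODES)}")
    return mode


def check_domain(domain, allowed, mode):
    """Return True if the request may proceed; raise DomainBlocked when enforced."""
    if mode == "disabled":
        return True  # validation skipped entirely
    host = domain.strip().lower().rstrip(".")
    if host in allowed:
        return True
    if mode == "monitor":
        log.warning("domain %r not in allowed list (monitor: not blocked)", host)
        return True
    raise DomainBlocked(f"domain {host!r} is not in the allowed list")


def outcome(environ, domain, allowed, default="enabled"):
    """Summarise what a deployment with this environment would do."""
    try:
        check_domain(domain, allowed, resolve_mode(environ, default))
        return "allowed"
    except DomainBlocked:
        return "blocked"


# Constructed sample data: an allow-list and a connector host outside it.
ALLOWED = {"api.example-saas.test"}
OTHER = "files.other-host.test"
```

Passing `default="monitor"` reproduces the behaviour before this change, which shows that only deployments that never set the variable see a difference.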

The burn-in period for domain validation monitoring is complete.
Update the default enforcement level of FIDES__SECURITY__DOMAIN_VALIDATION_MODE
from "monitor" to "enabled" so disallowed domains are blocked by default.
@Linker44 Linker44 requested a review from a team as a code owner May 8, 2026 13:37
@Linker44 Linker44 requested review from erosselli and removed request for a team May 8, 2026 13:37

vercel Bot commented May 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Preview May 8, 2026 1:37pm
fides-privacy-center Ignored Ignored May 8, 2026 1:37pm


@Linker44 Linker44 requested review from RobertKeyser and removed request for erosselli May 8, 2026 13:38
@Linker44 Linker44 self-assigned this May 8, 2026

codecov Bot commented May 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.23%. Comparing base (292d8b2) to head (23eb96e).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8141   +/-   ##
=======================================
  Coverage   85.23%   85.23%           
=======================================
  Files         638      638           
  Lines       42011    42011           
  Branches     4937     4937           
=======================================
+ Hits        35807    35808    +1     
  Misses       5096     5096           
+ Partials     1108     1107    -1     

@Linker44 Linker44 requested a review from Vagoasdf May 8, 2026 15:06
@Vagoasdf Vagoasdf left a comment

Approved! We should still warn the FDE team when we are merging/releasing this one.
