http4k Enterprise Edition
The http4k Enterprise Edition (EE) subscription delivers long-term stability and support for organisations running critical production workloads using http4k technologies.
At a Glance#
| Feature | Community Edition | Enterprise Edition |
|---|---|---|
| Minimum Java version | Java 21 | Java 8 (v4/5), Java 21 (v6) |
| License | Apache 2 | http4k Commercial |
| Supported http4k versions | v6 | v4/5/6 |
| Source code access | ✓http4k GitHub | ✓Private LTS GitHub (v4/5) |
| Supply chain security | ✕ | ✓SLSA L2/L3, SBOMs, Cosign |
| Build-time verification | ✕ | ✓Gradle plugin |
| License reporting | ✕ | ✓Signed, per module |
| Priority updates | ✕ | ✓Security patches, bug fixes |
| Dedicated support | ✕ | ✓Email, Private Slack |
| http4k Pro modules | ✕ | ✓Details |
| Guaranteed support term | ✕ | ✓up to 24 months |
In detail#
Supply Chain Security#
From September 2026, the EU Cyber Resilience Act requires verifiable provenance and machine-readable SBOMs for every component shipped in software sold into Europe. US Executive Order 14028, NIST SSDF and PCI DSS 4.0 push in the same direction. http4k Enterprise Edition delivers this today: every artifact ships with SLSA Level 2 provenance, CycloneDX SBOMs, signed licence compliance reports and cosign signatures with trusted timestamps from the Sigstore Timestamp Authority. SLSA Level 3 provenance is available on request for organisations with enhanced compliance requirements.
The http4k Verify Gradle plugin automates build-time verification of all of the above. One line of build config validates signatures, SBOMs and provenance for every http4k dependency - automatically, before your code compiles - so the assurance is captured at build time rather than chased down at audit time. Learn more about Supply Chain Security.
Compliance at a glance#
| Framework | Status | What http4k EE provides |
|---|---|---|
| EU Cyber Resilience Act | Mandatory from September 2026 | CycloneDX SBOMs, SLSA provenance, signed artifacts, vulnerability handling |
| US Executive Order 14028 | Active | SBOM generation and supply chain attestation for federal procurement |
| NIST SSDF (PS.3 / PW.4) | Active | Secure development practices, provenance, third-party component verification |
| PCI DSS 4.0 | Active | Supply chain integrity controls and verifiable artifact evidence for audit |
See Supply Chain Security for the full technical detail.
Long Term Support#
Enjoy peace-of-mind with Long-Term Support (LTS) versions of http4k. Our LTS version provides up to 24 months of guaranteed security patches and high priority updates for a stable release, ensuring your projects remain secure and fully functional. Additionally, our priority support channel also extend up to 24 months, meaning http4k EE LTS is your key to maintaining focus on feature delivery while ensuring your http4k applications are future-proof.
Pro Modules#
A growing collection of commercially licensed, battle-tested modules built from years of successfully delivering complex systems with http4k. These expert-designed extensions reflect real-world requirements and enterprise patterns, available from Maven Central. See what’s available.
Priority Support#
Access expert guidance and priority support directly from the creators and maintainers of http4k. With dedicated channels, including email and Slack, you’ll get fast resolution to any issues or questions, backed by our deep knowledge of the http4k ecosystem. Whether it’s compatibility updates or bug fixes, our team ensures that your http4k deployment remains fully integrated with the broader Kotlin and JVM environments.
Additionally, http4k EE offers transparency with full access to the codebase and rapid integration of community-driven improvements. Built under a permissive Apache2 license, you can rest assured that your applications comply with industry standards while enjoying the reliability and accountability that http4k EE LTS support provides. Get in touch to learn more about how http4k EE LTS can stabilize your development process for the long term.
http4k EE Timeline#
The timeline for http4k EE’s LTS has been designed to strike a balance between a generous open source period and the need for us to take advantage for new language features available in the JDK. We are also committed to providing support using a predictable timeline for our LTS customers, which is synchronized with the official JDK release and support cycle of LTS versions (currently every 2 years), but offset by a 3 month window. To put that more visually, this is the timeline for current and future Java LTS releases:
Based on the above, the current plan is for future major http4k versions to have the following Community and Enterprise Edition (LTS) schedule:
In the case of an intermediate major version upgrade between JDK versions, the previous major version will also immediately start a 24 month support window to ensure that customers have a smooth upgrade path.
If you have any questions about the http4k EE subscription, or long-term support requirements outside of the above schedule, please get in touch using the below contact link and we will endeavour to assist.
Up to 24 months peace of mind
Guaranteed security and bug updates for the LTS stable release channel, allowing you to focus on feature delivery.
Access to priority support
The http4k team are here on Slack and Email to guide you through any issues or questions.
Source code access
Full access to the LTS editions of the http4k codebase for transparency and auditing.
License reporting
Signed, per-module license reports delivered with every artifact - ready for audit and regulatory review.
Supply chain security
SLSA Level 2 provenance, signed SBOMs, and cosign signatures for every artifact - compliance-ready out of the box.
Pro modules
A growing collection of commercially licensed, battle-tested modules built from real-world enterprise delivery.
