Long-term support, supply-chain security, priority help from the people who actually wrote the code, and every Pro module - one subscription for teams running http4k where it really counts.
Guaranteed security and bug updates for the LTS stable release channel, allowing you to focus on feature delivery.
The http4k team are here on Slack and Email to guide you through any issues or questions.
Full access to the LTS editions of the http4k codebase for transparency and auditing.
Signed, per-module license reports delivered with every artifact - ready for audit and regulatory review.
SLSA Level 2 provenance, signed SBOMs, and cosign signatures for every artifact - compliance-ready out of the box.
A growing collection of commercially licensed, battle-tested modules built from real-world enterprise delivery.
From September 2026, the EU Cyber Resilience Act requires verifiable provenance and machine-readable SBOMs for every component sold into Europe. US Executive Order 14028, NIST SSDF and PCI DSS 4.0 push in the same direction. http4k Enterprise Edition delivers it today.
Tamper-evident build provenance on every artifact. SLSA L3 on request.
Machine-readable software bills of materials, signed.
Per-module licence compliance reports, audit-ready.
Cosign signatures with trusted Sigstore timestamps.
| Framework | Status | What http4k EE provides |
|---|---|---|
| EU Cyber Resilience Act | Mandatory from September 2026 | CycloneDX SBOMs, SLSA provenance, signed artifacts, vulnerability handling |
| US Executive Order 14028 | Active | SBOM generation and supply chain attestation for federal procurement |
| NIST SSDF (PS.3 / PW.4) | Active | Secure development practices, provenance, third-party component verification |
| PCI DSS 4.0 | Active | Supply chain integrity controls and verifiable artifact evidence for audit |
http4k Verify - one line of build config validates signatures, SBOMs and provenance for every http4k dependency, automatically, before your code compiles.
Explore Verify →| CommunityFree · Apache 2.0 | ProPer module / seat | EnterpriseSubscription | |
|---|---|---|---|
| Full open-source core | ✓ | ✓ | ✓ |
| Supported http4k versions | v6 | v6 | v4, v5, v6 |
| Minimum Java version | Java 21 | Java 21 | Java 8 (v4/5), 21 (v6) |
| Pro modules | - | A la carte | ✓ all |
| Supply chain & license provenance, Verify plugin | - | - | ✓ |
| Priority support | GitHub issues | GitHub issues | ✓ Slack, Email |
| Guaranteed support term | - | - | ✓ up to 24 months |
| Source code access | Public | Public | ✓ + private LTS |
| Get started → | View Pro → | Talk to us → |
Major versions track the JDK's two-year LTS cycle. As each new Community major ships, the previous one rolls into a 24-month Enterprise LTS programme - so you upgrade on your schedule, not ours.
Tell us about your stack and compliance needs and we'll tailor a subscription - including LTS timelines outside the standard schedule.
