diff --git a/src/lib/security/config.test.ts b/src/lib/security/config.test.ts
new file mode 100644
index 0000000..d20a516
--- /dev/null
+++ b/src/lib/security/config.test.ts
@@ -0,0 +1,23 @@
+import { getSecurityConfig, validateSecurityConfig } from './config';
+
+describe('Security Config', () => {
+ test('should return default security configuration', () => {
+ const config = getSecurityConfig();
+ expect(config).toBeDefined();
+ expect(config.rateLimit.ip.maxRequests).toBe(10);
+ expect(config.rateLimit.ip.windowMinutes).toBe(60);
+ expect(config.captcha.complexity).toBe('medium');
+ });
+
+ test('should validate security config structure', () => {
+ const config = getSecurityConfig();
+ const isValid = validateSecurityConfig(config);
+ expect(isValid).toBe(true);
+ });
+
+ test('should reject invalid config', () => {
+ const invalidConfig = { rateLimit: { ip: { maxRequests: -1 } } };
+ const isValid = validateSecurityConfig(invalidConfig);
+ expect(isValid).toBe(false);
+ });
+});
diff --git a/src/lib/security/config.ts b/src/lib/security/config.ts
new file mode 100644
index 0000000..600a45c
--- /dev/null
+++ b/src/lib/security/config.ts
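Review bot: In config.test.ts the 'should reject invalid config' case does not exercise the negative-limit check it appears to target: `{ rateLimit: { ip: { maxRequests: -1 } } }` has no `captcha` or `protection`, so validateSecurityConfig (added in config.ts by this same commit) returns false on the missing-section test before it ever evaluates `maxRequests < 0`. Build the case from a valid config instead, e.g. `const invalidConfig = { ...getSecurityConfig(), rateLimit: { ip: { maxRequests: -1 } } };`, so the test fails if the bound check is removed. It is also worth adding cases for a config with no `rateLimit.ip` block and for a non-numeric `captcha.expiryMinutes`, since both are currently accepted by the validator and nothing pins that behaviour either way.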
@@ -0,0 +1,77 @@
+export interface SecurityConfig {
+ captcha: {
+ complexity: 'simple' | 'medium' | 'complex';
+ expiryMinutes: number;
+ maxAttempts: number;
+ };
+ rateLimit: {
+ ip: {
+ maxRequests: number;
+ windowMinutes: number;
+ };
+ email: {
+ maxRequests: number;
+ windowHours: number;
+ };
+ global: {
+ maxRequests: number;
+ windowMinutes: number;
+ };
+ };
+ protection: {
+ enableCSRF: boolean;
+ enableInputSanitization: boolean;
+ enableBehaviorDetection: boolean;
+ blockSuspiciousIPs: boolean;
+ };
+ logging: {
+ enableSecurityLogs: boolean;
+ logRetentionDays: number;
+ alertThreshold: number;
+ };
+}
+
+const defaultConfig: SecurityConfig = {
+ captcha: {
+ complexity: 'medium',
+ expiryMinutes: 5,
+ maxAttempts: 3,
+ },
+ rateLimit: {
+ ip: {
+ maxRequests: 10,
+ windowMinutes: 60,
+ },
+ email: {
+ maxRequests: 3,
+ windowHours: 24,
+ },
+ global: {
+ maxRequests: 50,
+ windowMinutes: 1,
+ },
+ },
+ protection: {
+ enableCSRF: true,
+ enableInputSanitization: true,
+ enableBehaviorDetection: true,
+ blockSuspiciousIPs: true,
+ },
+ logging: {
+ enableSecurityLogs: true,
+ logRetentionDays: 30,
+ alertThreshold: 5,
+ },
+};
+
+export function getSecurityConfig(): SecurityConfig {
+ return { ...defaultConfig };
+}
+
+export function validateSecurityConfig(config: any): boolean {
+ if (!config || typeof config !== 'object') return false;
+ if (!config.rateLimit || !config.captcha || !config.protection) return false;
+ if (config.rateLimit.ip?.maxRequests < 0) return false;
+ if (config.captcha.expiryMinutes <= 0) return false;
+ return true;
+}
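Review bot: validateSecurityConfig fails open on missing or non-numeric fields: `config.rateLimit.ip?.maxRequests < 0` and `config.captcha.expiryMinutes <= 0` both evaluate to false when the value is undefined, NaN or a non-numeric string, so a config with no `ip` block or no `expiryMinutes` is reported as valid. The function also never looks at `rateLimit.email`, `rateLimit.global` or `captcha.maxAttempts`, so a partially specified config can pass validation with those limits absent. I would require each checked field to be a finite number before comparing it, keeping the existing bounds, as in the fence below; whether `email` and `global` must always be present is an assumption to confirm against the callers. Separately, getSecurityConfig returns `{ ...defaultConfig }`, which is a shallow copy, so a caller that sets `config.protection.enableCSRF = false` on the returned object changes the shared defaults for every later caller; a deep copy such as `return structuredClone(defaultConfig);` (where the target runtime provides it) avoids that.

```typescript
// … unchanged: SecurityConfig interface, defaultConfig, getSecurityConfig …

const isNum = (v: unknown): v is number =>
  typeof v === 'number' && Number.isFinite(v);

export function validateSecurityConfig(config: any): boolean {
  if (!config || typeof config !== 'object') return false;
  const { rateLimit, captcha, protection } = config;
  if (!rateLimit || !captcha || !protection) return false;
  // Reject missing or non-numeric limits instead of letting the comparison fall through.
  const limits = [rateLimit.ip, rateLimit.email, rateLimit.global];
  if (!limits.every((l) => l && isNum(l.maxRequests) && l.maxRequests >= 0)) return false;
  if (!isNum(captcha.expiryMinutes) || captcha.expiryMinutes <= 0) return false;
  if (!isNum(captcha.maxAttempts) || captcha.maxAttempts <= 0) return false;
  return true;
}
```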