diff --git a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll index 62755d28277..ed5adb81216 100644 --- a/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll +++ b/java/ql/lib/semmle/code/java/security/RequestForgeryConfig.qll @@ -35,7 +35,7 @@ deprecated class RequestForgeryConfiguration extends TaintTracking::Configuratio /** * A taint-tracking configuration characterising request-forgery risks. */ -module RequestForgeryConfiguration implements DataFlow::ConfigSig { +private module RequestForgeryConfiguration implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource and // Exclude results of remote HTTP requests: fetching something else based on that result diff --git a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll index 93b6fc60816..c0dd06b2bc9 100644 --- a/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SensitiveLoggingQuery.qll @@ -49,7 +49,7 @@ deprecated class SensitiveLoggerConfiguration extends TaintTracking::Configurati } /** A data-flow configuration for identifying potentially-sensitive data flowing to a log output. */ -module SensitiveLoggerConfiguration implements DataFlow::ConfigSig { +private module SensitiveLoggerConfiguration implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CredentialExpr } predicate isSink(DataFlow::Node sink) { sinkNode(sink, "logging") } diff --git a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql index 02cdfacc56f..b868dcabf85 100644 --- a/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql +++ b/java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.ql 
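Review bot: The module on the `+` line of `RequestForgeryConfig.qll` keeps the name `RequestForgeryConfiguration`, which is also the name of the deprecated class shown in the hunk header, so the library carries two unrelated declarations under one identifier. Now that the module is `private`, nothing outside the file can depend on its name, so this is a cheap moment to rename it, for example `private module RequestForgeryConfig implements DataFlow::ConfigSig {`, and to update the instantiation that presumably defines `RequestForgeryFlow` elsewhere in the file (outside this hunk). The same applies to `SensitiveLoggerConfiguration` in the `SensitiveLoggingQuery.qll` hunk. Both modules were public before this change, so a change note pointing downstream queries at `RequestForgeryFlow` and `SensitiveLoggerFlow` would help anyone who had instantiated the SSRF or sensitive-logging configuration themselves.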
@@ -2,14 +2,10 @@ import java import TestUtilities.InlineFlowTest import semmle.code.java.security.SensitiveLoggingQuery -class EnableLegacy extends EnableLegacyConfiguration { - EnableLegacy() { exists(this) } -} - class HasFlowTest extends InlineFlowTest { - override DataFlow::Configuration getTaintFlowConfig() { - result instanceof SensitiveLoggerConfiguration + override predicate hasTaintFlow(DataFlow::Node src, DataFlow::Node sink) { + SensitiveLoggerFlow::hasFlow(src, sink) } - override DataFlow::Configuration getValueFlowConfig() { none() } + override predicate hasValueFlow(DataFlow::Node src, DataFlow::Node sink) { none() } } diff --git a/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql b/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql index d7e481ce618..b27d81ee073 100644 --- a/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql +++ b/java/ql/test/query-tests/security/CWE-918/RequestForgery.ql @@ -9,7 +9,8 @@ class HasFlowTest extends InlineExpectationsTest { override predicate hasActualResult(Location location, string element, string tag, string value) { tag = "SSRF" and - exists(RequestForgeryConfiguration conf, DataFlow::Node sink | conf.hasFlowTo(sink) | + exists(DataFlow::Node sink | + RequestForgeryFlow::hasFlowTo(sink) and sink.getLocation() = location and element = sink.toString() and value = ""
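Review bot: With `EnableLegacy` and `getTaintFlowConfig()` removed, the `SensitiveLogInfo.ql` test only exercises `SensitiveLoggerFlow`, while the deprecated `SensitiveLoggerConfiguration` class is still shipped in `SensitiveLoggingQuery.qll` (visible in that file's hunk header). If the deprecated class is meant to keep reporting the same CWE-532 results until it is removed, nothing in this diff would catch it drifting from the new module, so either keep one legacy-configuration test or say in a comment that the deprecated class is intentionally untested. The same applies to the `RequestForgery.ql` test hunk that follows, which replaces `conf.hasFlowTo(sink)` with `RequestForgeryFlow::hasFlowTo(sink)`. A one-line QLDoc on `HasFlowTest`, such as `/** Checks inline taint-flow expectations against SensitiveLoggerFlow; value flow is intentionally not tested. */`, would also explain why `hasValueFlow` is `none()`.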