I have followed: adding security headers in wso2am-4.0.0 (sts & csp & referer headers) to add the header config to the control plane and it is working (carbon portal, dev portal and publisher).
I added the same config in the gateway profile node but it's not getting applied to my APIs deployed in the gateway.
Is there a global configuration that I can add to the gateway that will apply the HTTP security headers to all APIs (without going for custom header policies)?
You can add a global mediation policy to add these headers.
- Create a file called WSO2AM--Ext--Out.xml.
- Add the following content and place the file in the location wso2am-4.1.0/repository/deployment/server/synapse-configs/default/sequences.

```xml
<sequence xmlns="http://ws.apache.org/ns/synapse" name="WSO2AM--Ext--Out">
    <property name="header1" value="val1" scope="transport" />
    <property name="header2" value="val2" scope="transport" />
</sequence>
```
- Add the following configuration to the deployment.toml in wso2am-4.1.0/repository/conf/.

```toml
[apim.sync_runtime_artifacts.gateway.skip_list]
sequences = ["WSO2AM--Ext--Out.xml"]
```
The accepted answer works for successful API calls. Below is a version that covers fault cases as well.
Create a file called _Set_HTTPSecurityHeaders_.xml
Add the following content and place the file in the location – AM410_GW_HOME/repository/deployment/server/synapse-configs/default/sequences
```xml
<sequence name="_Set_HTTPSecurityHeaders_" trace="disable" xmlns="http://ws.apache.org/ns/synapse">
    <property name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains; preload" action="set" scope="transport"/>
    <property name="X-Content-Type-Options" value="nosniff" action="set" scope="transport"/>
    <property name="X-Frame-Options" value="DENY" action="set" scope="transport"/>
    <property name="X-XSS-Protection" value="1" action="set" scope="transport"/>
</sequence>
```
Create a file called WSO2AM--Ext--Out.xml
Add the following content and place the file in the location AM410_GW_HOME/repository/deployment/server/synapse-configs/default/sequences

```xml
<sequence xmlns="http://ws.apache.org/ns/synapse" name="WSO2AM--Ext--Out">
    <sequence key="_Set_HTTPSecurityHeaders_"/>
</sequence>
```
Add the following line at the end of AM410_GW_HOME/repository/deployment/server/synapse-configs/default/sequences/_cors_request_handler_.xml (around line 35, after the filter mediator):

```xml
<sequence key="_Set_HTTPSecurityHeaders_"/>
```
Add the following line before any send mediator in AM410_GW_HOME/repository/deployment/server/synapse-configs/default/sequences/main.xml:

```xml
<sequence key="_Set_HTTPSecurityHeaders_"/>
```
Add the following configuration to the deployment.toml:

```toml
[apim.sync_runtime_artifacts.gateway.skip_list]
sequences = ["WSO2AM--Ext--Out.xml", "_Set_HTTPSecurityHeaders_.xml"]
```
If this configuration is applied successfully, all APIs in the gateway will carry the HTTP security response headers on both success and failure responses (e.g. 2xx, 401, 403, 405, 500).
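A small check for the result described above, added here as an example (it is not part of either answer and not WSO2's own tooling): it takes raw response headers, reports which of the four headers from `_Set_HTTPSecurityHeaders_` are missing, and can fetch those headers from a gateway URL both with a token (2xx path) and without one (401 fault path). The gateway URL, the `8243` port and the bearer token are placeholders for your own deployment.

```shell
#!/bin/sh
# Check that a WSO2 API-M gateway response carries the headers set by the
# _Set_HTTPSecurityHeaders_ sequence. The check works on raw header text, so it
# runs the same way on a live "curl -D -" capture or on a saved file.

REQUIRED_HEADERS="Strict-Transport-Security X-Content-Type-Options X-Frame-Options X-XSS-Protection"

# missing_security_headers HEADER_TEXT
# Prints each required header that is absent (case-insensitive), one per line.
# Returns 0 when all are present, 1 otherwise.
missing_security_headers() {
    headers="$1"
    rc=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -iq "^$h:"; then
            echo "$h"
            rc=1
        fi
    done
    return $rc
}

# check_gateway_url URL [TOKEN]
# Fetches only the response headers from the gateway and runs the check.
# Call it twice: with a valid token (2xx path, WSO2AM--Ext--Out) and without
# one (401 fault path, main.xml / _cors_request_handler_.xml), since the
# second answer's point is that both paths must carry the headers.
check_gateway_url() {
    url="$1"; token="${2:-}"
    if [ -n "$token" ]; then
        hdrs=$(curl -s -o /dev/null -D - -H "Authorization: Bearer $token" "$url")
    else
        hdrs=$(curl -s -o /dev/null -D - "$url")
    fi
    printf '%s\n' "$hdrs" | head -n 1      # status line, e.g. HTTP/1.1 401
    if missing=$(missing_security_headers "$hdrs"); then
        echo "all security headers present"
    else
        echo "missing headers:"; echo "$missing"
        return 1
    fi
}

# Constructed sample of a 401 fault response without the headers (not a real
# capture); this is what the check reports before the main.xml change is made.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Content-Type: application/json'

# Usage: sh check_headers.sh https://<gateway-host>:8243/<context>/<version>/<resource> [TOKEN]
if [ -n "${1:-}" ]; then check_gateway_url "$@"; fi
```

Run it once with a valid token and once without; a missing header on the second run points at the fault sequences rather than at WSO2AM--Ext--Out.xml.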