From 092f6d2159e744c4ec959da5aed60937e264386a Mon Sep 17 00:00:00 2001
From: "claude[bot]" <41898282+claude[bot]@users.noreply.github.com>
Date: Tue, 7 Apr 2026 06:36:20 +0000
Subject: [PATCH] Fix: Add CSP header configuration guideline

Co-Authored-By: Claude Sonnet 4.5
---
 ...ty-guidelines-for-production-deployment.md | 38 ++++++++++++-------
 1 file changed, 25 insertions(+), 13 deletions(-)

diff --git a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md
index 970e223a44..11fe466f6a 100644
--- a/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md
+++ b/en/docs/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment.md
@@ -139,6 +139,18 @@ Transport Level Security.

Note that cache prevention headers are enabled for the applications with which the product is shipped by default. Therefore, you need to manually enable cache prevention headers only for all the new applications that you deploy in your server.

+

Configure Content Security Policy (CSP) headers

+

WSO2 API Manager application code is developed adhering to security guidelines, and known vulnerabilities within the package have been identified and patched. In addition, Content Security Policy (CSP) can provide an extra layer of protection by restricting how the application is framed or embedded in the browser.

+

It is recommended to configure the following CSP header at the Load Balancer (LB) level to secure framing behavior and reduce clickjacking risk:

+
Content-Security-Policy: frame-src 'self'; frame-ancestors 'self';
+

The above policy ensures the following:

+ + + +

Increase Ephemeral Diffie-Hellman Key size

Before starting the server, open the product startup script (api-manager.sh in Linux and api-manager.bat in Windows) and enter the following with the other Java properties:

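Review bot: the clickjacking claim in this hunk rests on `frame-ancestors 'self'` alone; `frame-src 'self'` does the opposite job, limiting which origins the product's own pages may load into an iframe, and does nothing to stop a third-party site from framing the product. The sentence introducing the header ("to secure framing behavior and reduce clickjacking risk") and the "ensures the following" list (whose items are not visible in this rendering) should attribute each effect to the right directive, and `frame-src 'self'` should be flagged as something to verify against the portals' own embedded content before it is applied at the load balancer, since it blocks every cross-origin iframe the applications currently render. Two further points deserve a line in the guideline: user agents that predate CSP Level 2 ignore `frame-ancestors`, so `X-Frame-Options: SAMEORIGIN` is the usual companion header, and if the product already emits a Content-Security-Policy header, a second one added at the LB does not replace it; browsers enforce both policies, so the existing response headers should be checked before the LB rule goes in.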
@@ -147,7 +159,7 @@ Transport Level Security.

- +

Disable client-initiated renegotiation


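Review bot: the commit subject describes only the CSP addition, but this hunk and every hunk after it replace one line inside an unrelated section (Disable client-initiated renegotiation here, then HostName Verification, JSESSIONID length, admin credentials and so on through the end of the file), and the removed and added lines are not shown in this rendering, so a reviewer cannot tell what changed. Either describe the sweep in the commit message (what the line is and why it is being replaced) or split it into its own commit so the CSP change can be reviewed on its own.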
@@ -158,7 +170,7 @@ Transport Level Security.

- +

Enable HostName Verification


@@ -177,7 +189,7 @@ sure that hostname verification is enabled in the product startup script (

For instructions, see Enabling HostName Verification.

- +

Increase JSESSIONID length

If required, increase the session ID length by changing the sessionIDLength attribute of the session manager in the context.xml file (stored in the <PRODUCT_HOME>/repository/conf/tomcat/context.xml directory) as shown below. The default value is 16 bytes.

@@ -188,14 +200,14 @@ sure that hostname verification is enabled in the product startup script (
- +

Change default admin credentials


The Administrator account is configured by default. The default user name and password of the administrator account is "admin". To change the administrator credentials, you need to first sign in to the management console of the API-M server as "admin", and then use the Change Password option under Home->Configure->User Management->Users in the navigator.

For more information on how to change the password of the administrator in the API-M server, see Changing the super admin credentials.

- +

Restrict access to the management console


@@ -204,7 +216,7 @@ sure that hostname verification is enabled in the product startup script (

For instructions, see Managing User Roles.

- +

Enable log rotation and monitoring


@@ -214,7 +226,7 @@ configured in the <PRODUCT_HOME>/repository/conf/log4j2.properties<

You can also configure rollover based on log file size, and also it is possible to limit the number of backup files. For details on how to configure log rotation and manage log growth details in the API-M runtime, see Managing log growth.

- +

Prevent log forging

Log forging can be identified by appending a UUID to the log message. The conversion character '%u' can be used in the pattern layout to log a UUID. For example, the log pattern can be set as following for AUDIT @@ -223,7 +235,7 @@ logs so that the UUID is printed at the beginning of each log record.

For more information on configuring logging, see Setting up logging in API Manage.

- +

Set appropriate JVM parameters


@@ -233,7 +245,7 @@ href="{{base_path}}/install-and-setup/setup/reference/product-compatibility/#tes been removed from Hotspot JVM.

- +

Restrict outbound connections of Publisher node


@@ -241,7 +253,7 @@ been removed from Hotspot JVM.

See the API-M deployment documentation for details.

- +

Use a separate admin user account to login into the system


@@ -249,7 +261,7 @@ been removed from Hotspot JVM.

For more information regarding admin user accounts, see super admin configurations.

- +

Defining callback URL regular expression


@@ -257,14 +269,14 @@ been removed from Hotspot JVM.

- +

Configure client authentication


Client authentication is used to identify the application or client making a request to the WSO2 API Manager REST APIs. By default, web applications provided with WSO2 API Manager use a set of default credentials for authentication. However, it is recommended to change these default credentials to enhance security. For more details see, Configure client authentication

- +

Disable Try-It Tool