Expand Up @@ -139,6 +139,18 @@ Transport Level Security</a>.</p>
<p>Note that cache prevention headers are enabled for the applications with which the product is shipped by default. Therefore, you need to manually enable cache prevention headers only for all the new applications that you deploy in your server.</p>
</tr>
<tr class="odd">
<td><p>Configure Content Security Policy (CSP) headers</p></td>
<td><p>WSO2 API Manager application code is developed adhering to security guidelines, and known vulnerabilities within the package have been identified and patched. In addition, Content Security Policy (CSP) can provide an extra layer of protection by restricting how the application is framed or embedded in the browser.</p>
<p>It is recommended to configure the following CSP header at the Load Balancer (LB) level to secure framing behavior and reduce clickjacking risk:</p>
<pre><code>Content-Security-Policy: frame-src 'self'; frame-ancestors 'self';</code></pre>
<p>The above policy ensures the following:</p>
<ul>
<li><code>frame-src 'self'</code> - Restricts the sources from which content can be loaded into frames within the application to the same origin only.</li>
<li><code>frame-ancestors 'self'</code> - Prevents the application from being embedded in frames by external origins, mitigating clickjacking attacks.</li>
</ul>
</td>
</tr>
<tr class="odd">
<td><p>Increase Ephemeral Diffie-Hellman Key size</p></td>
<td><p>Before starting the server, open the product startup script (<code>api-manager.sh</code> in Linux and <code>api-manager.bat</code> in Windows) and enter the following with the other Java properties:</p>
<div class="code panel pdl" style="border-width: 1px;">
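Review bot: the second bullet of the added CSP row is the only one that matches the row's stated purpose; the first bullet, `frame-src 'self'`, controls which origins the application itself may load into its own frames, not who may frame the application, so it contributes nothing to the clickjacking mitigation the intro paragraph promises ("restricting how the application is framed or embedded in the browser"). Suggest rewording the intro to say the policy both limits what the portals may embed (`frame-src`) and who may embed the portals (`frame-ancestors`), and marking `frame-ancestors 'self'` as the clickjacking control explicitly. Two caveats also belong in the row: `frame-ancestors` is only honoured when delivered as an HTTP response header (a `<meta>` CSP tag is ignored for it), which is the real reason the load balancer is the right place to set it; and a header applied at the LB covers every application behind it, so any portal that is legitimately embedded by another site will need that site's origin listed in `frame-ancestors` instead of `'self'`, otherwise the policy blocks it.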
Expand All @@ -147,7 +159,7 @@ Transport Level Security</a>.</p>
</div>
</div></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Disable client-initiated renegotiation</p>
<p><br />
</p></td>
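Review bot: this flip from `even` to `odd` breaks the row striping rather than restoring it. In the hunk above, the inserted CSP row is `odd` and the unchanged "Increase Ephemeral Diffie-Hellman Key size" row that follows it is also `odd`; flipping this renegotiation row to `odd` as well produces three consecutive `odd` rows. Either flip the Diffie-Hellman row to `even` as part of the first hunk (and leave this and the following rows' flips as they are), or make the CSP row `even`; as submitted, the alternation is off by one from the CSP row down to wherever the next unflipped row is. Longer term, striping with a `tr:nth-child(odd)` rule in the stylesheet would avoid touching every subsequent row each time a guideline is inserted.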
Expand All @@ -158,7 +170,7 @@ Transport Level Security</a>.</p>
</div>
</div></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>Enable HostName Verification</p>
<p><br />
</p></td>
Expand All @@ -177,7 +189,7 @@ sure that hostname verification is enabled in the product startup script (<code
</div>
<p>For instructions, see <a href="{{base_path}}/install-and-setup/setup/security/enabling-hostname-verification/">Enabling HostName Verification</a>.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Increase JSESSIONID length</p></td>
<td><div class="content-wrapper">
<p>If required, increase the session ID length by changing the <code>sessionIDLength</code> attribute of the session manager in the <code>context.xml</code> file (stored in the <code>&lt;PRODUCT_HOME&gt;/repository/conf/tomcat/context.xml</code> directory) as shown below. The default value is 16 bytes.</p>
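Review bot: the context line in this hunk describes `<PRODUCT_HOME>/repository/conf/tomcat/context.xml` as a "directory"; that path is the file being edited, so it should read "the `context.xml` file (stored in `<PRODUCT_HOME>/repository/conf/tomcat/`)". Since the row is being touched anyway, the opening "If required" also gives the reader no criterion: state what length the guideline actually recommends above the 16-byte default so the row is actionable.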
Expand All @@ -188,14 +200,14 @@ sure that hostname verification is enabled in the product startup script (<code
</div>
</div></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>Change default admin credentials</p>
<p><br />
</p></td>
<td><p>The Administrator account is configured by default. The default user name and password of the administrator account is &quot;admin&quot;. To change the administrator credentials, you need to first sign in to the management console of the API-M server as &quot;admin&quot;, and then use the <strong>Change Password</strong> option under <strong>Home-&gt;Configure-&gt;User Management-&gt;Users</strong> in the navigator.</p>
<p>For more information on how to change the password of the administrator in the API-M server, see <a href="{{base_path}}/install-and-setup/setup/security/logins-and-passwords/maintaining-logins-and-passwords/#change-the-super-admin-credentials">Changing the super admin credentials</a>.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Restrict access to the management console</p>
<p><br />
</p></td>
Expand All @@ -204,7 +216,7 @@ sure that hostname verification is enabled in the product startup script (<code
instead of granting all permission to one administrator, you can distribute the responsibilities among administrators by assigning different permissions for conducting various tasks.</p>
<p>For instructions, see <a href="{{base_path}}/administer/managing-users-and-roles/managing-user-roles/">Managing User Roles</a>.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>Enable log rotation and monitoring</p>
<p><br />
</p></td>
Expand All @@ -214,7 +226,7 @@ configured in the <code>&lt;PRODUCT_HOME&gt;/repository/conf/log4j2.properties<
<p>You can also configure rollover based on log file size, and also it is possible to limit the number of backup
files. For details on how to configure log rotation and manage log growth details in the API-M runtime, see <a href="{{base_path}}/administer/logging-and-monitoring/logging/managing-log-growth/">Managing log growth</a>.</p></td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Prevent log forging</p></td>
<td><p>Log forging can be identified by appending a UUID to the log message. The conversion character '%u' can be
used in the pattern layout to log a UUID. For example, the log pattern can be set as following for <code>AUDIT</code>
Expand All @@ -223,7 +235,7 @@ logs so that the UUID is printed at the beginning of each log record.</p>
<p>For more information on configuring logging, see <a href="{{base_path}}/administer/logging-and-monitoring/logging/configuring-logging/">Setting up
logging in API Manage</a>.</p></td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>Set appropriate JVM parameters</p>
<p><br />
</p></td>
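Review bot: the link text at the end of this hunk, "Setting up logging in API Manage", is missing the final "r" of "Manager"; since the row's class is being changed, fix the link text in the same change. The line break inside the anchor text is also harmless but worth joining so the label is greppable.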
Expand All @@ -233,38 +245,38 @@ href="{{base_path}}/install-and-setup/setup/reference/product-compatibility/#tes
been removed from Hotspot JVM.</p>
</td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Restrict outbound connections of Publisher node</p>
<p><br />
</p></td>
<td><p>In an API-M deployment, it is recommended to restrict outbound connections of the Control Plane node (which contains the Publisher) and only allow access to the internal nodes (only to the nodes that the Publisher portal is intended to communicate with) of the deployment. Therefore, even if a situation arises where privileged user credentials are exposed to a user with malicious intent, such users will not be able to exploit and perform any unintended network interactions.</p>
<p>See the <a href="{{base_path}}/install-and-setup/setup/deployment-overview">API-M deployment</a> documentation for details.</p>
</td>
</tr>
<tr class="odd">
<tr class="even">
<td><p>Use a separate admin user account to login into the system</p>
<p><br />
</p></td>
<td><p>WSO2 recommends that you use two separate admin user accounts in production - one account for logging into the system and the other one as the system user doing configurations (for internal service communications).</p>
<p>For more information regarding admin user accounts, see <a href="{{base_path}}/reference/config-catalog/#super-admin-configurations">super admin configurations</a>.</p>
</td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Defining callback URL regular expression</p>
<p><br />
</p></td>
<td><p>For password recovery, you can define a regular expression to validate the callback URL. The default configuration allows any callback URL. Note that if you are using the recovery option, it is highly recommended to define the regular expression that validates and only allows access to specific callback URLs.</p><p>See the <a href="https://is.docs.wso2.com/en/6.1.0/deploy/security/product-level-security-guidelines/#callback-url-regular-expressions">Callback URL Regular Expressions</a> documentation for details.</p>
</td>
</tr>
</tr>
<tr class="odd">
<tr class="even">
<td><p>Configure client authentication</p>
<p><br />
</p></td>
<td><p>Client authentication is used to identify the application or client making a request to the WSO2 API Manager REST APIs. By default, web applications provided with WSO2 API Manager use a set of default credentials for authentication. However, it is recommended to change these default credentials to enhance security. For more details see, <a href="{{base_path}}/install-and-setup/setup/deployment-best-practices/security-guidelines-for-production-deployment/#configure-client-authentication">Configure client authentication</a></p>
</td>
</tr>
<tr class="even">
<tr class="odd">
<td><p>Disable Try-It Tool</p>
<p><br />
</p></td>
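Review bot: there is a duplicated `</tr>` immediately after the "Defining callback URL regular expression" row (two consecutive `</tr>` lines between that row and the "Configure client authentication" row). It predates this change, but it is inside the hunk being edited and a stray closing tag can shift the table structure depending on the renderer, so drop the extra one here. While the rows are being touched: the "Use a separate admin user account to login into the system" heading should read "log in to the system", and in the client authentication row "For more details see," should be "For more details, see".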