adding security headers in wso2am-4.0.0 (sts & csp & referer headers)
I'm trying to add those two headers in all portals as guided by my companies security team. So far I've tried adding somem configurations in the deployment.toml. This only brings the sts header in the devportal but not in other portals.
[[tomcat.carbon.filter]]
name = "HttpHeaderSecurityFilter"
class = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
init_param_name = "hstsMaxAgeSeconds"
init_param_value = "15768000"
[[tomcat.carbon.filter_mapping]]
name = "HttpHeaderSecurityFilter"
url_pattern = ["*"]
I've also tried adding the filters in the web.xml file that is available here: wso2am-4.0.0/repository/conf/tomcat/carbon/WEB-INF but this configurations seem to be rewritten on startup.
[2024-04-29 16:13:46,247] INFO {org.wso2.config.mapper.ConfigParser} - Configurations Changed in :repository/resources/security/sslprofiles.xml
[2024-04-29 16:13:46,249] INFO {org.wso2.config.mapper.ConfigParser} - Configurations Changed in :repository/resources/security/listenerprofiles.xml
[2024-04-29 16:13:46,249] INFO {org.wso2.config.mapper.ConfigParser} - Configurations Changed in :repository/conf/deployment.toml
[2024-04-29 16:13:46,250] INFO {org.wso2.config.mapper.ConfigParser} - Configurations Changed in :repository/conf/tomcat/carbon/WEB-INF/web.xml
Anyone know how I could solve this?
Solution
Try adding these
[[tomcat.filter]]
name = "httpHeaderSecurity"
class = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
async_supported = true
[tomcat.filter.init_params]
hstsEnabled = true
hstsMaxAgeSeconds = 31536000
hstsIncludeSubDomains = true
[[tomcat.filter_mapping]]
name = "httpHeaderSecurity"
url_pattern = "/*"
dispatchers = "REQUEST"
- Migrating from WSO2 Enterprise Integrator to Micro Integrator
- Caused by: java.io.FileNotFoundException: /wso2am-3.2.0/repository\conf\advanced\qpid-config.xml (No such file or directory)
- WSO2 Error while building Passthrough stream java.lang.StringIndexOutOfBoundsException
- WSO2 Large File Handling
- Is Endpoint Security Authentication in WSO2 APIM Done per API or per request?
- Adding HTTP security headers to WSO2 APIM (4.1.0) via deployment.toml config
- Difference between grant_type=client_credentials and grant_type=password in Authentication Flow?
- WSO2 Multiple Gateway deployment production/sandbox endpoints
- Is there a way to run three instances of WSO2 AM in one localhost?
- CORS Configuration not working in WSO2 API Manager for Oauth2/token API
- OSGI Bundling issue while upgrading WSO2 APIM 3.2 to 4.3
- WSO2 API Manager 4.2 with AWS ALB : Problems with mTLS Authentication Setup
- WSO2 API Manager (wso2am-4.3.0) - Error When Invoking APIs After Disabling OpenAPI Validations
- WSO2 API Manager (wso2am-4.3.0) - How to Disable OpenAPI Validation When Importing Swaggers?
- How to enable TLS 1.1 in wso2 APIM 4.2
- WSO2 API Manager (wso2am-2.1.0) - How to implement passwordless authentication using WSO2 APIM and Microsoft Authenticator App?
- WSO2 API Manager (wso2am-2.1.0) - BufferOverflowException
- How to - create api to test simple http backend
- Issue with WSO2 API-Manager 4.3.0: ERR_CONNECTION_RESET at localhost:9443
- Adding advanced UI customizations to WSO2 API-M UIs didn't went well
- WSO2 website access to front site denied and possibility wrong packages or versions
- WSO2 API Manager Integration with Prometheus and Grafana
- WSO2 API Manager 4.0.0 - Maximum Backend Throughput not working properly in a clustered environment
- How to get username of API caller in wso2 apim in Basic Authorization?
- What exactly is the difference between "WSO2 API Manager" and "WSO2 Data Analytics Server" and "WSO2 Application Server"?
- How to pass a value from inSequence to outSequence in WSO2 ESB?
- Import Backend services description into WSO2 APIM
- Is there a way to add username in API Log in WSO2 APIM?
- Not able to setup WSO2 APIM Analytics
- How to make gRPC request in WSO2 micro-integrator via Postman?