wso2 wso2-api-manager

Adding HTTP security headers to WSO2 APIM (4.1.0) via deployment.toml config


I have followed "adding security headers in wso2am-4.0.0 (sts & csp & referer headers)" to add the header config to the control plane, and it is working (carbon portal, dev portal and publisher).

I added the same config in the gateway profile node, but it's not getting applied to my APIs deployed in the gateway.

Is there a global configuration that I can add to the gateway that will apply the HTTP security headers to all APIs (without going for custom header policies)?


Solution

  • You can add a global mediation policy to add these headers.

    1. Create a file called WSO2AM--Ext--Out.xml.
    2. Add the following content and place the file in the location wso2am-4.1.0/repository/deployment/server/synapse-configs/default/sequences:
    <sequence xmlns="http://ws.apache.org/ns/synapse" name="WSO2AM--Ext--Out">
    
        <property name="header1" value="val1" scope="transport" />
        <property name="header2" value="val2" scope="transport" />
    
    </sequence>
    
    3. Add the following configurations to the deployment.toml in wso2am-4.1.0/repository/conf/:
    [apim.sync_runtime_artifacts.gateway.skip_list]
    sequences = ["WSO2AM--Ext--Out.xml"]
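
To confirm that the sequence is actually applied to API responses from the gateway, the response headers can be audited with a check like the one below. This is an added example, not part of the original answer; the three headers checked are the ones named in the question (STS, CSP, referrer), while the thresholds, allowed values and sample header sets are assumptions constructed for illustration.

```python
import re
import urllib.request

# Assumed baseline (not from the original page); adjust to your own policy.
MIN_HSTS_MAX_AGE = 15552000  # 180 days, in seconds
ALLOWED_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                    "strict-origin-when-cross-origin"}

def audit_headers(headers):
    """Return findings for one response's headers; an empty list means pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
        if m is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age too short")
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    ref = h.get("referrer-policy")
    if ref is None:
        findings.append("Referrer-Policy missing")
    else:
        # A comma-separated value is a fallback list; browsers use the last policy they recognise.
        last = ref.split(",")[-1].strip().lower()
        if last not in ALLOWED_REFERRER:
            findings.append("Referrer-Policy not in allowed set: " + last)
    return findings

def fetch_headers(url):
    """Fetch response headers from a live API URL supplied by the caller."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())

# Constructed sample responses (not captured from a real gateway).
BEFORE = {"Content-Type": "application/json"}
AFTER = {"Content-Type": "application/json",
         "strict-transport-security": "max-age=31536000; includeSubDomains",
         "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
         "Referrer-Policy": "no-referrer"}
WEAK = {**AFTER, "strict-transport-security": "max-age=300",
        "Referrer-Policy": "unsafe-url"}

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER), ("weak", WEAK)):
        print(name, audit_headers(sample) or "OK")
```

For a live check, pass the result of `fetch_headers()` for one of your deployed API URLs to `audit_headers()`; an API that requires a token needs the request extended with the appropriate authorization header.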