| 1 | +# Configure custom headers using a custom header filter |
| 2 | + |
| 3 | +The custom header filter adds custom HTTP headers to WSO2 Identity Server's own web applications. Use this to add security headers like Content-Security-Policy (CSP) to web apps. Supported apps include console, authentication endpoint, account recovery endpoint, and My Account portal. |
| 4 | + |
| 5 | +!!! info |
| 6 | + Add custom headers to your application's login pages by configuring the authentication endpoint. This applies the headers to login flows your applications use. |
| 7 | + |
| 8 | +!!! warning "Known limitations" |
| 9 | + |
| 10 | + WSO2 Identity Server web applications do not fully support CSP headers with `unsafe-inline` and `unsafe-eval` directives. |
| 11 | + |
| 12 | +## Prerequisites |
| 13 | + |
| 14 | +See [Using the Configuration Management REST APIs]({{base_path}}/develop/using-the-configuration-management-rest-apis/) for prerequisites and general architecture. |
| 15 | + |
| 16 | +## Enable custom header filter |
| 17 | + |
| 18 | +Add the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file: |
| 19 | + |
| 20 | +```toml |
| 21 | +[custom_header_filter] |
| 22 | +enable = true |
| 23 | +``` |
| 24 | + |
| 25 | +Restart the server for the changes to take effect. |
| 26 | + |
| 27 | +!!! info |
| 28 | + This feature is available out of the box as an update in WSO2 Identity Server 6.1.0 from update level **261** (Updates 2.0 model). See the instructions on [updating WSO2 products](https://updates.docs.wso2.com/en/latest/). |
| 29 | + |
| 30 | + If you don't have this update level, build the feature manually: |
| 31 | + |
| 32 | + 1. Clone the [identity-carbon-auth-rest](https://github.com/wso2-extensions/identity-carbon-auth-rest) repository. |
| 33 | + 2. Build the project using Java 11 or Java 17. |
| 34 | + 3. Copy `org.wso2.carbon.identity.custom.header.filter-${project.version}.jar` to the `<IS_HOME>/repository/components/dropins` directory. |
| 35 | + |
| 36 | +## Configure custom headers |
| 37 | + |
| 38 | +Follow these steps to configure custom headers for the web applications. |
| 39 | + |
| 40 | +### Step 1: Register the custom-headers resource type |
| 41 | + |
| 42 | +Create a resource type named `custom-headers` to enable custom header configurations for the server. |
| 43 | + |
| 44 | +```bash |
| 45 | +curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource-type \ |
| 46 | + -H "accept: application/json" \ |
| 47 | + -H "Content-Type: application/json" \ |
| 48 | + -H "Authorization: Bearer {bearer_token}" \ |
| 49 | + -d '{ |
| 50 | + "name": "custom-headers", |
| 51 | + "description": "This is the resource type for custom header resources." |
| 52 | + }' |
| 53 | +``` |
| 54 | + |
| 55 | +### Step 2: Create custom headers for a web application |
| 56 | + |
| 57 | +Create a new configuration with custom headers for the web application. |
| 58 | + |
| 59 | +The following example adds a `Content-Security-Policy` header to the `console` application: |
| 60 | + |
| 61 | +```bash |
| 62 | +curl -k -X POST https://localhost:9443/t/{root_organization_name}/api/identity/config-mgt/v1.0/resource/custom-headers \ |
| 63 | + -H "accept: application/json" \ |
| 64 | + -H "Content-Type: application/json" \ |
| 65 | + -H "Authorization: Bearer {bearer_token}" \ |
| 66 | + -d '{ |
| 67 | + "name": <APP_NAME>, |
| 68 | + "attributes": [ |
| 69 | + { |
| 70 | + "key": "Content-Security-Policy", |
| 71 | + "value": "default-src '\''self'\''; script-src '\''self'\''; style-src '\''self'\''" |
| 72 | + } |
| 73 | + ] |
| 74 | + }' |
| 75 | +``` |
| 76 | + |
| 77 | +!!! note |
| 78 | + Replace `<APP_NAME>` with the web application name: |
| 79 | + |
| 80 | + - `console` - Admin Console |
| 81 | + - `authenticationendpoint` - Authentication endpoint |
| 82 | + - `accountrecoveryendpoint` - Account recovery endpoint |
| 83 | + - `myaccount` - My Account portal |
| 84 | + |
| 85 | +### Optional step: Add headers to an existing web application |
| 86 | + |
| 87 | +Add more headers to web applications with existing custom header configurations. |
| 88 | + |
| 89 | +```bash |
| 90 | +curl -k -X POST https://localhost:9443/t/{root_organization_name}/api/identity/config-mgt/v1.0/resource/custom-headers/console \ |
| 91 | + -H "accept: application/json" \ |
| 92 | + -H "Content-Type: application/json" \ |
| 93 | + -H "Authorization: Bearer {bearer_token}" \ |
| 94 | + -d '{ |
| 95 | + "key": "X-Frame-Options", |
| 96 | + "value": "DENY" |
| 97 | + }' |
| 98 | +``` |
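Review bot: the Step 2 request body is not valid JSON as written: `"name": <APP_NAME>,` leaves the placeholder unquoted, so a reader who substitutes the application name and pastes the command gets a parse error from the API. Quote it as `"name": "<APP_NAME>",` and keep the note that tells readers which value to substitute. Two smaller points in the same hunk: Step 1 targets `https://localhost:9443/api/identity/config-mgt/v1.0/resource-type` while Step 2 and the optional step use the `/t/{root_organization_name}/api/...` form, so either say that both forms are equivalent for the root organization or use one form throughout; and the page stops after the configuration calls with no way to confirm the filter is active, so a short verification step (request a page of the configured application with `curl -k -I` and check that `Content-Security-Policy` is present in the response headers) would let readers see the header is actually emitted before they tighten the policy, which matters given the `unsafe-inline`/`unsafe-eval` limitation stated at the top.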