sathmij commented Dec 3, 2025

Purpose

Remove outdated and unnecessary references to Carbon versions from the WSO2 Identity Server documentation.

Problem

Several Identity Server documentation pages contain outdated and unnecessary references to specific Carbon versions and ranges (e.g., Carbon 4.4.0, 4.4.11, 4.4.17), even though each IS version already bundles a known Carbon version. Additionally, some pages mention multiple “Carbon version ranges,” which is incorrect for a given IS release.

Solution

This PR removes Carbon-version references and updates the instructions to be IS-version-specific, which aligns with the documentation guidelines and the expectations of issue #23050.

Documentation Fixes Included:

  1. Updated Product-Level Security Guidelines
  2. Updated Multitenancy Tenant Loading Policy Guide
  3. Applied changes across all supported versions (5.9.0, 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0, 7.2.0, and next)
  4. Verification:
  • Checked formatting integrity for all versions by running a local mkdocs build
  • Confirmed navigation, headings, and anchors remain consistent
  • Validated that updated guidance matches current IS behavior

Related PRs

None

Related Issues

wso2/product-is#23050

Test environment

  • Browsers tested:
    Chrome 141.0 (Windows 11)

Security checks

Verification Results


Summary by CodeRabbit

  • Documentation
    • Simplified security guidelines by removing Carbon version-specific conditions across product documentation.
    • Updated HSTS configuration guidance to apply universally without version qualifiers.
    • Streamlined hostname verification instructions by removing version-dependent conditions and consolidating guidance.
    • Removed version references from tenant configuration documentation for clearer, unconditional guidance.


- Removed unnecessary Carbon version references from product-level security guidelines and tenant loading policy docs.
- Updated wording to be IS-version-specific.
- Changes applied to 5.9.0 through 7.2.0 and next.
coderabbitai bot commented Dec 3, 2025

Walkthrough

Documentation updates across multiple Identity Server versions remove Carbon version-specific conditions from security guidelines and tenant configuration documentation, consolidating disparate version-dependent instructions into unconditional guidance.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Product-level security guidelines: en/identity-server/5.9.0/docs/administer/product-level-security-guidelines.md, en/identity-server/5.10.0/docs/administer/product-level-security-guidelines.md, en/identity-server/5.11.0/docs/administer/product-level-security-guidelines.md, en/identity-server/6.0.0/docs/deploy/security/product-level-security-guidelines.md, en/identity-server/6.1.0/docs/deploy/security/product-level-security-guidelines.md, en/identity-server/7.0.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md, en/identity-server/7.1.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md, en/identity-server/7.2.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md, en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md | Removed Carbon version-specific conditions (4.4.11+, 4.4.17+, pre-4.4.17) from HSTS and hostname verification sections; converted conditional guidance to unconditional statements; removed example JVM property lines from code blocks. |
| Tenant loading policy configuration: en/identity-server/6.0.0/docs/guides/tenants/configure-the-tenant-loading-policy.md, en/identity-server/6.1.0/docs/guides/tenants/configure-the-tenant-loading-policy.md, en/identity-server/7.0.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md, en/identity-server/7.1.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md, en/identity-server/7.2.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md, en/identity-server/next/docs/guides/multitenancy/configure-the-tenant-loading-policy.md | Simplified introductory sentence by removing "based on Carbon 4.4.0 or later versions" qualifier; all other content preserved. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Homogeneous changes applied consistently across multiple files with identical patterns
  • Pure documentation updates with no code logic, API changes, or behavioral alterations
  • Straightforward text removal and rewording following a single template

Suggested reviewers

  • himeshsiriwardana
  • ShanChathusanda93
  • pavinduLakshan

Poem

🐰 Across the versions, guards now stand tall,
No Carbon cages binding all,
HSTS defaults, hostnames aligned,
Simpler guidance, version-unconfined!
Documentation hopped, cleaner and bright!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main change: removing outdated Carbon version references from Identity Server documentation across all versions. |
| Description check | ✅ Passed | The description includes Purpose, Related Issues, Test environment, and Security checks sections. All key information about the change, problem, solution, and verification is provided. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2ac4520 and 069ff8f.

📒 Files selected for processing (15)
  • en/identity-server/5.10.0/docs/administer/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/5.11.0/docs/administer/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/5.9.0/docs/administer/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/6.0.0/docs/deploy/security/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/6.0.0/docs/guides/tenants/configure-the-tenant-loading-policy.md (1 hunks)
  • en/identity-server/6.1.0/docs/deploy/security/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/6.1.0/docs/guides/tenants/configure-the-tenant-loading-policy.md (1 hunks)
  • en/identity-server/7.0.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/7.0.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1 hunks)
  • en/identity-server/7.1.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/7.1.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1 hunks)
  • en/identity-server/7.2.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/7.2.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1 hunks)
  • en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2 hunks)
  • en/identity-server/next/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1 hunks)
🔇 Additional comments (25)
en/identity-server/5.9.0/docs/administer/product-level-security-guidelines.md (2)

95-101: HSTS section: Clear and actionable guidance.

The unconditional guidance is appropriate. The explanation of why HSTS is disabled by default (to avoid interrupting development) combined with the directive to enable it for production deployment provides good context for operators.


159-190: Hostname verification section: Well-structured instructions.

The two-step configuration (setting hostnameVerifier to Strict and ignoreHostnameVerification to false) is clearly presented with proper examples and an external reference for additional context. The removal of Carbon version conditions has simplified the guidance without loss of essential information for IS 5.9.0.

Verify that both JVM properties (hostnameVerifier and ignoreHostnameVerification) are applicable and necessary for IS 5.9.0. Confirm there are no version-specific behavioral differences that should be documented.

en/identity-server/next/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1)

3-3: Consistent and correct removal of outdated Carbon version qualifier.

The simplification from "In {{ product_name }} based on Carbon 4.4.0 or later versions, you have the option of..." to "In {{ product_name }}, you have the option of..." successfully removes the outdated version gating while maintaining grammatical correctness and readability. The sentence now appropriately becomes IS-version-specific rather than Carbon-version-dependent.

en/identity-server/7.0.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1)

3-3: Consistent removal pattern across versions (7.0.0).

Matches the same intentional simplification applied to the next version; the Carbon 4.4.0 qualifier is correctly removed from the opening sentence.

en/identity-server/7.2.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1)

3-3: Consistent removal across 7.x series (7.2.0).

The same Carbon version qualifier simplification is correctly applied here as well, maintaining consistency across all recent-version branches.

en/identity-server/7.1.0/docs/guides/multitenancy/configure-the-tenant-loading-policy.md (1)

3-3: Consistent removal across 7.1.0.

Identical to 7.0.0 and 7.2.0; the Carbon version qualifier is correctly removed from the introductory sentence.

en/identity-server/6.0.0/docs/guides/tenants/configure-the-tenant-loading-policy.md (1)

3-3: Consistent removal with concrete product naming (6.0.0).

The same Carbon version qualifier is correctly removed here, with the concrete product name "WSO2 Identity Server (WSO2 IS)" used in place of the template variable. The line-wrapped sentence structure remains valid.

en/identity-server/6.1.0/docs/guides/tenants/configure-the-tenant-loading-policy.md (1)

3-3: Consistent removal across 6.1.0.

Mirrors the change in 6.0.0; the Carbon 4.4.0 qualifier is correctly removed from the introductory sentence, maintaining consistency across the 6.x documentation branch.

en/identity-server/7.0.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2)

88-93: HSTS guidance now unconditional across all versions.

The change removes the Carbon version qualifier and states that HSTS is disabled by default without version conditions. This aligns with the PR objective and maintains the security guidance. The statement "HSTS is disabled...by default" is clear and actionable regardless of version context.


148-177: HostName verification guidance simplified and unconditional.

Lines 164 and 170 now present the configuration steps without Carbon version conditions:

  • Set hostnameVerifier to Strict
  • Set ignoreHostnameVerification to false

The steps are clear, actionable, and the removal of version conditions aligns with the PR objective of eliminating outdated Carbon version references while preserving the security guidance.

en/identity-server/6.1.0/docs/deploy/security/product-level-security-guidelines.md (2)

105-110: Consistent with 7.0.0: HSTS guidance made unconditional.

The HSTS section at line 107 removes version qualifiers and clearly states the default disabled state with the actionable guidance to enable it. Consistent change across versions maintains documentation clarity.


168-194: Consistent with 7.0.0: HostName verification guidance simplified.

Lines 183 and 189 present the configuration unconditionally. Change is consistent across the documentation set.

en/identity-server/6.0.0/docs/deploy/security/product-level-security-guidelines.md (2)

105-110: Consistent pattern: HSTS guidance unified across 6.x versions.

Change mirrors 6.1.0, confirming consistency of documentation updates across minor versions.


168-194: Consistent pattern: HostName verification unified across 6.x versions.

en/identity-server/7.2.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2)

88-93: 7.2.0 follows consistent 7.x pattern for HSTS.


148-177: 7.2.0 follows consistent 7.x pattern for HostName verification.

en/identity-server/7.1.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2)

88-93: 7.1.0 consistent with broader 7.x updates.


148-177: 7.1.0 HostName verification consistent with 7.x series.

en/identity-server/5.10.0/docs/administer/product-level-security-guidelines.md (2)

95-103: 5.10.0 HSTS guidance updated consistently with newer versions.

Despite the older IS version (5.10.0), the HSTS section update follows the same pattern as 6.x and 7.x versions, removing version conditions while preserving security guidance.


159-189: 5.10.0 HostName verification consistent with broader update.

Lines 175 and 181 follow the unconditional guidance pattern applied across all versions in the PR.

en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md (2)

88-93: Next version documentation aligned with current guidance.

The "next" documentation follows the same unconditional HSTS guidance pattern, ensuring future version docs are consistent with the updated approach.


148-177: Next version HostName verification consistent with current pattern.

en/identity-server/5.11.0/docs/administer/product-level-security-guidelines.md (3)

98-104: 5.11.0 HSTS updated consistently across 5.x versions.

The HSTS section reflects the same unconditional guidance approach applied to both 5.10.0 and all newer versions.


162-192: 5.11.0 HostName verification consistent with 5.10.0 pattern.


1-361: Comprehensive documentation update with consistent cross-version patterns.

Summary of review across all 8 files:

All changes follow a consistent pattern across supported IS versions (5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0, 7.2.0, and next):

  1. HSTS Guidance (lines ~90–107): Removed Carbon version qualifiers and now presents unconditional guidance that HSTS is disabled by default for shipped applications, with clear instructions to enable it.

  2. HostName Verification (lines ~164–189): Removed version-specific conditions and now presents unconditional steps to set hostnameVerifier=Strict and ignoreHostnameVerification=false.

Verification:

  • ✓ Changes are consistent across all 8 files
  • ✓ Security guidance remains intact (no loss of critical information)
  • ✓ Outdated Carbon version references (e.g., "Carbon 4.4.11 or later") successfully removed
  • ✓ Documentation is now version-agnostic and simpler to maintain
  • ✓ Aligns with PR objective to remove Carbon-version references per "Remove carbon version references in IS docs" (product-is#23050)

No issues identified. The PR accomplishes its stated goal cleanly and comprehensively.
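
As an added illustration (not part of this PR, the review, or the WSO2 documentation), the two hostname-verification steps named in the review can be audited in a start-up script as follows. The full property names are the ones WSO2 start-up scripts use, which this page abbreviates; the function names, sample scripts and `com.example.Main` are constructed for the example.

```python
import shlex

# Full property names as used in WSO2 start-up scripts (the page gives only the short names).
VERIFIER = "httpclient.hostnameVerifier"
IGNORE = "org.wso2.ignoreHostnameVerification"

def jvm_properties(script_text):
    """Map each -Dname=value token to its value; a later duplicate overrides an earlier one."""
    props = {}
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and shell comments
            continue
        line = line.rstrip("\\")               # drop the shell line continuation
        try:
            tokens = shlex.split(line)         # strips quotes around values
        except ValueError:                     # unbalanced quote: fall back to whitespace split
            tokens = line.split()
        for tok in tokens:
            if tok.startswith("-D") and len(tok) > 2:
                name, _, value = tok[2:].partition("=")
                props[name] = value
    return props

def audit_hostname_verification(script_text):
    """Return findings for the two settings; an empty list means both steps are applied."""
    props = jvm_properties(script_text)
    checks = [(VERIFIER, "Strict", lambda v: v == "Strict"),
              (IGNORE, "false", lambda v: v.lower() == "false")]
    findings = []
    for name, wanted, ok in checks:
        if name not in props:
            findings.append(f"{name}: not set explicitly")
        elif not ok(props[name]):
            findings.append(f"{name}: is {props[name]!r}, expected {wanted!r}")
    return findings

# Constructed sample scripts (com.example.Main is a placeholder main class).
HARDENED = """$JAVACMD \\
  -Dhttpclient.hostnameVerifier="Strict" \\
  -Dorg.wso2.ignoreHostnameVerification=false \\
  com.example.Main"""
WEAK = """# -Dhttpclient.hostnameVerifier=Strict
$JAVACMD -Dhttpclient.hostnameVerifier=Strict \\
  -Dorg.wso2.ignoreHostnameVerification=true \\
  -Dhttpclient.hostnameVerifier=AllowAll com.example.Main"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_hostname_verification(text) or "OK")
```

The check treats a commented-out option as absent and a later duplicate as overriding an earlier one, so a `Strict` setting that is overridden further down the command line is still reported.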

