This documentation is for WSO2 API Manager 2.6.0. View documentation for the latest release.


Web services may return response headers that carry sensitive information. This tutorial explains how to remove HTTP headers (including request headers that the gateway would otherwise copy into the response) from API responses for security reasons.

To remove headers from responses, either per API or globally, add the name of each header to be removed as a property in your custom out sequence.

<property name="<name of the header to be removed>" scope="transport" action="remove"/>
<property name="Accept" scope="transport" action="remove"/>
<property name="X-JWT-Assertion" scope="transport" action="remove"/>
<property name="Cookie" scope="transport" action="remove"/>


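A complete custom out sequence built from the properties above, added here as an illustration and not taken from the WSO2 documentation; the sequence name and the additional Server and X-Powered-By entries are assumptions, and how the sequence is attached to an API is not covered on this page.

```xml
<!-- Custom out sequence (illustrative; name is an assumption). It runs on the
     response path, so every property below removes a header from the response
     before it reaches the client. -->
<sequence xmlns="http://ws.apache.org/ns/synapse" name="strip_sensitive_response_headers">

    <!-- Request headers that the gateway may echo back into the response -->
    <property name="Accept" scope="transport" action="remove"/>
    <property name="X-JWT-Assertion" scope="transport" action="remove"/>
    <property name="Cookie" scope="transport" action="remove"/>

    <!-- Backend-identifying headers (assumed additions, not from the page):
         they reveal the server product and framework behind the gateway -->
    <property name="Server" scope="transport" action="remove"/>
    <property name="X-Powered-By" scope="transport" action="remove"/>

</sequence>
```
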
To handle error responses, follow the instructions below.

  1. To handle the case where the requested API does not exist, open the <API-M_HOME>/repository/deployment/server/synapse-configs/default/sequences/main.xml file.
  2. Add the name of each header to be removed as a property, immediately before the send mediator, as shown below.

    <property name="<name of the header to be removed>" scope="transport" action="remove"/>
    <property name="Accept" scope="transport" action="remove"/>
    <property name="X-JWT-Assertion" scope="transport" action="remove"/>
    <property name="Cookie" scope="transport" action="remove"/>
    <send/>
  3. To handle the case where an error occurs while an API request is being executed, open the <API-M_HOME>/repository/deployment/server/synapse-configs/default/sequences/fault.xml file.
  4. Add the name of each header to be removed as a property, immediately before the reference to the "CORS request handler" sequence, as shown below.

    <property name="<name of the header to be removed>" scope="transport" action="remove"/>
    <property name="Accept" scope="transport" action="remove"/>
    <property name="X-JWT-Assertion" scope="transport" action="remove"/>
    <property name="Cookie" scope="transport" action="remove"/>
    <sequence key="_cors_request_handler_"/>


Note: The method above removes only the headers you name explicitly. If you need to remove all transport headers from the response, remove the TRANSPORT_HEADERS property in the axis2 scope instead, as shown below.

<property name="TRANSPORT_HEADERS" action="remove" scope="axis2"/>
<send/>