[6.1] Add Custom Header Filter documentation to IS 6.1 docs

[HasiniSama]

Issues:

• Support for configuring Content-Security-Policy header out-of-the-box product-is#26317
• Capability to define custom headers in server response product-is#9088

This breaks of the PR: #5821

6.1.0

Screen.Recording.2026-01-21.at.14.24.37.mov

Summary by CodeRabbit

• Documentation
  • Added a guide for enabling and configuring a custom header filter: prerequisites, deployment configuration, registering header resource types, creating/updating header sets (includes an example CSP for the Console), optionally adding headers to existing configurations, notes on CSP limitations (unsafe-inline/unsafe-eval), and mappings of header names to web applications.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Warning

Rate limit exceeded

@HasiniSama has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 22 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between d535087 and 4c20db2.

📒 Files selected for processing (2)

• en/identity-server/6.1.0/docs/deploy/custom-header-filter.md
• en/identity-server/6.1.0/mkdocs.yml

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds a new documentation page explaining how to enable and configure a custom header filter (including examples and limitations) and updates the product docs navigation to include the new page.

Changes

Cohort / File(s)	Summary
Documentation Addition en/identity-server/6.1.0/docs/deploy/custom-header-filter.md	New guide covering prerequisites, enabling the custom header filter via deployment.toml, registering the custom-headers resource type, creating/updating header configurations (Console CSP example), optional migration for existing configs, known CSP limitations, and header-to-application mappings.
Navigation Update en/identity-server/6.1.0/mkdocs.yml	Added "Custom Header Filter" entry under Guides > Setup > Data Stores (positioned between CORS and reCAPTCHA).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I nudged a doc, then hopped away,
New headers dancing in bright array.
A toml set right, CSP tucked near,
Nav found its home — a tidy cheer.
🌙🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is largely incomplete compared to the template, missing Purpose section details, Related PRs clarity, Test environment, and all Security checks.	Add a Purpose section explaining the feature/fix details, clarify related PRs, specify Test environment details, and complete the Security checks checklist with specific confirmations.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately describes the main change: adding Custom Header Filter documentation to the IS 6.1 docs.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@en/identity-server/6.1.0/docs/deploy/custom-header-filter.md`:
- Line 53: The curl command URL has a typo "hhttps" which will fail; update the
command (the POST to
/t/{root_organization_name}/api/identity/config-mgt/v1.0/resource/custom-headers)
to use "https" instead of "hhttps" so the URL begins with "https://".

[Copilot]

Pull request overview

This PR adds comprehensive documentation for configuring custom HTTP headers using the Custom Header Filter feature in WSO2 Identity Server 6.1. The documentation enables administrators to add security headers like Content-Security-Policy to web applications.

Changes:

• Added custom header filter documentation to deployment configuration section
• Documented prerequisites, configuration steps, and API usage examples
• Included known limitations and usage notes for different web applications

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

File	Description
en/identity-server/6.1.0/mkdocs.yml	Added navigation entry for Custom Header Filter documentation under Configure section
en/identity-server/6.1.0/docs/deploy/custom-header-filter.md	New documentation file explaining how to enable and configure custom headers for WSO2 IS web applications

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@en/identity-server/6.1.0/docs/deploy/custom-header-filter.md`:
- Around line 8-10: Update the "Known limitations" note so it accurately states
the CSP behavior: replace the sentence that currently reads "WSO2 Identity
Server web applications do not fully support CSP headers with `unsafe-inline`
and `unsafe-eval` directives due to code base limitations" with a clear
statement that WSO2 Identity Server 6.1.0 web applications require CSP headers
to include `unsafe-inline` and/or `unsafe-eval` (because of inline
scripts/styles), and append that security patches and U2 updates reduce this
requirement; ensure the header/title "Known limitations" and surrounding context
remain unchanged.

🧹 Nitpick comments (1)

en/identity-server/6.1.0/docs/deploy/custom-header-filter.md (1)

35-44: Flag -k as dev-only (TLS verification disabled).

All curl samples use -k, which disables TLS verification. Please add a brief note that -k is for local/dev only and should be removed in production.

♻️ Suggested doc tweak

 ```bash
-curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource-type \
+curl -k -X POST https://localhost:9443/api/identity/config-mgt/v1.0/resource-type \
   -H "accept: application/json" \
   -H "Content-Type: application/json" \
   -H "Authorization: Bearer {bearer_token}" \
   -d '{
@@
   }'

+!!! note

• -k disables TLS certificate verification. Use it only for local/dev setups and remove it in production.

</details>


Also applies to: 52-66, 80-88

</blockquote></details>

</blockquote></details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@en/identity-server/6.1.0/docs/deploy/custom-header-filter.md`:
- Line 3: Update the application names in the summary sentence to match the
mapping list: change "Account Recovery" to "Account Recovery Endpoint" and "My
Account" to "My Account Portal" so the phrasing is consistent with the mapping
entries; locate and edit the strings "Account Recovery" and "My Account" in the
Custom Header Filter description and replace them with "Account Recovery
Endpoint" and "My Account Portal" respectively.

[HasiniSama]

The failing LINT issues can be ignored.