Update security guideline documentation #6029
Walkthrough: Documentation updates replace the "Disable weak ciphers" sections across Identity Server versions with a consolidated "Configure cipher suites" workflow that references the Mozilla SSL Configuration Generator and instructs setting the
---
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (4)
en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md (1)
9-9: ⚠️ Potential issue | 🟡 Minor: Fix spelling error.
The word "seperated" should be spelled "separated".
📝 Proposed fix
-1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be seperated by `+` sign. +1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be separated by `+` sign.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md` at line 9, Fix the spelling mistake in the sentence that reads "Note that the list of protocols needs to be seperated by `+` sign." — change "seperated" to "separated" in the documentation text so it reads "Note that the list of protocols needs to be separated by `+` sign." This occurs in the TLS configuration sentence that mentions `<IS_HOME>/repository/conf/deployment.toml`.
en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md (1)
9-9: ⚠️ Potential issue | 🟡 Minor: Fix spelling error.
The word "seperated" should be spelled "separated".
📝 Proposed fix
-1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be seperated by `+` sign. +1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be separated by `+` sign.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md` at line 9, Fix the spelling mistake in the sentence that reads "the list of protocols needs to be seperated by `+` sign." — change "seperated" to "separated" in the documentation text referencing the configuration for `<IS_HOME>/repository/conf/deployment.toml` so it reads "the list of protocols needs to be separated by `+` sign."
en/identity-server/next/docs/deploy/security/configure-transport-level-security.md (1)
9-9: ⚠️ Potential issue | 🟡 Minor: Fix spelling error.
The word "seperated" should be spelled "separated".
📝 Proposed fix
-1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be seperated by `+` sign. +1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be separated by `+` sign.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/next/docs/deploy/security/configure-transport-level-security.md` at line 9, Replace the misspelled word "seperated" with "separated" in the sentence "Note that the list of protocols needs to be seperated by `+` sign." so the text reads "...needs to be separated by `+` sign."; locate the occurrence of the incorrect token "seperated" in the document to make the single-word correction.
en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md (1)
9-9: ⚠️ Potential issue | 🟡 Minor: Fix spelling error.
The word "seperated" should be spelled "separated".
📝 Proposed fix
-1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be seperated by `+` sign. +1. You can configure multiple TLS versions or a single TLS version by adding the following configuration to the `<IS_HOME>/repository/conf/deployment.toml` file. Note that the list of protocols needs to be separated by `+` sign.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md` at line 9, Fix the spelling mistake in the documentation sentence that says "the list of protocols needs to be seperated by `+` sign"; update "seperated" to the correct spelling "separated" in the text that references `<IS_HOME>/repository/conf/deployment.toml` and the protocols-separated-by-`+` guidance so the sentence reads "...needs to be separated by `+` sign."
🧹 Nitpick comments (4)
en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md (1)
22-22: Clarify what "left blank" refers to. The phrase "If left blank" creates ambiguity. Explicitly state that it refers to the `ciphers` property to improve clarity.
♻️ Proposed improvement
-By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack. +By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If the `ciphers` property is left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.
As per coding guidelines: "Avoid ambiguous pronouns (it, this, that, they) by replacing them with explicit nouns when ambiguity exists."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md` at line 22, The sentence uses an ambiguous pronoun "If left blank" — change it to explicitly reference the ciphers property so readers know what is being referred to; e.g., replace "If left blank, weak ciphers..." with "If the ciphers property is left blank, weak ciphers..." and ensure the `ciphers` property is backticked wherever mentioned for clarity.
en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md (1)
22-22: Clarify what "left blank" refers to. The phrase "If left blank" creates ambiguity. Explicitly state that it refers to the `ciphers` property to improve clarity.
♻️ Proposed improvement
-By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack. +By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If the `ciphers` property is left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.
As per coding guidelines: "Avoid ambiguous pronouns (it, this, that, they) by replacing them with explicit nouns when ambiguity exists."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md` at line 22, The sentence is ambiguous about what "left blank" refers to; update the sentence to explicitly mention the `ciphers` property (e.g., "If the `ciphers` property is left blank, weak ciphers...") so readers know exactly which configuration is meant, and ensure the phrase `ciphers` property is used verbatim to match the surrounding documentation.
en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md (1)
22-22: Clarify what "left blank" refers to. The phrase "If left blank" creates ambiguity. Explicitly state that it refers to the `ciphers` property to improve clarity.
♻️ Proposed improvement
-By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack. +By default, all SSL ciphers supported by JSSE are enabled. To restrict the server to a specific set of secure cipher suites, explicitly configure the `ciphers` property. If the `ciphers` property is left blank, weak ciphers (including EXPORT ciphers) will also be available, which can make the server vulnerable to attacks such as the Logjam attack.
As per coding guidelines: "Avoid ambiguous pronouns (it, this, that, they) by replacing them with explicit nouns when ambiguity exists."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md` at line 22, The sentence uses an ambiguous pronoun "If left blank" — update the text to explicitly reference the `ciphers` property (e.g., "If the `ciphers` property is left blank") so readers clearly know which configuration entry is meant; modify the line containing the `ciphers` property reference in the deploy/security/configure-transport-level-security.md content to replace the pronoun with the explicit property name and keep the rest of the warning about weak ciphers and Logjam unchanged.
en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md (1)
68-68: Format technical term consistently. The term "server value" refers to an HTTP header field and should be formatted in backticks rather than bold to maintain consistency with how other technical terms are formatted in the documentation.
♻️ Proposed improvement
-When sending HTTP responses, by default, WSO2 Identity Server passes `WSO2 Carbon Server` as the **server value** in HTTP headers. This exposes information about the WSO2 Identity Server stack. +When sending HTTP responses, by default, WSO2 Identity Server passes `WSO2 Carbon Server` as the `server` value in HTTP headers. This exposes information about the WSO2 Identity Server stack.
As per coding guidelines: "Format code elements, file names, paths, config keys, commands, and URLs in backticks."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md` at line 68, Replace the bolded phrase "server value" with inline code formatting (`server value`) to match the project's convention for technical terms; update the sentence so the HTTP header field name appears in backticks and ensure `WSO2 Carbon Server` is also formatted consistently with other technical elements (use backticks where appropriate) in the sentence that currently reads about WSO2 Identity Server passing WSO2 Carbon Server as the server value in HTTP headers.
📒 Files selected for processing (5)
en/identity-server/7.0.0/docs/deploy/security/configure-transport-level-security.md
en/identity-server/7.1.0/docs/deploy/security/configure-transport-level-security.md
en/identity-server/7.2.0/docs/deploy/security/configure-transport-level-security.md
en/identity-server/next/docs/deploy/security/configure-transport-level-security.md
en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md
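The findings in this comment describe three settings a reviewer would want to verify on a deployed instance: the `+`-separated TLS protocol list, the `ciphers` property (blank means every JSSE-supported suite stays enabled, export-grade suites included), and the default `Server` header value. The following audit script is an added example for this review, not code from the PR or from WSO2. It assumes an illustrative TOML layout (the section `[transport.https.sslHostConfig.properties]` and the keys `protocols` and `ciphers` are placeholders, not taken from the product docs), a comma-separated cipher list, and a constructed HTTP response; the weak-suite patterns are a conservative list chosen for the example.

```python
"""Offline audit of a TLS transport config and an HTTP response header.

Added example; not code from the PR or from WSO2. Assumed (illustrative):
the TOML section [transport.https.sslHostConfig.properties] and the keys
`protocols` and `ciphers`. Taken from the review: protocols are separated
by "+", a blank `ciphers` value leaves every JSSE-supported suite enabled
(export suites included, the Logjam exposure), and the default Server
header value is "WSO2 Carbon Server".
"""
import re

# Constructed sample: the weak configuration the review warns about.
SAMPLE_TOML = """
[transport.https.sslHostConfig.properties]
protocols = "TLSv1+TLSv1.1+TLSv1.2"
ciphers = ""
"""

# Constructed sample: a hardened configuration for comparison.
HARDENED_TOML = """
[transport.https.sslHostConfig.properties]
protocols = "TLSv1.2+TLSv1.3"
ciphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
"""

# Constructed sample: a response carrying the default Server header.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: WSO2 Carbon Server\r\n"
                   "Content-Type: text/html\r\n\r\n<html>")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Suite-name fragments that mark a weak cipher suite: export grade (the
# Logjam/FREAK class), NULL or anonymous (no confidentiality or peer
# authentication), RC4, single DES, 3DES, and MD5-based MACs.
WEAK_SUITE = re.compile(r"EXPORT|NULL|anon|RC4|_DES_|3DES|MD5", re.IGNORECASE)


def load_props(toml_text: str) -> dict:
    """Return the sslHostConfig properties table from the TOML text."""
    try:
        import tomllib  # standard library on Python 3.11+
        cfg = tomllib.loads(toml_text)
        return cfg["transport"]["https"]["sslHostConfig"]["properties"]
    except ImportError:
        # Older Pythons: minimal fallback for the `key = "value"` lines above.
        return {m.group(1): m.group(2)
                for m in re.finditer(r'^\s*(\w+)\s*=\s*"([^"]*)"', toml_text, re.M)}


def audit_tls(toml_text: str) -> list:
    """List findings for the protocol list and the ciphers property."""
    props = load_props(toml_text)
    findings = []
    # The docs state that the protocol list is separated by the "+" sign.
    protocols = [p.strip() for p in props.get("protocols", "").split("+") if p.strip()]
    findings += [f"weak protocol enabled: {p}" for p in protocols if p in WEAK_PROTOCOLS]
    # Cipher suites are assumed comma-separated for this example.
    ciphers = [c.strip() for c in props.get("ciphers", "").split(",") if c.strip()]
    if not ciphers:
        findings.append("ciphers is blank: all JSSE-supported suites enabled, weak ones included")
    findings += [f"weak cipher suite: {c}" for c in ciphers if WEAK_SUITE.search(c)]
    return findings


def audit_server_header(raw_response: str) -> list:
    """Flag a Server header that names the product stack or a version."""
    findings = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            value = value.strip()
            if re.search(r"wso2|carbon|/\d", value, re.IGNORECASE):
                findings.append(f"Server header reveals the product stack: {value}")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_TOML), ("hardened", HARDENED_TOML)):
        print(label, audit_tls(text) or ["no findings"])
    print("header", audit_server_header(SAMPLE_RESPONSE) or ["no findings"])
```

Run against the weak sample it reports the two legacy protocols and the blank `ciphers` property; the hardened sample produces no findings. The header check keys on the default value the review quotes and on `name/version` strings, which is the information-disclosure pattern the "server value" finding is about.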
---
🧹 Nitpick comments (1)
en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md (1)
56-61: Format literal server value in backticks. On line 58, the literal string "WSO2 Carbon Server" should be formatted in backticks since it represents a code/configuration value that appears in HTTP headers. As per coding guidelines, code elements should be formatted with backticks.
📝 Proposed fix
-When sending HTTP responses, by default, WSO2 Identity Server passes WSO2 Carbon Server as the **server value** in HTTP headers. This exposes information about the WSO2 Identity Server stack. +When sending HTTP responses, by default, WSO2 Identity Server passes `WSO2 Carbon Server` as the **server value** in HTTP headers. This exposes information about the WSO2 Identity Server stack.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md` around lines 56 - 61, Update the documentation text in the "HTTP response headers" section to format the literal server header value by surrounding the string WSO2 Carbon Server with backticks (i.e., use `WSO2 Carbon Server`) so it appears as a code/configuration value in the sentence that currently reads about WSO2 Identity Server passing WSO2 Carbon Server as the server value; ensure only the literal is wrapped in backticks and the rest of the sentence remains unchanged.
📒 Files selected for processing (1)
en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md
---
Actionable comments posted: 4
🧹 Nitpick comments (1)
en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md (1)
175-175: Add a concrete next step for disabling mutual SSL. This sentence states that mutual SSL can be disabled but gives no instruction or link, leaving the action incomplete. Add a direct link or a short step pointing to the disable flow.
As per coding guidelines: "Task-based documentation must follow a logical, goal-oriented structure including ... sequential steps ... and next steps."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md` at line 175, Replace the standalone sentence "If mutual SSL authentication capabilities are not required, you can disable it." with a concrete next step that shows how to disable mutual SSL (e.g., "To disable mutual SSL, go to the Product > Security > TLS settings and toggle 'Mutual TLS' off, or run: az product security update --name <product> --mutual-tls false" and/or add a link to the UI/CLI docs); ensure the new text appears directly after the existing sentence and includes either the UI path, the exact CLI command, or a link to the disable flow so readers have an actionable next step.
📒 Files selected for processing (1)
en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md
| It is recommended to change this by configuring the server name. For instructions, see [Configure Transport Level Security]({{base_path}}/deploy/security/configure-transport-level-security). | ||
|
|
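Review bot: "configuring the server name" in this line can be read as the hostname, while the paragraph is about the `Server` HTTP header (the preceding sentence, quoted in the earlier comment, says the server passes `WSO2 Carbon Server` as the server value in HTTP headers); say "configuring the `Server` header value" so the reader edits the right setting. The link text here, "Configure Transport Level Security", also differs from the hyphenated form used elsewhere in the file; use one form for both links to the same page.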
---
Use one canonical link text for the same target page.
This section links to the same page as Line 54 but uses different title casing/hyphenation (Configure Transport Level Security vs Configure Transport-Level Security). Keep one canonical form to reduce inconsistency.
As per coding guidelines: "Use one term per concept; do not switch terminology mid-document."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
around lines 64 - 65, The two links to the same target use inconsistent link
text — "Configure Transport Level Security" and "Configure Transport-Level
Security" — causing terminology drift; pick the canonical form (e.g., "Configure
Transport-Level Security") and update the link text in this paragraph (the link
currently rendered as [Configure Transport Level
Security]({{base_path}}/deploy/security/configure-transport-level-security)) to
match the canonical phrasing used elsewhere in the document so both links use
the exact same text.
| ### Client-initiated renegotiation | ||
|
|
||
| 2. Add the following with the other Java properties. | ||
| Disable client-initiated TLS renegotiation to prevent denial-of-service attacks that exploit the high asymmetry of renegotiation costs. | ||
|
|
||
| Before starting the server, open the product startup script in the `<IS_HOME>/bin` directory and add the following JVM property: | ||
|
|
||
| ``` java | ||
| -Djdk.tls.rejectClientInitiatedRenegotiation=true \ | ||
| === "Linux/macOS" | ||
| ``` bash | ||
| wso2server.sh | ||
| ``` | ||
|
|
||
| ## HostName verification | ||
| === "Windows" | ||
| ```bash | ||
| wso2server.bat | ||
| ``` | ||
|
|
||
| To enable hostname verification, | ||
| ``` java | ||
| -Djdk.tls.rejectClientInitiatedRenegotiation=true \ | ||
| ``` |
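Review bot: the JVM property appears in a ``` java fence with a trailing backslash (`-Djdk.tls.rejectClientInitiatedRenegotiation=true \`), but it is a command-line option rather than Java source, and the backslash is a sh line continuation that is wrong in `wso2server.bat`. Show the option without the backslash in a plain fence and say where it belongs: appended to the existing JVM options in `wso2server.sh` and `wso2server.bat`, not pasted at the top of the script, where sh would try to execute it as a command. The "## HostName verification" heading and the "To enable hostname verification," line are interleaved with this section in the rendered diff, so check that the merged file keeps the renegotiation steps together and the hostname verification section after them.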
---
Make the renegotiation hardening steps actionable and sequential.
This is a procedure, but it is not structured as clear numbered steps and does not show exactly where/how to add the JVM flag. This can lead to incorrect edits in startup scripts.
✏️ Proposed doc fix
### Client-initiated renegotiation
Disable client-initiated TLS renegotiation to prevent denial-of-service attacks that exploit the high asymmetry of renegotiation costs.
-Before starting the server, open the product startup script in the `<IS_HOME>/bin` directory and add the following JVM property:
+To disable client-initiated renegotiation:
-=== "Linux/macOS"
- ``` bash
- wso2server.sh
- ```
-
-=== "Windows"
- ```bash
- wso2server.bat
- ```
-
-``` java
--Djdk.tls.rejectClientInitiatedRenegotiation=true \
-```
+1. Open the startup script in `<IS_HOME>/bin`:
+ - `wso2server.sh` (Linux/macOS)
+ - `wso2server.bat` (Windows)
+2. Add the JVM property:
+ ```bash
+ -Djdk.tls.rejectClientInitiatedRenegotiation=true
+ ```
+3. Start the server.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
around lines 79 - 97, Convert the paragraph into a clear, numbered procedure
showing exactly where to edit the startup script: instruct the reader to open
the startup script in <IS_HOME>/bin (specifying wso2server.sh for Linux/macOS
and wso2server.bat for Windows), add the JVM property
-Djdk.tls.rejectClientInitiatedRenegotiation=true to the JVM options in that
script, and then start the server; ensure steps are numbered (1. open script, 2.
add JVM flag to the JVM options, 3. start server) and reference the scripts and
the JVM property so the change is unambiguous.
| To ensure adequate network-level protection, all connections from your WSO2 Identity Server to external databases, userstores (LDAP), or other services should be over TLS. Therefore, make sure to use **TLS-enabled external systems**. | ||
|
|
||
| By default, XSS attacks are prevented in the latest WSO2 Identity Server versions. This is due to the output encoding of the displaying values. | ||
| ### Privileged users | ||
|
|
||
| ## JSESSIONID length | ||
| When connecting WSO2 Identity Server to external databases or userstores (LDAP), make sure to go through a user who does not have permission to change the data store's schema. |
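Review bot: "make sure to go through a user who does not have permission to change the data store's schema" does not say what kind of user is meant; state that the server's connection to the database or LDAP user store should use an account granted only the privileges the server needs, with no permission to alter the schema, which is the least-privilege point the "Privileged users" heading introduces. The "## JSESSIONID length" heading and the XSS output-encoding sentence are interleaved with this paragraph in the rendered diff; confirm the merged file keeps the TLS, privileged-users, XSS and JSESSIONID sections in order.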
---
Keep terminology consistent for “user store(s)”.
This section alternates between user store and userstores. Pick one term and use it consistently in this section.
As per coding guidelines: "Use one term per concept; do not switch terminology mid-document."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
around lines 113 - 117, The section is inconsistent between the terms "user
store", "userstores", and "user store(s)"; pick one canonical term (recommend
"user store") and replace all occurrences in this section — including the
phrases "userstores (LDAP)" and "user store(s) (LDAP)" and the "Privileged
users" paragraph — so the document uses the same term everywhere and update any
surrounding punctuation/formatting to match the chosen form.
|
|
||
| Client authentication is used to identify the application or the client that is making the request. | ||
| The web applications provided out of the box use a set of default credentials to authenticate with WSO2 Identity Server REST APIs that are marked as **secure** under the `ResourceAccessControl` tag of the `<IS_HOME>/repository/conf/identity/identity.xml` file. | ||
| Client authentication is used to identify the application or the client that is making the request. The web applications provided out of the box use a set of default credentials to authenticate with WSO2 Identity Server REST APIs that are marked as **secure** under the `ResourceAccessControl` tag of the `<IS_HOME>/repository/conf/identity/identity.xml` file. |
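Review bot: `**secure**` is rendered in bold although it names a value under the `ResourceAccessControl` tag; the guideline quoted earlier in this review puts code elements and config keys in backticks, so write `secure`. The merged paragraph also states that the bundled web applications authenticate to the REST APIs with default credentials but does not say whether those defaults are expected to be changed for a production deployment or where that is documented; add that next step or a link.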
---
Replace informal phrasing with formal wording.
“out of the box” is informal for this guide. Use “by default” for consistency with the rest of the document style.
As per coding guidelines: "In prose, use formal language."
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 143, Update the informal phrase "out of the box" to the formal wording
"by default" in the sentence describing client authentication; specifically edit
the sentence that references the ResourceAccessControl tag in the
<IS_HOME>/repository/conf/identity/identity.xml file so it reads that the web
applications provided by default use a set of default credentials to
authenticate with WSO2 Identity Server REST APIs that are marked as secure under
the ResourceAccessControl tag.