Docs restructure related to security guidelines

[hwupathum]

Purpose

Related PRs

Test environment

Security checks

• Followed secure coding standards in http://wso2.com/technical-reports/wso2-secure-engineering-guidelines?
• Ran FindSecurityBugs plugin and verified report?
• Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets?

Summary by CodeRabbit

• Documentation
  • Consolidated product-level security guidelines into a single centrally maintained source, ensuring consistent guidance across versions.
  • Clarified that keystore and private key passwords are required for decrypting secrets at startup and pointed to options for providing them.

[coderabbitai]

Walkthrough

Replaced inline product-level security guideline files in four versioned docs with a single shared include and added a short clarification to encrypted-passwords documentation, consolidating content sourcing while keeping rendered guidance unchanged.

Changes

Cohort / File(s)	Summary
Shared Include Added en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md	New consolidated product-level security guidelines (≈342 lines) covering keystores, passwords, TLS/HTTPS, logging, JVM params, mutual TLS/client auth, external systems, and version-templated content.
Versioned Docs Replaced with Include en/identity-server/7.0.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md, en/identity-server/7.1.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md, en/identity-server/7.2.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md, en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md	Removed full inline guideline content and replaced each file with a single include directive referencing the new shared include (previous content removed).
Encryption Passwords Note en/includes/deploy/security/encrypt-passwords-with-cipher-tool.md	Added note clarifying the server requires keystore and private key passwords to decrypt secrets at startup and referenced options to supply them.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibbled docs from many a tree,
Tucked them into one neat spree,
An include now binds what once was wide,
Secure and tidy — I hop with pride! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete with all required sections left blank (Purpose, Related PRs, Test environment all empty) and security checkboxes unchecked, providing no context for the documentation restructuring.	Fill in the Purpose section explaining the restructuring rationale, list any related PRs or issues, note the test environment (if applicable for docs), and verify security checks are completed or marked appropriately.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Docs restructure related to security guidelines' accurately reflects the main change: restructuring security guideline documentation by consolidating content into a shared include file across multiple versions.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (4)

en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md (4)

65-65: Clarify the phrasing for better readability.

The phrase "go through a user" is unclear. Use more precise language.

♻️ Proposed refactor

-When connecting WSO2 Identity Server to external databases or userstores (LDAP), make sure to go through a user who does not have permission to change the data store's schema.
+When connecting WSO2 Identity Server to external databases or userstores (LDAP), use a user account that does not have permission to change the data store's schema.

As per coding guidelines: "Use precise nouns and strong verbs; avoid vague verbs such as handle, manage, deal with, perform, and utilize."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 65, Replace the unclear phrase "go through a user who does not have
permission to change the data store's schema" with a precise instruction: reword
the sentence in the WSO2 Identity Server guidance to say something like "connect
using a user account that does not have permission to modify the data store
schema" (or similar), ensuring it refers to connecting to external databases or
userstores (LDAP) and uses the noun "user account" and the verb "connect" for
clarity.

---

61-61: Consider using more direct, active voice.

The sentence uses a passive construction. Consider making it more direct and action-oriented.

♻️ Proposed refactor

-To ensure adequate network-level protection, all connections from your WSO2 Identity Server to external databases, userstores (LDAP), or other services should be over TLS. Therefore, make sure to use **TLS-enabled external systems**.
+To ensure adequate network-level protection, use TLS for all connections from your WSO2 Identity Server to external databases, userstores (LDAP), or other services. Therefore, make sure to use **TLS-enabled external systems**.

As per coding guidelines: "Reduce unnecessary use of weak 'be' verbs (am, is, are, was, were) and prefer direct verbs."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 61, Rewrite the passive sentence "To ensure adequate network-level
protection, all connections from your WSO2 Identity Server to external
databases, userstores (LDAP), or other services should be over TLS. Therefore,
make sure to use **TLS-enabled external systems**." into a direct, active voice
instruction; for example, start with an imperative like "Use TLS for all
connections from WSO2 Identity Server to external databases, userstores (LDAP),
and other services" and replace the second sentence with a concise active
reinforcement such as "Ensure external systems have TLS enabled." Update the
lines containing that sentence in product-level-security-guidelines.md
accordingly.

---

72-72: Consider using more direct phrasing.

The phrase "To have" uses a weak verb. Consider a more direct construction.

♻️ Proposed refactor

-To have strong transport-level security, use **TLS 1.3** (recommended) or at minimum **TLS 1.2**, and disable SSL, TLS 1.0, and 1.1.
+For strong transport-level security, use **TLS 1.3** (recommended) or at minimum **TLS 1.2**, and disable SSL, TLS 1.0, and 1.1.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 72, Replace the weak-verb opening "To have strong transport-level
security, use **TLS 1.3** (recommended) or at minimum **TLS 1.2**, and disable
SSL, TLS 1.0, and 1.1." with a more direct construction such as "Use **TLS 1.3**
(recommended) or at minimum **TLS 1.2** for strong transport-level security;
disable SSL, TLS 1.0, and TLS 1.1." — update the sentence in
product-level-security-guidelines.md where that exact line appears.

---

105-105: Consider leading with the action for clarity.

The sentence structure could be more direct by stating the action first.

♻️ Proposed refactor

-If there are dynamic pages in your application with sensitive information, you need to prevent browser caching. This can be done by making sure that the applications deployed in your server will return the relevant HTTP response headers.
+Prevent browser caching for dynamic pages in your application that contain sensitive information. This can be done by making sure that the applications deployed in your server will return the relevant HTTP response headers.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 105, Rewrite the sentence to lead with the actionable instruction:
replace "If there are dynamic pages in your application with sensitive
information, you need to prevent browser caching. This can be done by making
sure that the applications deployed in your server will return the relevant HTTP
response headers." with a direct directive such as "Prevent browser caching for
dynamic pages that contain sensitive information by ensuring your server returns
the appropriate HTTP response headers." Update the sentence in
product-level-security-guidelines.md where that paragraph appears so it starts
with the action and keeps the same meaning about returning relevant HTTP
response headers.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`:
- Line 1: The top-level heading "# Product-Level Security Guidelines for
Production Deployment" should use sentence case; replace it with "#
Product-level security guidelines for production deployment" so only the first
word is capitalized and proper nouns (none here) are preserved.

---

Nitpick comments:
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`:
- Line 65: Replace the unclear phrase "go through a user who does not have
permission to change the data store's schema" with a precise instruction: reword
the sentence in the WSO2 Identity Server guidance to say something like "connect
using a user account that does not have permission to modify the data store
schema" (or similar), ensuring it refers to connecting to external databases or
userstores (LDAP) and uses the noun "user account" and the verb "connect" for
clarity.
- Line 61: Rewrite the passive sentence "To ensure adequate network-level
protection, all connections from your WSO2 Identity Server to external
databases, userstores (LDAP), or other services should be over TLS. Therefore,
make sure to use **TLS-enabled external systems**." into a direct, active voice
instruction; for example, start with an imperative like "Use TLS for all
connections from WSO2 Identity Server to external databases, userstores (LDAP),
and other services" and replace the second sentence with a concise active
reinforcement such as "Ensure external systems have TLS enabled." Update the
lines containing that sentence in product-level-security-guidelines.md
accordingly.
- Line 72: Replace the weak-verb opening "To have strong transport-level
security, use **TLS 1.3** (recommended) or at minimum **TLS 1.2**, and disable
SSL, TLS 1.0, and 1.1." with a more direct construction such as "Use **TLS 1.3**
(recommended) or at minimum **TLS 1.2** for strong transport-level security;
disable SSL, TLS 1.0, and TLS 1.1." — update the sentence in
product-level-security-guidelines.md where that exact line appears.
- Line 105: Rewrite the sentence to lead with the actionable instruction:
replace "If there are dynamic pages in your application with sensitive
information, you need to prevent browser caching. This can be done by making
sure that the applications deployed in your server will return the relevant HTTP
response headers." with a direct directive such as "Prevent browser caching for
dynamic pages that contain sensitive information by ensuring your server returns
the appropriate HTTP response headers." Update the sentence in
product-level-security-guidelines.md where that paragraph appears so it starts
with the action and keeps the same meaning about returning relevant HTTP
response headers.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 03dbcb66-c44b-4810-8584-3377eb44e78a

📥 Commits

Reviewing files that changed from the base of the PR and between 8d374cd and 6a8a1fb.

📒 Files selected for processing (6)

• en/identity-server/7.0.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/identity-server/7.1.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/identity-server/7.2.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/includes/deploy/security/encrypt-passwords-with-cipher-tool.md
• en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Use sentence case for the heading.

The heading should follow sentence case, capitalizing only the first word and proper nouns.

📝 Proposed fix

-# Product-Level Security Guidelines for Production Deployment
+# Product-level security guidelines for production deployment

As per coding guidelines: "Use sentence case for all headings and document titles, capitalizing only the first word and proper nouns."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 1, The top-level heading "# Product-Level Security Guidelines for
Production Deployment" should use sentence case; replace it with "#
Product-level security guidelines for production deployment" so only the first
word is capitalized and proper nouns (none here) are preserved.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`:
- Line 7: Replace the non-descriptive link text "here" in the sentence "For more
information, see [here]({{base_path}}/deploy/get-started/get-wso2-updates/)"
with a descriptive phrase such as "instructions to get WSO2 updates" (or
similar) so the link text clearly indicates the destination; update the markdown
link target to use that descriptive text while keeping the existing
URL/templated path.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6db63b96-d85f-43e0-8653-d4e7a8b074ee

📥 Commits

Reviewing files that changed from the base of the PR and between 6a8a1fb and 7f74d55.

📒 Files selected for processing (6)

• en/identity-server/7.0.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/identity-server/7.1.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/identity-server/7.2.0/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/includes/deploy/security/encrypt-passwords-with-cipher-tool.md
• en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md

🚧 Files skipped from review as they are similar to previous changes (2)

• en/identity-server/next/docs/deploy/security/security-guidelines/product-level-security-guidelines.md
• en/includes/deploy/security/encrypt-passwords-with-cipher-tool.md

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Use descriptive link text instead of "here".

The link text "here" does not describe the destination. Replace it with text that indicates what the user will find, such as "instructions to get WSO2 updates" or similar.

🔗 Proposed fix

-Apply all the security patches relevant to your WSO2 Identity Server version. For more information, see [here]({{base_path}}/deploy/get-started/get-wso2-updates/)
+Apply all the security patches relevant to your WSO2 Identity Server version. See [Get WSO2 updates]({{base_path}}/deploy/get-started/get-wso2-updates/) for instructions.

As per coding guidelines: "Use descriptive link text and do not paste raw URLs as link text."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Apply all the security patches relevant to your WSO2 Identity Server version. For more information, see [here]({{base_path}}/deploy/get-started/get-wso2-updates/)
	Apply all the security patches relevant to your WSO2 Identity Server version. See [Get WSO2 updates]({{base_path}}/deploy/get-started/get-wso2-updates/) for instructions.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@en/includes/deploy/security/security-guidelines/product-level-security-guidelines.md`
at line 7, Replace the non-descriptive link text "here" in the sentence "For
more information, see
[here]({{base_path}}/deploy/get-started/get-wso2-updates/)" with a descriptive
phrase such as "instructions to get WSO2 updates" (or similar) so the link text
clearly indicates the destination; update the markdown link target to use that
descriptive text while keeping the existing URL/templated path.