Skip to main content
Version: 0.13.0

Consent Gate and Classification Banners

Kamiwaza can enforce a pre-login consent gate and display classification banners across the UI and any embedded apps. This is designed for security and compliance programs that require a user acknowledgment before access, plus persistent system-high markings.

What this provides

  • Consent gate: A modal overlay shown before login that requires explicit acceptance.
  • Classification banners: Top and bottom banners with configurable text and colors (for example "SECRET").
  • Embeddable script: A single JavaScript include that applies the same behavior in external apps.

Public endpoints

These endpoints are intentionally public (no auth required) so they can be used before login.

  • GET /api/security/public/config
    • Returns the consent/banner configuration consumed by the UI and embed script.
  • POST /api/security/consent/accept
    • Records consent acceptance for audit purposes (client IP + user agent).
  • GET /api/security/embed.js
    • Returns the embeddable JavaScript bundle for banners and consent gate.

Embedding the script

Add the following tag to any app that should mirror Kamiwaza's consent and banner behavior:

<script src="https://<gateway-host>/api/security/embed.js"></script>

The script:

  • Fetches /api/security/public/config
  • Renders banners at the top and bottom of the page
  • Enforces a consent gate until accepted
  • Fails closed (shows the gate with a retry option if config fetch fails)

Consent is tracked in session storage for the browser session and is also recorded server-side for audit logs.

Configuration

Deployment settings

Set these through your deployment values, ConfigMaps, or equivalent environment configuration workflow:

VariableDescriptionDefault
KAMIWAZA_SECURITY_CONSENT_ENABLEDEnable the consent gatefalse
KAMIWAZA_SECURITY_CONSENT_BUTTON_LABELCustom button labelAccept
KAMIWAZA_SECURITY_BANNER_ENABLEDEnable classification bannersfalse
KAMIWAZA_SECURITY_BANNER_TOP_TEXTText for the top banner(none)
KAMIWAZA_SECURITY_BANNER_TOP_COLORHex color for top banner(none)
KAMIWAZA_SECURITY_BANNER_BOTTOM_TEXTText for the bottom bannerDefaults to top text
KAMIWAZA_SECURITY_BANNER_BOTTOM_COLORHex color for bottom bannerDefaults to top color

Consent HTML is loaded from:

$KAMIWAZA_ROOT/config/security/consent.html

If the file is missing, a default short message is used. In customer deployments, manage any custom consent content through the supported configuration and release process for your environment rather than editing files directly in running containers.

Operational notes

  • Consent and banners are purely UI-level controls. They do not replace API authentication or authorization.
  • For system-high or CAPCO-aligned deployments, keep banner text aligned with your site classification policy.
  • If you embed the script in external apps, make sure those apps are reachable through the same gateway so the script can resolve the correct API origin.