Customer noticed that customer headers were missing only when they reached the login.fcc
Article ID: 111098
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
In their Apache httpd.conf they had used the following to set the headers:
Header set X-Content-Type-Options: nosniff
Header set X-XSS-Protection 1; mode=block
These headers were missing when the login.fcc was reached and customer wanted to know why as they were visible before and after CA SSO Authentication.
On the initial GET 200 to the login.fcc, the headers are seen:
HTTP/1.1 200 OK
Date: Tue, 17 Jul 2018 23:23:49 GMT
Server: Apache/2.2.15 (Red Hat)
Set-Cookie: SMLOCALE=en-US; path=/
Cache-Control: no-store
Content-Length: 3191
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html;charset=UTF-8
But on the POST 302 they are missing.
HTTP/1.1 302 Found
Date: Tue, 17 Jul 2018 23:23:57 GMT
Server: Apache/2.2.15 (Red Hat)
Set-Cookie: SMLOCALE=en-US; path=/
Set-Cookie: SMTRYNO=; expires=Thu, 18 Jan 2018 23:23:57 GMT; path=/; domain=.ca.com
Set-Cookie: SMSESSION=RVdMwmtF0l1QKx1<<<edit>>>IfJxrZ/F3Zbj0emgC; path=/; domain=.ca.com
Cache-Control: no-store
Location: https://urldefense.proofpoint.com/v2/url?u=http-3A__iamr6u5b.ca.com_apachepage&d=DwICAw&c=7gn0PlAmraV3zr-k385KhKAz9NTx0dwockj5vIsr5Sw&r=PwNG0nY5WytEhT8KuAuER-2XhOPaNoobWgLdweIeYFM&m=3Fy2FxN4DfN8z6rM3tSpVgvarHU0M7_mzS679FUa8P8&s=-pBqafjUqg-7r3OXlU9iOFT5K49_zSnK9oaAEJzGWEI&e=
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1
Then present again upon arrival at the target resource via GET 200:
HTTP/1.1 200 OK
Date: Tue, 17 Jul 2018 23:23:57 GMT
Server: Apache/2.2.15 (Red Hat)
Last-Modified: Tue, 14 Jun 2016 20:06:41 GMT
ETag: "7fd38-27-535428b1e23d7"
Accept-Ranges: bytes
Content-Length: 39
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Environment
CA SSO Web Agent - Any
Apache Webservers
Apache Webservers
Resolution
We need to add the word "always" to the header set in the httpd.conf.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
The "always" means the header will be set for more than just 200 responses.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
The "always" means the header will be set for more than just 200 responses.
Feedback
Yes
No
Powered by
