Customer noticed that custom headers were missing only when they reached the login.fcc


Article ID: 111098


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction



In their Apache httpd.conf the customer had used the following directives to set the headers (no condition argument, so mod_headers defaults to "onsuccess"):

Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1; mode=block"

These headers were missing when the login.fcc was reached, and the customer wanted to know why, since they were visible both before and after CA SSO authentication.

On the initial GET to the login.fcc (200 OK), the headers are present:

HTTP/1.1 200 OK 
Date: Tue, 17 Jul 2018 23:23:49 GMT 
Server: Apache/2.2.15 (Red Hat) 
Set-Cookie: SMLOCALE=en-US; path=/ 
Cache-Control: no-store 
Content-Length: 3191 
X-XSS-Protection: 1; mode=block 
X-Content-Type-Options: nosniff 
Connection: close 
Content-Type: text/html;charset=UTF-8 


But on the POST of the login form to the login.fcc, which returns a 302 redirect, they are missing:

HTTP/1.1 302 Found 
Date: Tue, 17 Jul 2018 23:23:57 GMT 
Server: Apache/2.2.15 (Red Hat) 
Set-Cookie: SMLOCALE=en-US; path=/ 
Set-Cookie: SMTRYNO=; expires=Thu, 18 Jan 2018 23:23:57 GMT; path=/; domain=.ca.com 
Set-Cookie: SMSESSION=RVdMwmtF0l1QKx1<<<edit>>>IfJxrZ/F3Zbj0emgC; path=/; domain=.ca.com 
Cache-Control: no-store 
Location: http://iamr6u5b.ca.com/apachepage 
Content-Length: 299 
Connection: close 
Content-Type: text/html; charset=iso-8859-1 

They are present again on the GET to the target resource after the redirect (200 OK):

HTTP/1.1 200 OK 
Date: Tue, 17 Jul 2018 23:23:57 GMT 
Server: Apache/2.2.15 (Red Hat) 
Last-Modified: Tue, 14 Jun 2016 20:06:41 GMT 
ETag: "7fd38-27-535428b1e23d7" 
Accept-Ranges: bytes 
Content-Length: 39 
X-XSS-Protection: 1; mode=block 
X-Content-Type-Options: nosniff 
Connection: close 
Content-Type: text/html; charset=UTF-8 

Environment

CA SSO Web Agent - Any
Apache Webservers

Resolution

Add the "always" condition to the Header directives in httpd.conf:

Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff

The "always" condition makes mod_headers operate on the table of headers that is sent with every response. Without it, the default "onsuccess" table is used, and that table is only applied to 2xx responses, which is why the headers appeared on the two 200 OK responses but not on the 302 redirect returned by the login.fcc POST.