Protected Web Pages are missing security headers in SPS and Web Agent
Article ID: 186869
Updated On: 03-20-2025
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
It was observed that the application was not sending security directives to the client's browser like Content Security Policy (1), X-XSS Protection (2), HSTS (HTTP Strict Transport Security) (3), and X-Content-Type-Options (4).
Resolution
Mainly, the control of these headers is maintained and configured at the Web Server level such as IIS (5) and Apache (6).
Siteminder doesn't have a direct and specific configuration to implement:
- Content Security Policy (CSP). Follow the guidance from Mozilla (7);
- X-XSS-protection header (8), but it generally has some configurations to limit the scope of XSS (9);
- Strict-transport-security (10), some configurations to help make the integration more secure (11);
- X-Content-Type-Options (12).
Additional Information
- Content-Security-Policy (CSP)
- X-XSS-Protection - Preventing Cross-Site Scripting Attacks
- Strict-Transport-Security
- X-Content-Type-Options
- Custom Headers <customHeaders>
- Apache Module mod_headers
- Content-Security-Policy
- X-XSS-Protection
- Vulnerability 6 : Format String Attack
- Strict-Transport-Security
- Implementing HSTS on Federation SPS
- X-Content-Type-Options
Feedback
Was this article helpful?
Yes
No
Powered by
