Protected Web Pages are missing security headers in SPS and Web Agents

Article ID: 186869

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On Agents (SiteMinder)
  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • SITEMINDER

Issue/Introduction

It was observed that responses from the protected application did not carry the security headers that direct the client's browser, namely Content-Security-Policy (1), X-XSS-Protection (2), Strict-Transport-Security (HSTS) (3), and X-Content-Type-Options (4).


Resolution

Control of these headers is normally maintained and configured at the web server level, for example with IIS custom headers (5) or the Apache mod_headers module (6).

SiteMinder has no direct, specific configuration for setting these headers:

  • Content Security Policy (CSP): no SiteMinder setting; follow the guidance from Mozilla (7).
  • X-XSS-Protection (8): no SiteMinder setting, although the product does have configurations that limit the scope of XSS (9).
  • Strict-Transport-Security (10): no SiteMinder setting, although some configurations help make the integration more secure, such as implementing HSTS on the Federation SPS (11).
  • X-Content-Type-Options (12): no SiteMinder setting.
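Because the headers are added by the web server rather than by SiteMinder, the practical check after changing the IIS or Apache configuration is to inspect an actual response from the protected page and confirm that each of the four headers is present with a sane value. The following script is an added example and is not part of this article or of the SiteMinder product; the sample response it parses is constructed (the SMSESSION cookie value is a placeholder), and the baseline values it checks for (a `default-src` directive in CSP, an HSTS `max-age` of at least one year, `nosniff`) follow the public specifications for those headers.

```python
"""Report which of the four security headers are missing or weak in an
HTTP response. Added example, not code from the CA/Broadcom article."""
import re

# Constructed sample: a raw HTTP/1.1 response as a web server behind SPS or a
# Web Agent might return it. CSP and HSTS are absent; nosniff is present.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Set-Cookie: SMSESSION=PLACEHOLDER; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000  # seconds; common minimum recommended HSTS max-age


def parse_headers(raw):
    """Return a dict of lower-cased header name -> value from a raw response.

    Only the head (before the blank line) is read; the status line is skipped.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_security_headers(headers):
    """Return a dict of header name -> finding for each header that is absent
    or carries a value weaker than the baseline. An empty dict means all
    four headers from the article are present and acceptable."""
    findings = {}

    csp = headers.get("content-security-policy")
    if csp is None:
        findings["content-security-policy"] = "missing"
    elif "default-src" not in csp:
        # Without default-src, fetch directives not listed are unrestricted.
        findings["content-security-policy"] = "no default-src fallback directive"

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings["strict-transport-security"] = "missing"
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings["strict-transport-security"] = "max-age absent or below one year"

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        findings["x-content-type-options"] = "missing or not 'nosniff'"

    if "x-xss-protection" not in headers:
        findings["x-xss-protection"] = "missing"

    return findings


if __name__ == "__main__":
    for name, finding in sorted(check_security_headers(parse_headers(SAMPLE_RESPONSE)).items()):
        print(f"{name}: {finding}")
```

Run against the constructed sample, the script reports Content-Security-Policy and Strict-Transport-Security as missing and accepts the other two; the same functions can be fed a real response captured with `curl -i` against the protected URL once the IIS or Apache configuration has been updated.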

Additional Information


(1) Security Best Practices, "Content Security Policy":
    The Content-Security-Policy HTTP header provides an additional layer of security. This policy helps prevent attacks such as Cross-Site Scripting (XSS) and other code injection attacks by defining the content sources that are approved, so that the browser loads only those.

(2) X-XSS-Protection - Preventing Cross-Site Scripting Attacks, "X-XSS Protection":
    The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This filter is usually enabled by default, but sending the header enforces it. It is supported by Internet Explorer 8+, Chrome, and Safari.

(3) Security Best Practices, "HTTP Strict Transport Security (HSTS)":
    The Strict-Transport-Security header is a security enhancement that restricts web browsers to accessing the web server solely over HTTPS. This ensures the connection cannot be established over an insecure HTTP connection, which could be susceptible to attacks.

(4) Security Best Practices, "X-Content-Type-Options":
    The X-Content-Type-Options header prevents Internet Explorer and Google Chrome from sniffing a response away from the declared content type. This reduces the danger of drive-by downloads and helps the browser treat the content properly.

(5) Custom Headers <customHeaders> (IIS configuration reference)

(6) Apache Module mod_headers

(7) Content-Security-Policy (Mozilla)

(8) X-XSS-Protection

(9) Vulnerability 6: Format String Attack

(10) Strict-Transport-Security

(11) Implementing HSTS on Federation SPS

(12) X-Content-Type-Options