HTTP Security Header Not Detected



Article ID: 187914


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER


We received an audit finding from our internal vulnerability team on SiteMinder.

HTTP Security Header Not Detected

Customers are advised to set proper HTTP response headers:

X-Frame-Options

X-XSS-Protection

Content Security Policy

X-Content-Type-Options

Strict-Transport-Security

Depending on their server software, customers can set directives in their site configuration or Web.config files.


The vulnerability is not typically caused by SiteMinder; it usually refers to the web server itself (IIS, Apache, other web servers, etc.).
If a specific SiteMinder component is being implicated, please let us know the details.
Otherwise, your web server team should address the vulnerability independently of SiteMinder/SSO.
Many web articles explain how to remediate this vulnerability; search for "HTTP Security Header Not Detected."
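
One way for the web server team to confirm which of the five headers from the finding a response still lacks, before and after remediation. This is an added example, not code from the article or the product; the function name, the sample responses and the header values in them are constructed for illustration.

```python
from email.parser import Parser

# The five response headers named in the audit finding on this page.
REQUIRED = [
    "X-Frame-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "Strict-Transport-Security",
]

def missing_security_headers(raw_response: str, https: bool = True) -> list[str]:
    """Return the audited headers absent from a raw HTTP response head."""
    # Keep only the part before the blank line, then drop the status line.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    missing = []
    for name in REQUIRED:
        # Browsers ignore HSTS on plain-HTTP responses (RFC 6797),
        # so it is not expected there.
        if name == "Strict-Transport-Security" and not https:
            continue
        value = headers.get(name)  # header name lookup is case-insensitive
        if value is None or not value.strip():
            missing.append(name)
    return missing

# Constructed sample responses (not captured from a real server).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: ExampleServer\r\n"
    "Content-Type: text/html\r\n"
    "x-content-type-options: nosniff\r\n"
    "\r\n<html></html>"
)
AFTER = BEFORE.replace(
    "\r\n\r\n",
    "\r\nX-Frame-Options: SAMEORIGIN"
    "\r\nX-XSS-Protection: 1; mode=block"
    "\r\nContent-Security-Policy: default-src 'self'"
    "\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n",
    1,
)

if __name__ == "__main__":
    print("before:", missing_security_headers(BEFORE))
    print("after: ", missing_security_headers(AFTER))
```

To check a live server, feed the function the response head saved from a request to the page the scanner flagged, and pass `https=False` for a plain-HTTP listener.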