
HTTP Security Header Not Detected


Article ID: 187914


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

We received an audit finding from our internal vulnerability team on Siteminder.

HTTP Security Header Not Detected

Customers are advised to set proper HTTP response headers:

X-Frame-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)

X-XSS-Protection (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection) (deprecated in current browsers; scanners still flag its absence, but a Content Security Policy is the effective control)

Content Security Policy (https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

X-Content-Type-Options (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options)

Strict-Transport-Security (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)

Depending on their server software, customers set these headers as directives in the web server's site configuration (for example, mod_headers directives in Apache httpd) or in the application's Web.config file on IIS, so that they are returned on every response, including redirects and error pages.
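The check below is an added example, not code from the KB article or from Broadcom; it parses a response header block (the output of `curl -sI https://host/`, for instance), reports which of the five headers are missing or carry a weak value, and prints the Apache httpd mod_headers lines that would remediate each finding. The two sample responses are constructed for illustration, not captured from a real SiteMinder host, and the recommended values (notably the Content-Security-Policy) are a starting point that must be tuned to the application.

```python
"""Audit an HTTP response for the security headers named in the finding.

Added example, not part of the Broadcom KB article. SAMPLE_RESPONSE and
HARDENED_RESPONSE are constructed inputs; replace them with real output
from `curl -sI https://your-host/`.
"""
import re

ONE_YEAR = 31536000  # HSTS max-age most scanners and preload lists expect

# Constructed: what an unhardened Apache front end might return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: SMSESSION=...; path=/; secure; HttpOnly\r\n"
    "X-Frame-Options: ALLOW-FROM https://example.com\r\n"
    "X-XSS-Protection: 0\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)

# Constructed: the same response after the web server team sets the headers.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
)

# Remediation values for Apache httpd mod_headers. The CSP here is a
# placeholder that will break most real applications until tuned; the
# X-XSS-Protection value is what scanners want even though browsers ignore it.
APACHE_VALUES = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
}


def parse_headers(raw):
    """Map lower-cased header name -> list of values (headers may repeat)."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue  # skip the status line and blank/garbage lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_headers(raw):
    """Return {header-name: problem} for headers that are missing or weak."""
    h = parse_headers(raw)
    findings = {}

    xfo = h.get("x-frame-options")
    if not xfo:
        findings["X-Frame-Options"] = "missing"
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM was never widely supported; use CSP frame-ancestors instead.
        findings["X-Frame-Options"] = "weak value %r" % xfo[0]

    xcto = h.get("x-content-type-options")
    if not xcto:
        findings["X-Content-Type-Options"] = "missing"
    elif xcto[0].lower() != "nosniff":
        findings["X-Content-Type-Options"] = "weak value %r" % xcto[0]

    if "content-security-policy" not in h:
        findings["Content-Security-Policy"] = "missing"

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings["Strict-Transport-Security"] = "weak value %r" % hsts[0]

    if "x-xss-protection" not in h:
        findings["X-XSS-Protection"] = "missing (deprecated header; CSP is the real control)"

    return findings


def apache_directives(findings):
    """mod_headers lines that would clear each finding. `always` makes the
    header appear on non-2xx responses too (agent redirects, error pages)."""
    return ['Header always set %s "%s"' % (name, APACHE_VALUES[name])
            for name in sorted(findings)]


if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_RESPONSE), ("after", HARDENED_RESPONSE)):
        result = check_headers(raw)
        print("%s: %s" % (label, result or "no findings"))
        for line in apache_directives(result):
            print("  " + line)
```

On the constructed "before" response the check reports four problems (weak X-Frame-Options and Strict-Transport-Security, missing X-Content-Type-Options and Content-Security-Policy) and emits the four corresponding `Header always set` lines; on the "after" response it reports nothing. On IIS the equivalent is a `customHeaders` block under `system.webServer/httpProtocol` in Web.config rather than mod_headers directives.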

Resolution

This finding is not typically caused by SiteMinder itself. Security response headers are emitted by the web server that fronts the application (IIS, Apache httpd, and so on), and the scanner is reporting that the server's responses do not carry them.
If a specific SiteMinder component is being implicated, please let us know the details.
Otherwise, your web server team should address the finding independently of SiteMinder/SSO by setting the headers in the web server configuration, then re-scan to confirm the headers are present on every response, including the redirects and error pages the scanner also checks.
Many web articles explain how to remediate this finding; search for "HTTP Security Header Not Detected."