Do the below steps:
1. Go to <LISA_HOME>/IdentityAccessManager/standalone/configuration folder.
2. Take the back up of standalone.xml
3. Open standalone.xml of configuration folder.
4. Search for <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block. It has a tag name <host> for ( 10.6)
<subsystem xmlns="urn:jboss:domain:undertow:12.0" > block and look for the <host> tag for (10.7.x)
5. In the <host > tag and below <http-invoker security-realm="ApplicationRealm"/>, add the below lines:
<filter-ref name="X-Frame-Options"/>
<filter-ref name="x-xss-protection"/>
<filter-ref name="strict-transport-security"/>
<filter-ref name="content-security-policy"/>
<filter-ref name="x-Content-type-options"/>
6. Now add the below lines under <handlers></handlers> tag in the same <subsystem xmlns="urn:jboss:domain:undertow:4.0">block for 10.6
or in <subsystem xmlns="urn:jboss:domain:undertow:12.0"> for 10.7.x
<filters>
<response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
<response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
<response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
</filters>
7. What the section looks like after the changes:
</subsystem>
<subsystem xmlns="urn:jboss:domain:undertow:4.0"> or <subsystem xmlns="urn:jboss:domain:undertow:12.0">
<buffer-cache name="default"/>
<server name="default-server">
<http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
<https-listener name="https" socket-binding="https" security-realm="iamRealm" enable-http2="true"/>
<host name="default-host" alias="localhost">
<location name="/" handler="welcome-content"/>
<http-invoker security-realm="ApplicationRealm"/>
<filter-ref name="X-Frame-Options"/>
<filter-ref name="x-xss-protection"/>
<filter-ref name="strict-transport-security"/>
<filter-ref name="content-security-policy"/>
<filter-ref name="x-Content-type-options"/>
</host>
</server>
<servlet-container name="default">
<jsp-config/>
<websockets/>
</servlet-container>
<handlers>
<file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
<response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
<response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
<response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
<response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;"/>
<response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
</filters>
</subsystem>
8. Save and exit.
9. Restart IAM.
10. Have the security team re-run the scan and this resolves the vulnerability.