Do the below steps:

 

1. Go to <LISA_HOME>/IdentityAccessManager/standalone/configuration folder.

 

 

3. Open standalone.xml of configuration folder.

 

4. Search for <subsystem xmlns="urn:jboss:domain:undertow:4.0"> block. It has a tag name <host> for ( 10.6)

<subsystem xmlns="urn:jboss:domain:undertow:12.0" > block  and look for the <host> tag  for (10.7.x)

 

5. In the <host > tag and below <http-invoker security-realm="ApplicationRealm"/>, add the below lines: 

    <filter-ref name="X-Frame-Options"/>
    <filter-ref name="x-xss-protection"/>
    <filter-ref name="strict-transport-security"/>
    <filter-ref name="content-security-policy"/>
    <filter-ref name="x-Content-type-options"/>

  
6. Now add the below lines under <handlers></handlers> tag in the same <subsystem xmlns="urn:jboss:domain:undertow:4.0">block for 10.6

    or in <subsystem xmlns="urn:jboss:domain:undertow:12.0">   for 10.7.x

 

    <filters>
       <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
       <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
       <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
       <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline';         connect-src * 'unsafe-inline'; frame-src *;"/>
       <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
    </filters>
 
7. What the section looks like after the changes:

 

        </subsystem>
      <subsystem xmlns="urn:jboss:domain:undertow:4.0"> or   <subsystem xmlns="urn:jboss:domain:undertow:12.0">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="iamRealm" enable-http2="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <http-invoker security-realm="ApplicationRealm"/>

                    <filter-ref name="X-Frame-Options"/>
                    <filter-ref name="x-xss-protection"/>
                    <filter-ref name="strict-transport-security"/>
                    <filter-ref name="content-security-policy"/>
                    <filter-ref name="x-Content-type-options"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>

            <filters>
                <response-header name="X-Frame-Options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
                <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
                <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
                <response-header name="content-security-policy" header-name="content-security-policy" header-value="default-src ; style-src 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline';         connect-src * 'unsafe-inline'; frame-src *;"/>
                <response-header name="x-Content-type-options" header-name="X-Content-Type-Options" header-value="nosniff"/>
            </filters>
        </subsystem>

8. Save and exit.
9. Restart IAM.
10. Have the security team re-run the scan and this resolves the vulnerability.