A customer's security team reported a security exception against the 12.8 Admin UI.
Because the Admin UI acts as a web server, several HTTP security headers are expected, and they are not sent by an out-of-the-box Admin UI installation:
X-Frame-Options or Content-Security-Policy: frame-ancestors HTTP header missing on port 8443.
Strict-Transport-Security HTTP header missing on port 8443.
X-XSS-Protection HTTP header missing on port 8443.
When someone accesses https://adminui.example.com:8443 and inspects the response headers in the browser's developer tools, they will see which headers are present:
Release : 12.8
Component : SITEMINDER WAM UI
The third-party application server WildFly does not enable these headers out of the box, depending on the version used.
Engineering provided the following workaround steps for the Admin UI configuration.
Please ensure you have a backup before making the change.
WildFly response headers can be configured in <WAMUI_INSTALL_LOCATION>\SiteMinder\adminui\standalone\configuration\standalone-full.xml.
Below is an example snippet. The customer can add response headers by editing the filter-ref and filters tags. After configuring the change as shown below, the Admin UI needs to be restarted.
<server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
    <host alias="localhost" name="default-host">
        <location handler="welcome-content" name="/"/>
        <filter-ref name="server-header"/>
        <!--filter-ref name="x-powered-by-header"/-->
        <filter-ref name="x-frame-options"/>
        <filter-ref name="x-xss-protection"/>
        <filter-ref name="strict-transport-security"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>
<filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <!--response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/-->
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
</filters>
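To confirm the change after the restart, the following script (an added example, not part of the Broadcom article or of WildFly) fetches the Admin UI and reports which of the three headers named in the finding are still absent, accepting a Content-Security-Policy with frame-ancestors in place of X-Frame-Options as the finding does. The URL is the placeholder host used above, and the function names and the sample header sets are assumptions constructed for this example.

```python
"""Report which security headers from the Admin UI finding are missing.

Added example, not code from the Broadcom article or from WildFly.
"""
import ssl
import urllib.request
from typing import Dict, List


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    # HTTP header names are case-insensitive; compare in lowercase.
    return {k.lower(): v for k, v in headers.items()}


def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the headers from the finding that are absent or ineffective."""
    h = _normalize(headers)
    missing = []
    # Either X-Frame-Options or a CSP frame-ancestors directive satisfies
    # the clickjacking check, as in the original finding.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp.lower():
        missing.append("X-Frame-Options")
    # Browsers ignore an HSTS header that carries no max-age directive.
    hsts = h.get("strict-transport-security", "")
    if "max-age=" not in hsts.lower():
        missing.append("Strict-Transport-Security")
    # Modern browsers no longer act on X-XSS-Protection, but the scan expects it.
    if "x-xss-protection" not in h:
        missing.append("X-XSS-Protection")
    return missing


def check_adminui(url: str) -> List[str]:
    """Fetch the Admin UI over TLS (certificate verified) and check its headers."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return missing_security_headers(dict(resp.headers.items()))


# Constructed sample: headers an unconfigured WildFly 8 Admin UI might send.
BEFORE = {"Server": "WildFly/8", "Content-Type": "text/html"}
# Constructed sample: the same response after the filters are added.
AFTER = {**BEFORE, "X-Frame-Options": "SAMEORIGIN",
         "X-XSS-Protection": "1; mode=block",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains;"}

if __name__ == "__main__":
    print("before:", missing_security_headers(BEFORE))
    print("after: ", missing_security_headers(AFTER))
    # Against a live Admin UI: print(check_adminui("https://adminui.example.com:8443/"))
```

Run it against the real host only after the restart; an empty list means all three headers from the finding are now present.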
https://knowledge.broadcom.com/external/article/187914/http-security-header-not-detected.html