HTTP Security Header not detected or exist in admin ui

Article ID: 203486


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

Several HTTP security headers are not returned by an out-of-the-box 12.8 Admin UI installation, which is exposed as a web server on port 8443:

X-Frame-Options (or Content-Security-Policy: frame-ancestors) is missing on port 8443.
Strict-Transport-Security is missing on port 8443.
X-XSS-Protection is missing on port 8443.

When accessing https://adminui.example.com:8443 and viewing the response headers in the browser's developer tools, none of the headers listed above are present.

Environment

Release : 12.8

Component : SITEMINDER WAM UI

Cause

The bundled third-party application server, WildFly, does not enable these response headers out of the box; whether and how they can be configured depends on the WildFly version in use.

Resolution

The following workaround configures the Admin UI to add the headers.

Back up the Admin UI installation, or at least standalone-full.xml, before making any changes.

WildFly response headers are configured in <WAMUI_INSTALL_LOCATION>\SiteMinder\adminui\standalone\configuration\standalone-full.xml, in the undertow subsystem.

The snippet below shows how the headers are added: each header is defined as a response-header filter inside the filters element, and each filter is activated on the host by a filter-ref with the same name. Every filter-ref must match a defined filter, so keep the two lists in sync. After saving the change, restart the Admin UI and verify the headers with the browser's developer tools or with curl -skI https://adminui.example.com:8443/.

Two caveats: X-XSS-Protection is a legacy header that current browsers ignore, so Content-Security-Policy (including frame-ancestors, the modern replacement for X-Frame-Options) is the mechanism to rely on going forward. The https-listener is shown as found in the installation; its enabled-cipher-suites list includes RC4, 3DES and MD5-based suites, and enabled-protocols includes TLSv1.1, all of which are considered weak and should be reviewed separately from this change.

<server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
    <host alias="localhost" name="default-host">
        <location handler="welcome-content" name="/"/>
        <!-- each filter-ref activates a filter defined under <filters> below -->
        <filter-ref name="server-header"/>
        <!--filter-ref name="x-powered-by-header"/-->
        <filter-ref name="x-frame-options"/>
        <filter-ref name="x-xss-protection"/>
        <filter-ref name="strict-transport-security"/>
    </host>
</server>
<servlet-container name="default">
    <jsp-config/>
    <websockets/>
</servlet-container>
<handlers>
    <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
</handlers>

<filters>
    <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
    <!--response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/-->
    <!-- security headers added by this workaround -->
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
    <!-- no trailing ';' after includeSubDomains: the directive list ends with the last directive -->
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains"/>
</filters>
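The two places this workaround goes wrong in practice are a filter-ref and filter that do not match (the Admin UI will not come up cleanly) and a header value that is present but malformed, which an eyeball check of the developer tools easily misses. The script below is an added example, not code from the article or from SiteMinder/WildFly: it audits an undertow subsystem fragment from standalone-full.xml before the restart, and audits a captured response (for example the output of curl -skI) after it. The XML fragments, the undertow namespace version and the HTTP response embedded in it are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Headers the article reports as missing on 8443, with the values the snippet sets.
# HSTS is checked structurally by check_hsts() rather than against a fixed string.
REQUIRED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": None,
}

def _local(tag):
    """Drop the urn:jboss:domain:undertow:* namespace WildFly puts on every element."""
    return tag.rsplit("}", 1)[-1]

def check_hsts(value):
    """Return problems with an HSTS value: max-age mandatory, >= 1 year, no trailing ';'."""
    problems = []
    m = re.search(r"max-age=(\d+)", value or "")
    if not m:
        problems.append("Strict-Transport-Security lacks max-age")
    elif int(m.group(1)) < 31536000:
        problems.append("Strict-Transport-Security max-age is below one year")
    if (value or "").rstrip().endswith(";"):
        problems.append("Strict-Transport-Security has a trailing ';'")
    return problems

def audit_config(xml_text):
    """Audit an undertow subsystem fragment: every required header needs a
    <response-header> filter, that filter must be wired into a <host> by a
    <filter-ref>, and no <filter-ref> may name a filter that does not exist."""
    root = ET.fromstring(xml_text)
    filters = {}  # filter name -> (header-name, header-value)
    for el in root.iter():
        if _local(el.tag) == "response-header":
            filters[el.get("name")] = (el.get("header-name"), el.get("header-value"))
    refs = {el.get("name") for el in root.iter() if _local(el.tag) == "filter-ref"}

    problems = [f"filter-ref '{r}' has no matching response-header filter"
                for r in sorted(refs - set(filters))]
    by_header = {hn: (name, hv) for name, (hn, hv) in filters.items()}
    for header, expected in REQUIRED.items():
        if header not in by_header:
            problems.append(f"no filter sets {header}")
            continue
        name, value = by_header[header]
        if name not in refs:
            problems.append(f"filter '{name}' sets {header} but is not referenced by a filter-ref")
        if expected is not None and value != expected:
            problems.append(f"{header} is '{value}', expected '{expected}'")
    if "Strict-Transport-Security" in by_header:
        problems.extend(check_hsts(by_header["Strict-Transport-Security"][1]))
    return problems

def audit_response(raw_headers):
    """Audit the status line and headers of an HTTPS response (e.g. from curl -skI)."""
    present = {}
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        if ":" in line:
            k, v = line.split(":", 1)
            present[k.strip().lower()] = v.strip()
    problems = [f"missing {h}" for h in REQUIRED if h.lower() not in present]
    if "strict-transport-security" in present:
        problems.extend(check_hsts(present["strict-transport-security"]))
    return problems

# Constructed inputs (namespace version is a placeholder, not taken from a real file).
# GOOD_CONFIG mirrors the article's snippet; BAD_CONFIG drops the X-Frame-Options
# filter-ref and leaves a trailing ';' on the HSTS value.
GOOD_CONFIG = """<subsystem xmlns="urn:jboss:domain:undertow:1.2">
  <server name="default-server">
    <host name="default-host" alias="localhost">
      <filter-ref name="x-frame-options"/>
      <filter-ref name="x-xss-protection"/>
      <filter-ref name="strict-transport-security"/>
    </host>
  </server>
  <filters>
    <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
    <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
    <response-header name="strict-transport-security" header-name="Strict-Transport-Security"
                     header-value="max-age=31536000; includeSubDomains"/>
  </filters>
</subsystem>"""
BAD_CONFIG = GOOD_CONFIG.replace('<filter-ref name="x-frame-options"/>', "").replace(
    "includeSubDomains", "includeSubDomains;")

# Constructed response: what curl -skI would show if x-xss-protection were left out.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: WildFly/8
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html"""

if __name__ == "__main__":
    for label, result in [("good config", audit_config(GOOD_CONFIG)),
                          ("bad config", audit_config(BAD_CONFIG)),
                          ("response", audit_response(SAMPLE_RESPONSE))]:
        print(label, "->", result or "OK")
```

To run it against a real installation, read the subsystem element out of standalone-full.xml (the file's root is a full WildFly server element, so the filter and filter-ref lookups via root.iter() still work if the whole file is passed) and feed the output of curl -skI https://adminui.example.com:8443/ to audit_response.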