Content-Security-Policy, X-Content-Type-Options, Strict-Transport-Security, X-XSS-Protection and HTTP Security Header not detected in AdminUI (WAMUI)
Article ID: 203486

Updated On: 05-20-2025

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

With an out-of-the-box 12.8 AdminUI installation, several HTTP security headers are not sent by the AdminUI, so the browser never receives them.

The HTTP headers missing on port 8443:

  • Strict-Transport-Security
  • X-Frame-Options or Content-Security-Policy: frame-ancestors
  • X-XSS-Protection

When accessing https://adminui.example.com:8443 and viewing the response headers in the browser's developer tools, none of the headers above appear under "Response Headers".
Environment

AdminUI 12.8

Cause

The third-party software WildFly (an AdminUI prerequisite) does not enable these response headers out of the box; whether they are present depends on the WildFly version used.

Resolution

To enable those response headers, follow these steps to edit the AdminUI (WAMUI) configuration:

  1. Take a backup of the AdminUI file:

    <ADMINUI_INSTALL_LOCATION>\SiteMinder\adminui\standalone\configuration\standalone-full.xml

  2. Edit the WildFly configuration file to add these headers:

    <ADMINUI_INSTALL_LOCATION>\SiteMinder\adminui\standalone\configuration\standalone-full.xml

    Add a "filter-ref" entry under the host for each header, and a matching "response-header" filter under "filters" (a filter only takes effect when a filter-ref references it):

    <server name="default-server">
        <http-listener name="default" socket-binding="http"/>
        <!-- The cipher-suite and protocol lists are reproduced from the existing listener as-is; they are not part of the header change. -->
        <https-listener enabled-cipher-suites="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" enabled-protocols="TLSv1.1,TLSv1.2" name="https" security-realm="SSLRealm" socket-binding="https"/>
        <host alias="localhost" name="default-host">
            <location handler="welcome-content" name="/"/>
            <!-- Each filter-ref attaches one of the filters defined below to this host. -->
            <filter-ref name="server-header"/>
            <filter-ref name="x-frame-options"/>
            <filter-ref name="x-xss-protection"/>
            <filter-ref name="strict-transport-security"/>
        </host>
    </server>

    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>

    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>

    <!-- Filter definitions: the "name" here must match the filter-ref name above. -->
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/8"/>
        <response-header name="x-frame-options" header-name="X-Frame-Options" header-value="SAMEORIGIN"/>
        <response-header name="x-xss-protection" header-name="X-XSS-Protection" header-value="1; mode=block"/>
        <response-header name="strict-transport-security" header-name="Strict-Transport-Security" header-value="max-age=31536000; includeSubDomains;"/>
    </filters>

  3. Restart the AdminUI.