Missing Content Security Policy Header and Server Banner Disclosure vulnerabilities found in CA Access Gateway (SPS)

Article ID: 208164

Products

  • SITEMINDER
  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On Agents (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

The security team has found the following vulnerabilities on the CA Access Gateway (SPS) servers:

  • Missing Content Security Policy Header
  • Server Banner Disclosure

What are the remediation steps?

Environment

SiteMinder CA Access Gateway (SPS)

Cause

HTTP Security Headers are not enabled by default and are considered optional.

Resolution

Security teams sometimes mandate that HTTP security headers be set in responses:

  • X-Frame-Options (1);
  • X-XSS-Protection (2);
  • X-Content-Type-Options (3);
  • Strict-Transport-Security (4).

Steps:

  1. Logon to the CA Access Gateway (SPS) host;
  2. Open the 'httpd.conf' file
    <Install_Dir>/secure-proxy/httpd/conf/httpd.conf
  3. Make sure that the 'mod_headers' module is configured to be loaded:
    LoadModule headers_module modules/mod_headers.so
  4. Set one or more of the following HTTP headers inside an 'IfModule' directive for mod_headers:
    <IfModule mod_headers.c>
         Header set X-Frame-Options "SAMEORIGIN"
         Header set X-XSS-Protection "1; mode=block"
         Header set X-Content-Type-Options "nosniff"
         Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    </IfModule>

    NOTE:

    The security team may dictate the 'max-age' value of the 'Strict-Transport-Security' header.

  5. Restart the CA Access Gateway (SPS) server using the systemctl command.

    This will set these headers for all virtual servers, for both HTTP and HTTPS requests.

The same modifications apply to the Web Agent when it runs on Apache or IBM HTTP Server.
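After the restart, a practitioner will want to confirm that the headers are actually present in responses and that the findings from the Issue section are closed. The following checker is an added example and is not part of the CA/Broadcom article or of the SPS product: it parses a raw HTTP response, reports which of the four recommended headers are missing or carry an unexpected value, checks that the HSTS 'max-age' meets a minimum, and flags the two original findings (no Content-Security-Policy header, and a Server banner carrying version digits). The two sample responses are constructed for illustration; the 'Apache/2.4.x' banner, the CSP value and the minimum max-age of one year are assumptions, not values from the article.

```python
"""Audit an HTTP response for the security headers the article recommends.

Added example, not from the CA/Broadcom article. The sample responses below
are constructed; they are not captured from a real SPS host.
"""
import re

# Headers set by the article's <IfModule mod_headers.c> block and the values
# it recommends. Header names are compared case-insensitively (RFC 9110).
# Strict-Transport-Security is validated separately on its max-age.
RECOMMENDED = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": None,
}

# Constructed sample: a response before the mod_headers change is applied.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.x (Unix)\r\n"          # assumed banner, not a real one
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: a response after the article's header block is active,
# with an assumed CSP value and a banner stripped of version details.
SAMPLE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw_response: str) -> dict:
    """Return {lowercased header name: value} for the head of a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw_response: str, min_max_age: int = 31536000) -> list:
    """Return a list of finding strings; an empty list means nothing to report.

    min_max_age (assumed default: one year in seconds) is the smallest HSTS
    max-age the checker accepts; adjust it to what the security team dictates.
    """
    h = parse_headers(raw_response)
    findings = []

    # 1. The four headers from the article's IfModule block.
    for name, expected in RECOMMENDED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif expected is not None and h[name].lower() != expected.lower():
            findings.append(f"unexpected {name} value: {h[name]}")

    # 2. HSTS present but with a missing or too-small max-age.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if m is None or int(m.group(1)) < min_max_age:
            findings.append(f"weak strict-transport-security: {hsts}")

    # 3. The two findings named in the Issue section.
    if "content-security-policy" not in h:
        findings.append("missing content-security-policy")
    server = h.get("server", "")
    if re.search(r"\d", server):               # digits usually mean a version
        findings.append(f"server banner discloses version: {server}")

    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"{label}: {audit(sample) or 'no findings'}")
```

Feed the function the raw response captured from the SPS host (for example from a TLS client, since browsers honour Strict-Transport-Security only on responses received over HTTPS). The article's configuration covers only the four headers in the IfModule block; a Content-Security-Policy header and the Server banner remain open findings that the checker keeps reporting until they are addressed separately.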

Additional Information

  1. X-Frame-Options
  2. X-XSS-Protection
  3. X-Content-Type-Options
  4. Strict-Transport-Security