Setting HTTP Security Headers on Access Gateway

Article ID: 208164

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Some security teams mandate that HTTP security headers be set on every response. This article describes how to set them on Access Gateway. The same instructions apply to stand-alone web server instances such as Apache and IBM HTTP Server (IHS), because Access Gateway runs on an Apache-based web server and is configured through the same 'httpd.conf'.

Cause

HTTP security headers are optional and are not enabled by default; the web server only sends them if they are configured explicitly.

Environment

Release : Any

Component : SiteMinder Access Gateway

Resolution

1) Log on to the Access Gateway, Apache or IHS host

2) Open the 'httpd.conf' file

3) Make sure that 'mod_headers' is being loaded:

LoadModule headers_module modules/mod_headers.so

4) Set the following HTTP headers inside an 'IfModule' directive. Use 'Header always set' rather than 'Header set' for all of them: without 'always', mod_headers applies the header only to successful (2xx) responses, so locally generated error pages and redirects (for example the redirect to a login page) would be sent without it.

<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>

NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' directive. Browsers honour 'Strict-Transport-Security' only when it is received over HTTPS, so it has no effect on a plain HTTP virtual host, and 'includeSubDomains' commits every subdomain of the host to HTTPS for the lifetime of 'max-age', so confirm that all subdomains are served over HTTPS before enabling it.

NOTE: 'X-XSS-Protection' is deprecated and ignored by current browsers (see the MDN link under Additional Information). Keep it only if your security team's checklist still requires it; it does not replace a Content-Security-Policy.

5) Restart the Access Gateway server

NOTE: If restarting a stand-alone Apache or IHS instance, run 'apachectl configtest' first to check the edited 'httpd.conf' for syntax errors, then restart with 'apachectl', NOT 'systemctl'.
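After the restart, confirm that the headers actually arrive, including on error and redirect responses. The following is an added example and not part of this article or of the Access Gateway product: a POSIX shell checker that reads raw response headers (as captured by 'curl -sSI') from standard input and reports each expected header as present, missing, or carrying a different value. The host name gateway.example.com and the two embedded sample responses are constructed for illustration; the expected values are the ones from step 4.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: check that a response
# carries the headers configured in step 4. Pipe in the raw response headers,
# for instance (gateway.example.com is a placeholder host name):
#
#   curl -sSI https://gateway.example.com/             | check_security_headers
#   curl -sSI https://gateway.example.com/no-such-page | check_security_headers
#
# The second call shows whether error responses carry the headers too, which
# they do only when the directives use 'Header always set'.

# Print the value of header $1 from the response text in $2, matching the
# header name case-insensitively and stripping CR from CRLF line endings.
# Prints nothing when the header is absent.
header_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | tr -d '\r' | awk -v want="$want" '
        BEGIN { FS = ":" }
        tolower($1) == want {
            sub(/^[^:]*:[ \t]*/, "")   # drop "Name:" and leading whitespace
            print
            exit
        }'
}

# Exit status 0 when every expected header is present with the expected
# value, 1 otherwise. One line per header is printed for the operator.
check_security_headers() {
    response=$(cat)
    rc=0
    # name=value pairs; X-XSS-Protection is listed only because the article
    # sets it (current browsers ignore the header).
    for spec in \
        'X-Frame-Options=SAMEORIGIN' \
        'X-XSS-Protection=1; mode=block' \
        'X-Content-Type-Options=nosniff' \
        'Strict-Transport-Security=max-age=63072000; includeSubDomains'
    do
        name=${spec%%=*}
        expected=${spec#*=}
        actual=$(header_value "$name" "$response")
        if [ "$actual" = "$expected" ]; then
            echo "ok        $name: $actual"
        elif [ -z "$actual" ]; then
            echo "MISSING   $name"
            rc=1
        else
            echo "MISMATCH  $name: got '$actual', expected '$expected'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample responses (CRLF line endings, as a real capture has).
# SAMPLE_200 is a 2xx response with the headers applied. SAMPLE_404 is what
# an Apache error page looks like when only the HSTS line used 'always':
# the three plain 'Header set' lines are not applied to error responses.
SAMPLE_200=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\nX-Content-Type-Options: nosniff\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\nContent-Type: text/html\r\n')
SAMPLE_404=$(printf 'HTTP/1.1 404 Not Found\r\nServer: Apache\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\nContent-Type: text/html; charset=iso-8859-1\r\n')

demo() {
    echo "== 200 response =="
    printf '%s\n' "$SAMPLE_200" | check_security_headers
    echo "== 404 response (directives configured without 'always') =="
    printf '%s\n' "$SAMPLE_404" | check_security_headers || echo "error responses are missing headers"
}
demo
```

Run it against a page that exists and against one that does not (or a URL that triggers the login redirect); a header that appears in the first response but not the second was configured with 'Header set' rather than 'Header always set'. The comparison is exact, so change the expected 'max-age' to whatever value your security team mandated.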

 

Additional Information

https://knowledge.broadcom.com/external/article/187914/http-security-header-not-detected.html

X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

X-Content-Type-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Strict-Transport-Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security