Some security teams will mandate that you set HTTP Security Headers in Responses. This article will discuss setting them in Access Gateway. These instructions also apply to stand-alone web server instances such as Apache and IBM HTTP Server (IHS).
HTTP Security Headers are not enabled by default and are considered optional.
Release : Any
Component : SiteMinder Access Gateway
1) Logon to the Access Gateway, Apache or IHS host
2) Open the 'httpd.conf' file
3) Make sure that 'mod_headers' is being loaded:
LoadModule headers_module modules/mod_headers.so
4) Set the HTTP Headers in the following 'IfModule' directive:
<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
NOTE: Your security team may dictate 'max-age' value for the 'Strict-Transport-Security' directive.
5) Restart the Access Gateway server
NOTE: If restarting Apache or IHS, make sure to use 'apachectl' NOT 'systemctl'.
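To verify the result after the restart, the following Python check (an added example, not part of this article or of the Access Gateway product) parses raw response headers such as those captured with 'curl -sI' against the gateway and confirms the four headers from step 4, including the HSTS max-age. The sample responses and the host name are constructed; the 302 sample shows why 'Header always set' matters, since plain 'Header set' does not touch locally generated non-2xx responses such as redirects.

```python
import re

MIN_HSTS_MAX_AGE = 31536000  # floor for this check; the article sets 63072000
REQUIRED = {  # header -> accepted values (compared case-insensitively)
    "x-frame-options": {"sameorigin", "deny"},
    "x-xss-protection": {"1; mode=block"},
    "x-content-type-options": {"nosniff"}}

def parse_headers(raw):
    """Raw response (status line + header lines) -> lower-cased {name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """HSTS value -> (max_age or None, includeSubDomains present)."""
    directives = [d.strip().lower() for d in value.split(";")]
    ages = [int(d[8:]) for d in directives if re.fullmatch(r"max-age=\d+", d)]
    return (ages[0] if ages else None), "includesubdomains" in directives

def check_security_headers(raw):
    """Return a list of findings; an empty list means the response passes."""
    headers, findings = parse_headers(raw), []
    for name, ok_values in REQUIRED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower() not in ok_values:
            findings.append(f"unexpected {name}: {value}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        max_age, subdomains = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age too low: {hsts}")
        if not subdomains:
            findings.append("hsts lacks includeSubDomains")
    return findings

# Constructed sample: a 200 response after the article's configuration.
GOOD = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
"""
# Constructed sample: a 302 from the same server. Plain `Header set` applies
# to successful responses only, so only the `Header always set` HSTS survives.
REDIRECT = """HTTP/1.1 302 Found
Location: https://gateway.example.invalid/login
Strict-Transport-Security: max-age=63072000; includeSubDomains
"""
```

Run it against both a normal page and a redirect (for example the gateway's login redirect), since the 302 sample above fails on three of the four headers.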
https://knowledge.broadcom.com/external/article/187914/http-security-header-not-detected.html
X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
X-Content-Type-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Strict-Transport-Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security