Setting HTTP Security Headers on Siteminder Access Gateway


Article ID: 208164


Updated On: 04-16-2025

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Some security teams mandate that HTTP security headers be set in responses.

Examples:

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security

This article describes how to set them in Siteminder Access Gateway.

This article also applies to Web Agent when running on Apache or IBM Http Server.


Environment

Release : Any

Component : Siteminder Access Gateway

Cause

HTTP Security Headers are not enabled by default and are considered optional.

Resolution


  1. Log on to the Siteminder Access Gateway host.

  2. Open the 'httpd.conf' file:

    <Install_Dir>/secure-proxy/httpd/conf/httpd.conf

  3. Make sure that 'mod_headers' is loaded:

    LoadModule headers_module modules/mod_headers.so

  4. Set one or more of the following HTTP headers inside an 'IfModule' directive:

    <IfModule mod_headers.c>
         Header set X-Frame-Options "SAMEORIGIN"
         Header set X-XSS-Protection "1; mode=block"
         Header set X-Content-Type-Options "nosniff"
         Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    </IfModule>

    NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' directive.

  5. Restart the Access Gateway server using systemctl.

    This will set these headers for all virtual servers, for both HTTP and HTTPS requests.
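To confirm the restarted gateway actually emits the headers from step 4, the following POSIX shell script audits a response header dump for the four headers and reads back the HSTS max-age. It is an added example, not part of this article or of the Siteminder product; the two header dumps inside it are constructed samples, not captures from a real gateway.

```shell
#!/bin/sh
# Added example (not from the article): audit an HTTP response header dump
# for the security headers the <IfModule mod_headers.c> block is meant to add.

# Header names the httpd.conf block sets.
REQUIRED_HEADERS="X-Frame-Options X-XSS-Protection X-Content-Type-Options Strict-Transport-Security"

# Print, space-separated, the required headers absent from the header text in $1.
# Header names are matched case-insensitively, as HTTP requires.
missing_security_headers() {
    missing=""
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$1" | grep -qi "^$h:"; then
            missing="$missing $h"
        fi
    done
    printf '%s' "${missing# }"
}

# Print the max-age from the Strict-Transport-Security header in $1, or 0 if absent.
hsts_max_age() {
    v=$(printf '%s\n' "$1" | grep -i '^Strict-Transport-Security:' \
        | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    printf '%s' "${v:-0}"
}

# Constructed sample: a response from a gateway with only two of the directives in place.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff'

# Constructed sample: a response after the full block from step 4 is in place.
AFTER_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains'

echo "before: missing=[$(missing_security_headers "$BEFORE_HEADERS")] hsts max-age=$(hsts_max_age "$BEFORE_HEADERS")"
echo "after:  missing=[$(missing_security_headers "$AFTER_HEADERS")] hsts max-age=$(hsts_max_age "$AFTER_HEADERS")"
```

Against a live gateway, feed the functions the output of `curl -sI https://<gateway-host>/` and check an error page (for example a 404) as well, because 'Header set' without 'always' is applied only to successful responses.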


Additional Information