Setting HTTP Security Headers on Siteminder Access Gateway

Article ID: 208164

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Some security teams mandate that HTTP security headers be set on every response.

Examples:

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security

This article describes how to set them on Access Gateway.

Environment

Release : Any

Component : SiteMinder Access Gateway

Cause

HTTP Security Headers are not enabled by default and are considered optional.

Resolution

1) Log on to the SiteMinder Access Gateway host

2) Open the 'httpd.conf' file

3) Make sure that 'mod_headers' is being loaded:

LoadModule headers_module modules/mod_headers.so

4) Add the following headers inside an 'IfModule' directive for mod_headers:

<IfModule mod_headers.c>
    # 'Header set' uses the default 'onsuccess' condition, so these three are only
    # added to 2xx responses; 'Header always set' also covers redirects and error
    # responses. X-XSS-Protection is ignored by current browsers (see the MDN link below).
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>

NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' header.

5) Restart the Access Gateway server using systemctl so the new httpd.conf takes effect
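To confirm the change took effect after step 5, here is an added check script (not part of the Broadcom article): it fetches the response headers with curl and compares them against the values configured above. The gateway URL is a placeholder, and the two embedded sample responses are constructed so the check also runs offline; the second one models a 302 where a plain 'Header set' is not applied.

```shell
#!/bin/sh
# Added verification script (not from the Broadcom article). Assumes curl is
# installed; the gateway URL passed to check_gateway is a placeholder.

# Header names (lower-case) and the values configured in the IfModule block.
EXPECTED='x-frame-options=SAMEORIGIN
x-xss-protection=1; mode=block
x-content-type-options=nosniff
strict-transport-security=max-age=63072000; includeSubDomains'

# check_headers: reads raw HTTP response headers on stdin, prints one line per
# header that is missing or differs from EXPECTED (case-insensitive, as
# clients treat these values), and returns 0 only when all four match.
check_headers() {
    rc=0
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')       # drop CR, fold case
    while IFS='=' read -r name want; do
        want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        got=$(printf '%s\n' "$headers" | sed -n "s/^$name:[[:space:]]*//p" \
              | sed 's/[[:space:]]*$//' | head -n 1)
        if [ -z "$got" ]; then
            echo "MISSING  $name"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name: got '$got', want '$want'"; rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# check_gateway URL: fetch headers with a GET (some protected resources reject
# HEAD) and run the check; try both a 200 page and a URL that redirects.
check_gateway() {
    curl -sS -o /dev/null -D - "$1" | check_headers
}
# Constructed sample responses so the check runs offline. SAMPLE_REDIRECT shows
# a 302 where only the 'Header always set' header survived, because plain
# 'Header set' is not applied to non-2xx responses.
SAMPLE_OK='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
'
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Location: https://gateway.example.com/login
Strict-Transport-Security: max-age=63072000; includeSubDomains
'
```

Run `printf '%s' "$SAMPLE_REDIRECT" | check_headers` to see the three MISSING lines, or `check_gateway https://your-gateway/` against the real host.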

Additional Information

https://knowledge.broadcom.com/external/article/187914/http-security-header-not-detected.html

X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

X-Content-Type-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Strict-Transport-Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security