Setting HTTP Security Headers on Siteminder Access Gateway

Article ID: 208164


Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Some security teams mandate that HTTP security headers be present on every response. Common examples:


X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security

This article describes how to set them on the SiteMinder Access Gateway, which serves requests through its bundled Apache httpd.

Environment

Release : Any

Component : Siteminder Access Gateway

Cause

HTTP security headers are not set by default: the Access Gateway treats them as optional, so they have to be added to its httpd configuration.

Resolution

1) Log on to the SiteMinder Access Gateway host

2) Open the 'httpd.conf' file

<Install_Dir>/secure-proxy/httpd/conf/httpd.conf

3) Make sure that mod_headers is loaded, i.e. the following line is present and not commented out:

LoadModule headers_module modules/mod_headers.so

4) Add the following 'IfModule' block at the global (server config) level of httpd.conf, keeping whichever of the headers your policy requires:

<IfModule mod_headers.c>
     Header set X-Frame-Options "SAMEORIGIN"
     Header set X-XSS-Protection "1; mode=block"
     Header set X-Content-Type-Options "nosniff"
     Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>

NOTE: Your security team may dictate the 'max-age' value for 'Strict-Transport-Security' (63072000 seconds is two years). 'includeSubDomains' commits every subdomain of the gateway's hostname to HTTPS, so confirm none of them still serve plain HTTP before enabling it. 'X-XSS-Protection' is a legacy, non-standard header that current browsers ignore; if policy still requires it, current OWASP guidance is to send "0" rather than "1; mode=block", because the old browser filter could itself be abused. 'X-Frame-Options' with 'SAMEORIGIN' will break any protected application or login page that is deliberately framed from another origin.

5) Restart the Access Gateway service (for example with systemctl) so that httpd re-reads httpd.conf

Placed at the global level of httpd.conf, the block applies to every virtual server, for both HTTP and HTTPS requests. Two things to verify afterwards: 'Header set' without 'always' only adds headers to 2xx responses, so the gateway's own 302 redirects to the login page and its error pages will not carry X-Frame-Options, X-XSS-Protection or X-Content-Type-Options unless those directives also use 'Header always set'; and browsers ignore Strict-Transport-Security when it arrives over plain HTTP, so only the HTTPS responses matter for that header.
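As an added example (not code from the Broadcom article), the POSIX shell script below does two things: it prints a hardened form of the step-4 fragment ('always' on every directive, X-XSS-Protection set to 0, HSTS only on TLS responses), and it checks a captured response for the four headers, reporting which are missing. The gateway hostname, the login-page path in the sample 302, and both sample responses are constructed for the example; the fragment assumes the Apache 2.4 httpd that current Access Gateway releases are built on, since '<If>' needs 2.4.

```shell
#!/bin/sh
# Added example for this article, not Broadcom's code.
#   sh headers.sh conf                         -> print the hardened fragment
#   curl -sI https://gateway.example.com/app/ | sh headers.sh check
# gateway.example.com is a placeholder; the sample responses below are constructed.

# Hardened version of the step-4 fragment. Assumes Apache 2.4 (<If> / ap_expr).
security_headers_conf() {
cat <<'EOF'
<IfModule mod_headers.c>
    # "always" also covers the gateway's own 302s to the login page and its
    # error pages; plain "Header set" only touches 2xx responses.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    # Legacy XSS auditor: current browsers ignore it and old ones could be
    # abused through it, so OWASP recommends 0 when policy requires the header.
    Header always set X-XSS-Protection "0"
    # HSTS is only honoured when received over TLS (RFC 6797), so do not
    # send it on the plain-HTTP virtual server.
    <If "%{HTTPS} == 'on'">
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
    </If>
</IfModule>
EOF
}

REQUIRED_HEADERS="X-Frame-Options X-XSS-Protection X-Content-Type-Options Strict-Transport-Security"

# Reads raw response headers on stdin, prints each mandated header that is
# absent and returns the number missing (0 means the response passes).
# Matching is case-insensitive because header names are.
check_security_headers() {
    headers=$(tr -d '\r')
    missing=0
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -iq "^$h:"; then
            echo "MISSING: $h"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Prints the HSTS max-age (seconds) from response headers on stdin, or nothing
# if the header or the directive is absent, so a policy minimum can be checked.
hsts_max_age() {
    tr -d '\r' | grep -i '^Strict-Transport-Security:' | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Constructed samples: a 200 from a virtual server using the fragment above,
# and a 302 login redirect from a server that used "Header set" without
# "always", which therefore carries none of the headers.
GOOD_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html
x-frame-options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Strict-Transport-Security: max-age=63072000; includeSubDomains'

REDIRECT_RESPONSE='HTTP/1.1 302 Found
Location: https://gateway.example.com/siteminderagent/forms/login.fcc
Content-Length: 0'

case "${1:-}" in
    conf)  security_headers_conf ;;
    check) check_security_headers ;;
esac
```

Run the check against a protected URL both unauthenticated (to see the 302 to the login page) and with a valid SMSESSION cookie (to see a 2xx from the backend); the redirect case is the one that exposes a missing 'always'.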

 

Additional Information

X-Frame-Options: controls whether browsers may render the response inside a frame; SAMEORIGIN permits framing only by pages from the same origin (clickjacking defence).

X-XSS-Protection: legacy, non-standard toggle for the browser's built-in XSS filter; current browsers ignore it.

X-Content-Type-Options: nosniff stops browsers from guessing a different MIME type than the one declared in Content-Type.

Strict-Transport-Security: instructs browsers to use HTTPS only for this host (and its subdomains when includeSubDomains is set) for max-age seconds; honoured only when received over HTTPS.