Some security teams mandate that HTTP security headers be present on every response the gateway returns, and vulnerability scanners commonly flag their absence.
Examples:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security
This article describes how to set them in Access Gateway, whose HTTP front end is Apache httpd and is configured through httpd.conf.
Release : Any
Component : SiteMinder Access Gateway
HTTP security headers are not enabled by default in Access Gateway and are considered optional. They are added with standard Apache mod_headers directives.
1) Log on to the SiteMinder Access Gateway host.
2) Open the Access Gateway's 'httpd.conf' file.
3) Make sure that 'mod_headers' is loaded. The following line must be present and not commented out:
LoadModule headers_module modules/mod_headers.so
4) Set the following HTTP headers inside an 'IfModule' block so the directives are skipped (rather than breaking startup) if the module is missing:
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
NOTE: 'Header set' without the 'always' condition only modifies the default (onsuccess) header table, so locally generated non-2xx responses such as the 302 redirect to the login page or a 403 error page would go out without the headers. Scanners test those responses too, which is why every directive above uses 'always'.
NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' directive (63072000 seconds is two years). Browsers only honour this header on responses received over HTTPS.
NOTE: 'X-XSS-Protection' is non-standard and current Chromium, Edge and Firefox ignore it; OWASP now recommends sending "0" because the legacy filter in older browsers could itself be abused. Keep "1; mode=block" only if your scanner or security team requires that exact value.
5) Restart the Access Gateway service using systemctl so the modified httpd.conf is reloaded, then verify from a client that the headers are actually returned, for example with 'curl -sI https://<gateway-host>/' against a protected resource (check the login redirect as well as a 200 response).
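The two checks a practitioner wants after this procedure are "is httpd.conf actually going to emit these headers on every response?" and "does the live gateway return them with an acceptable HSTS lifetime?". The POSIX shell helpers below, which are an added example and not part of the Broadcom article or the Access Gateway product, audit a config fragment for the LoadModule line and for 'Header always set' directives, and audit a raw response (as printed by curl -sI) for missing headers and a short HSTS max-age. The config fragments, the response text, the one-year minimum max-age and the gateway hostname in the usage comment are all constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the article): audit helpers for Access Gateway security headers.

REQUIRED_HEADERS="X-Frame-Options X-XSS-Protection X-Content-Type-Options Strict-Transport-Security"
HSTS_MIN_AGE=31536000   # assumed floor of one year; substitute the value your security team mandates

# check_config: read httpd.conf text on stdin. Verifies mod_headers is loaded (line not commented
# out) and that each required header is emitted with 'Header always set', because the default
# onsuccess table does not cover locally generated redirects and error pages. Returns 0 if clean.
check_config() {
  conf=$(tr -d '\r')
  rc=0
  if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module[[:space:]]'; then
    echo "CONFIG: mod_headers is not loaded (LoadModule headers_module line missing or commented out)"
    rc=1
  fi
  for h in $REQUIRED_HEADERS; do
    if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+$h[[:space:]]"; then
      continue
    fi
    if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*Header[[:space:]]+set[[:space:]]+$h[[:space:]]"; then
      echo "CONFIG: $h uses 'Header set' without 'always'; non-2xx responses will not carry it"
    else
      echo "CONFIG: no Header directive for $h"
    fi
    rc=1
  done
  return $rc
}

# check_response: read raw HTTP response headers on stdin (what 'curl -sI https://host/' prints).
# Reports every required header that is absent and an HSTS max-age below HSTS_MIN_AGE. Returns 0 if clean.
check_response() {
  hdrs=$(tr -d '\r')
  rc=0
  for h in $REQUIRED_HEADERS; do
    if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
      echo "RESPONSE: missing $h"
      rc=1
    fi
  done
  max_age=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -n "$max_age" ] && [ "$max_age" -lt "$HSTS_MIN_AGE" ]; then
    echo "RESPONSE: HSTS max-age=$max_age is below $HSTS_MIN_AGE"
    rc=1
  fi
  return $rc
}

# Constructed config fragment: only HSTS uses 'always', the other three use plain 'Header set'.
CONF_MIXED='LoadModule headers_module modules/mod_headers.so
<IfModule mod_headers.c>
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>'

# Constructed hardened fragment: every directive uses 'always'.
CONF_HARDENED='LoadModule headers_module modules/mod_headers.so
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>'

# Constructed response: X-Content-Type-Options absent and an HSTS lifetime of five minutes.
RESP_WEAK='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=300
Content-Type: text/html'

# Demo run; on a real host use:  check_config < /path/to/httpd.conf
#                                curl -sI https://gateway.example.com/ | check_response   (assumed hostname)
printf '%s\n' "$CONF_MIXED" | check_config || true
printf '%s\n' "$RESP_WEAK" | check_response || true
```

Run check_response against both a 200 from a protected page and the 302 redirect to the login form: the redirect is the response most scanners hit first, and it is exactly the one that 'Header set' without 'always' leaves bare.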
https://knowledge.broadcom.com/external/article/187914/http-security-header-not-detected.html
X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
X-XSS-Protection: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
X-Content-Type-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
Strict-Transport-Security: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security