Access Gateway Server Vulnerability - Missing HTTP Strict-Transport-Security (HSTS) response header

Article ID: 209328


Products

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The vulnerability team ran a penetration test and reported this finding:
HSTS Missing From HTTPS Server (RFC 6797)
How can we fix this in the Access Gateway?

Environment

Release : 12.8.x

Component : SITEMINDER SECURE PROXY SERVER

Cause

"HSTS stands for HTTP Strict Transport Security. The main objective of HSTS is to protect websites against various attacks like SSL strip, cookie hijacking, downgrade attacks etc. RFC 6797 covers the exact IETF-standardized functionality of HSTS. HSTS enables servers to declare to other entities (web browsers, applications etc.) that they must communicate with the server only over an HTTPS connection. This is done by the web server setting the Strict-Transport-Security HTTP response header field."

Resolution

The solution is to edit the Access Gateway Server's web server configuration, for example the SPS_HOME/extra/httpd-ssl.conf file, inside the <VirtualHost _default_:443> block:
...
<VirtualHost _default_:443>
 Header always set Strict-Transport-Security "max-age=63072000"
...
</VirtualHost>
 
!! Important !!
You must ensure that mod_headers.so is loaded in httpd.conf so that the "Header" directive is recognized by httpd.
Otherwise the httpd service will fail to start:
LoadModule headers_module modules/mod_headers.so
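After applying the change, verify that the gateway actually returns the header. The following Python script is an added example (not Broadcom's code or part of the Access Gateway) that parses a captured HTTPS response and checks the Strict-Transport-Security value against the RFC 6797 directive rules; the sample responses are constructed, and the 31536000-second minimum is an assumed policy threshold, not a value from this article.

```python
"""Check an HTTPS response for a valid HSTS header (RFC 6797)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value; None if it is not a valid policy.

    RFC 6797 requires exactly one max-age directive; directive names are
    case-insensitive and unknown directives must be ignored."""
    max_age, include_subdomains, preload = None, False, False
    for token in (t.strip() for t in value.split(";") if t.strip()):
        name, _, arg = token.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicated or non-numeric max-age
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else HstsPolicy(max_age, include_subdomains, preload)


def check_response(raw: str, min_age: int = 31536000) -> list:
    """Return findings for a raw HTTP response (status line + headers); [] means OK."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # drop the status line
    values = [v.strip() for n, _, v in (h.partition(":") for h in lines)
              if n.strip().lower() == "strict-transport-security"]
    if not values:
        return ["HSTS missing from HTTPS server (RFC 6797)"]
    if len(values) > 1:
        return ["multiple Strict-Transport-Security headers; only the first is used"]
    policy = parse_hsts(values[0])
    if policy is None:
        return ["malformed Strict-Transport-Security value: %r" % values[0]]
    return ["max-age=%d is below %d" % (policy.max_age, min_age)] if policy.max_age < min_age else []


# Constructed sample responses (not captured from a real Access Gateway).
BEFORE = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
AFTER = BEFORE.replace("\r\n\r\n", "\r\nStrict-Transport-Security: max-age=63072000\r\n\r\n")
```

Running check_response(BEFORE) reproduces the penetration-test finding, while check_response(AFTER) returns no findings once the Header directive from the resolution is in place.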

Additional Information

https://support.citrix.com/article/CTX205221