Access Gateway Server Vulnerability - Missing HTTP Strict-Transport-Security (HSTS) response header

Article ID: 209328

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The vulnerability team did a penetration test and found this issue:
HSTS Missing From HTTPS Server (RFC 6797)
How can we fix this in the Access Gateway?

Cause

"HSTS stands for HTTP Strict Transport Security. The main objective of HSTS is to protect websites against various attacks like SSL strip, cookie hijacking, downgrade attacks, etc. RFC 6797 covers the exact IETF-standardized functionality of HSTS. HSTS enables servers to declare to other entities (web browsers, applications, etc.) that they should communicate with the server only via HTTPS connections. This is done by the web server setting the Strict-Transport-Security HTTP response header field."

Environment

Release : 12.8

Component : SITEMINDER SECURE PROXY SERVER

Resolution

The solution is to add the Strict-Transport-Security response header in the Access Gateway Server web server configuration. For example, in the file SPS_HOME/extra/httpd-ssl.conf, add the directive inside the <VirtualHost _default_:443> block:
...
<VirtualHost _default_:443>
 Header always set Strict-Transport-Security "max-age=63072000"
....
</VirtualHost>

The Header directive is provided by the Apache mod_headers module, which must be loaded in the web server configuration, and the "always" condition makes the header apply to error responses as well as successful ones. A max-age of 63072000 seconds is two years. The header belongs only in the HTTPS virtual host, because RFC 6797 browsers ignore Strict-Transport-Security received over plain HTTP. Restart the Access Gateway web server for the change to take effect.
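The following shell script is an added example for verifying the change after the restart; it is not part of the Broadcom article or the Access Gateway product. It parses raw HTTP response headers from standard input, extracts the max-age of the Strict-Transport-Security header, and fails when the header is missing or its max-age is below a threshold. The sample responses and the gateway hostname are constructed placeholders, and the default one-year threshold is an assumption chosen to match what scanners commonly expect.

```shell
#!/bin/sh
# Added example (not from the Broadcom article): verify that an HTTPS endpoint
# returns a Strict-Transport-Security header with a sufficiently long max-age.
# Headers are read from stdin so the functions work on curl output or on a
# captured sample.

# hsts_max_age: print the max-age value of the Strict-Transport-Security header
# found on stdin, or print nothing if the header is absent.
hsts_max_age() {
    tr -d '\r' \
    | awk 'tolower($1) == "strict-transport-security:" {
               # Value looks like: max-age=63072000; includeSubDomains; preload
               n = split(substr($0, index($0, ":") + 1), parts, ";")
               for (i = 1; i <= n; i++) {
                   gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                   if (tolower(parts[i]) ~ /^max-age=[0-9]+$/) {
                       sub(/^[^=]*=/, "", parts[i])
                       print parts[i]
                       exit
                   }
               }
           }'
}

# hsts_check [MIN_AGE]: return 0 if the header is present with max-age >= MIN_AGE
# seconds, 1 if the header is missing, 2 if max-age is too short.
# MIN_AGE defaults to one year (31536000 s), an assumed scanner threshold.
hsts_check() {
    min_age="${1:-31536000}"
    age=$(hsts_max_age)
    if [ -z "$age" ]; then
        echo "FAIL: Strict-Transport-Security header missing"
        return 1
    fi
    if [ "$age" -lt "$min_age" ]; then
        echo "WARN: max-age=$age is below the required $min_age seconds"
        return 2
    fi
    echo "OK: max-age=$age"
    return 0
}

# Constructed sample responses (not captured from a real Access Gateway).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html'

SAMPLE_AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000
Content-Type: text/html'

# Usage against a live gateway (hostname is a placeholder):
#   curl -sSI https://gateway.example.com/ | hsts_check
```

Run the check once before and once after the restart; the "before" response should fail with the header missing, and the "after" response should report max-age=63072000. Checking an error page (for example a 404) as well confirms that the "always" condition is in effect.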

Additional Information

https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=761407

https://support.citrix.com/article/CTX205221