Setting HTTP Security Headers on Siteminder Agent for IIS

Article ID: 254465

Updated On:

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Security teams may mandate that you set HTTP Security Headers in Responses.  

EXAMPLES: 

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security

 

These instructions apply to setting them in stand-alone web server instances of MS IIS being protected by the Symantec Siteminder Web Agent for IIS.

Environment

Release: 12.52 SP1 CR11 Web Agent for IIS

IIS Version: 10

 

Cause

HTTP Security Headers are not a function of the Symantec Siteminder Web Agent. Rather, they are enabled and configured at the Web Server. Web servers do not set these headers by default.

Resolution

Configure HTTP Security Headers in Responses on an MS IIS Web Server

1) Launch IIS Manager

2) In the connections pane, expand the node for the server, and then expand Sites.

3) Select the web site where you want to add the custom HTTP response headers.

4) In the web site pane, double-click HTTP Response Headers in the IIS section.

5) In the actions pane, select Add.

6) In the Name box, type the custom HTTP header name.

7) In the Value box, type the custom HTTP header value.

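Example (header name followed by its value; type the value into the Value box without the surrounding quotation marks):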

X-Frame-Options "SAMEORIGIN"
X-XSS-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
Strict-Transport-Security "max-age=63072000; includeSubDomains"

8) Select OK after each entry

9) Restart the IIS Server.
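
The same headers can be applied from an elevated PowerShell session on the IIS server instead of through IIS Manager (steps 1 through 8). This is an added example, not part of the original article; the site name 'Default Web Site' is an assumption, and the header values are the ones from the example above.

```powershell
# Added example: scripted equivalent of steps 1-8 using the WebAdministration
# module that ships with IIS. Run in an elevated session on the web server.
Import-Module WebAdministration

$site   = 'Default Web Site'          # assumption: replace with your site name
$psPath = "IIS:\Sites\$site"
$filter = 'system.webServer/httpProtocol/customHeaders'

# Header names and values from the article's example (values without quotes).
$headers = [ordered]@{
    'X-Frame-Options'           = 'SAMEORIGIN'
    'X-XSS-Protection'          = '1; mode=block'
    'X-Content-Type-Options'    = 'nosniff'
    'Strict-Transport-Security' = 'max-age=63072000; includeSubDomains'
}

foreach ($name in $headers.Keys) {
    $value = $headers[$name]

    # Look for an existing entry so a rerun does not create a duplicate header.
    $current = (Get-WebConfiguration -PSPath $psPath -Filter $filter).Collection |
        Where-Object { $_.name -eq $name }

    if ($null -eq $current) {
        # Not configured yet: add a new customHeaders entry.
        Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
            -Value @{ name = $name; value = $value }
    }
    elseif ($current.value -ne $value) {
        # Present with a different value: update it in place.
        Set-WebConfigurationProperty -PSPath $psPath `
            -Filter "$filter/add[@name='$name']" -Name 'value' -Value $value
    }
}

# List the response headers now configured for the site, for review.
(Get-WebConfiguration -PSPath $psPath -Filter $filter).Collection |
    Select-Object name, value
```

The final listing also shows headers inherited from the server level, so entries other than the four above may appear.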
