A security policy may mandate that the HTTP "Content-Security-Policy" (CSP) response header be set as a measure to prevent Cross-Site Scripting (XSS).
A security audit may flag a Siteminder Access Gateway Server as not setting the 'content-security-policy' response header.
The HTTP 'Content-Security-Policy' response header lets website administrators declare which resources a browser may load for a page, and from which servers and URLs, so that script an attacker manages to inject into the page is not executed. The header is emitted by the web server.
The Siteminder Access Gateway Server bundles an instance of Apache HTTP Server; however, the CSP header is not set by default.
This document discusses how to configure the Siteminder Access Gateway Server to set the "Content-Security-Policy" (CSP) response header.
PRODUCT: Symantec Siteminder
COMPONENT: Access Gateway Server
VERSION : 12.8.x
OPERATING SYSTEM: Any
Symantec Siteminder bundles Apache HTTP Server with Access Gateway. The 'content-security-policy' response header is not configured by default.
On a Siteminder Access Gateway Server, the "Content-Security-Policy" response header is set with the mod_headers 'Header' directive in the 'httpd.conf' file:
<Install_Dir>/CA/secure-proxy/httpd/conf/httpd.conf
SYNTAX: Header set Content-Security-Policy "<policy-directive>; <policy-directive>"
NOTE:
The policy value must be enclosed in double quotes (") so that Apache reads it as a single argument; Apache splits the configuration line on whitespace, so an unquoted value containing spaces and semicolons is not accepted as one header value. No colon is needed after the header name.
Each 'policy-directive' is a directive name followed by one or more source expressions separated by spaces. Keyword sources ('self', 'none', 'unsafe-inline', nonces and hashes) are wrapped in single quotes ('); host and scheme sources (for example *.<domain>.com or https:) are not.
Each 'policy-directive' is semi-colon (;) delimited.
'Header set' applies to successful responses; use 'Header always set' if the header must also appear on error responses (4xx/5xx) that Apache generates itself, which an audit scanner will otherwise flag as missing the header.
EXAMPLE:
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.<domain>.com"
This example restricts every resource type to the page's own origin and additionally allows scripts from any host under <domain>.com. Be aware that 'unsafe-inline' in script-src lets injected inline <script> blocks and event handlers run, which is exactly what CSP exists to block; replace it with hash sources, or drop it once the protected application no longer relies on inline script.
Fetch Directives
Fetch directives control the locations from which certain resource types may be loaded.
child-src: Defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
connect-src: Restricts the URLs which can be loaded using script interfaces.
default-src: Serves as a fallback for the other fetch directives.
font-src: Specifies valid sources for fonts loaded using @font-face.
frame-src: Specifies valid sources for nested browsing contexts loaded into elements such as <frame> and <iframe>.
img-src: Specifies valid sources of images and favicons.
manifest-src: Specifies valid sources of application manifest files.
media-src: Specifies valid sources for loading media using the <audio>, <video> and <track> elements.
script-src: Specifies valid sources for JavaScript and WebAssembly resources.
script-src-elem: Specifies valid sources for JavaScript <script> elements.
script-src-attr: Specifies valid sources for JavaScript inline event handlers.
style-src: Specifies valid sources for stylesheets.
style-src-elem: Specifies valid sources for <style> elements and stylesheet <link> elements.
style-src-attr: Specifies valid sources for inline styles applied to individual DOM elements.
worker-src: Specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
Fetch Directive Values:
Fetch Directives can be defined with the following source expressions:
'nonce-<nonce_value>' - The <nonce_value> is a base64-encoded random value that the server generates fresh for every response and also places in the 'nonce' attribute of each inline <script> or <style> element it intends to allow; only elements carrying the matching nonce are executed. A nonce hard-coded in httpd.conf is the same on every response, so an attacker can read it from any page and reuse it; in a static Apache configuration use hashes or host sources instead.
'<hash_algorithm>-<hash_value>' - The algorithm (sha256, sha384 or sha512) followed by the base64-encoded digest of an inline script or stylesheet; only content with exactly that digest is allowed.
<host-source> - A host name or IP address from which a resource may be loaded, optionally with a scheme, port and path, and optionally with a leading wildcard for subdomains (for example *.<domain>.com).
<scheme-source> - A scheme followed by a colon, such as https:, which allows any URL with that scheme. Allowing data: or blob: in script-src effectively allows arbitrary attacker-supplied script.
'self' - Allows resources only from the same origin (scheme, host and port) as the document.
'unsafe-eval' - Removes the protection imparted by 'default-src' or 'script-src' against dynamic evaluation of strings as JavaScript (eval(), new Function(), and string arguments to setTimeout/setInterval).
'wasm-unsafe-eval' - Allows WebAssembly to be compiled and instantiated without also allowing JavaScript eval().
'unsafe-inline' - Removes the protection imparted by 'default-src' or 'script-src' against inline <script> blocks, inline event handlers and javascript: URLs (and, for style-src, inline styles). Browsers that support nonces and hashes ignore 'unsafe-inline' when a nonce or hash source is also present in the same directive.
'unsafe-hashes' - Allows hash sources to match inline event handlers and inline style attributes, not only <script> and <style> elements.
'inline-speculation-rules' - Allows inline <script type="speculationrules"> elements that would otherwise be blocked as inline script.
'strict-dynamic' - Extends the trust granted to a script by a nonce or hash to the scripts it loads dynamically (for example via document.createElement('script')); host sources, scheme sources, 'self' and 'unsafe-inline' in the same directive are then ignored by supporting browsers.
Document directives
Document directives govern the properties of a document or worker environment to which a policy applies.
base-uri: Restricts the URLs which can be used in a document's <base> element.
sandbox: Enables a sandbox for the requested resource similar to the <iframe> sandbox attribute.
Navigation directives
Navigation directives govern the locations to which a document may navigate or submit a form, and the documents that may embed it.
form-action: Restricts the URLs which can be used as the target of form submissions from the document.
frame-ancestors: Specifies valid parents that may embed the page using <frame>, <iframe>, <object>, or <embed>; 'none' blocks all framing (clickjacking protection) and takes precedence over the X-Frame-Options header in browsers that support it.
=======================
1) Log on to the Symantec Siteminder Access Gateway host
2) Browse to the 'httpd.conf' file
WINDOWS: <Install_Dir>\CA\secure-proxy\httpd\conf\httpd.conf
LINUX: <Install_Dir>/secure-proxy/httpd/conf/httpd.conf
3) Make sure mod_headers is loaded, then add the Header directive inside the existing <IfModule headers_module> block:
Line ~102: LoadModule headers_module modules/mod_headers.so (if the line is present but commented out with '#', remove the '#')
Line ~528-529: <IfModule headers_module> ... </IfModule>
================================
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule headers_module modules/mod_headers.so
......
<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
Header set Content-Security-Policy "<policy-directive>; <policy-directive>"
</IfModule>
================================
EXAMPLE: Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.<domain>.com"
4) Check the edited file for syntax errors (the bundled httpd accepts the -t option, together with -f and the path to this httpd.conf), then restart the Access Gateway services so the bundled Apache re-reads httpd.conf.
5) Verify from a client by requesting a page through the gateway and confirming that the response carries the Content-Security-Policy header with the intended value (for example with curl -I), and check the browser console for blocked resources the protected application needs before tightening the policy further.
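As an added example (not code from the SiteMinder product or from this article), the following Python script shows how the fetch-directive fallback and the source expressions described above actually combine, and gives a way to check the result of the procedure: it pulls the Content-Security-Policy value out of raw response headers such as `curl -sI` output, parses it into directives, resolves the default-src fallback, and flags the weak points in the page's example policy. The response headers, the example.com domain and the sha256 value in the hardened policy are constructed for the example.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example: this is not part of the SiteMinder product or of the
configuration on this page. CONSTRUCTED_HEADERS mimics the output of
`curl -sI` against an Access Gateway that sets the page's example policy;
the domain and the sha256 value in HARDENED are made up.
"""
from __future__ import annotations

import sys

# Fetch directives fall back to default-src when they are absent.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
}
# Document/navigation directives do not fall back; if omitted they are unset.
NON_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
# Sources that let an attacker supply script from anywhere.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}

CONSTRUCTED_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-inline' *.example.com\r\n"
    "Content-Type: text/html\r\n"
)
# Hardened policy for comparison; the digest is a placeholder, not a real hash.
HARDENED = (
    "default-src 'self'; "
    "script-src 'self' 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'"
)


def extract_csp(raw_headers: str) -> str | None:
    """Return the CSP value from raw response headers, or None if it is unset."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-security-policy":
            return value.strip()
    return None


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-delimited, names are case-insensitive, and a repeated
    directive keeps its first occurrence (browsers ignore later duplicates).
    """
    policy: dict[str, list[str]] = {}
    for chunk in value.split(";"):
        parts = chunk.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Sources governing `directive` once the default-src fallback is applied.

    Returns None when the directive is unrestricted (absent and no fallback).
    """
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")
    return None


def audit_csp(value: str) -> list[tuple[str, str]]:
    """Return (directive, issue) pairs for the weaknesses an XSS or clickjacking attacker would use."""
    policy = parse_csp(value)
    findings: list[tuple[str, str]] = []
    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append(("script-src", "unrestricted"))
    else:
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
        )
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present,
        # so it is only a finding when neither accompanies it.
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append(("script-src", "unsafe-inline"))
        if "'unsafe-eval'" in script:
            findings.append(("script-src", "unsafe-eval"))
        for src in script:
            if src.lower() in BROAD_SOURCES:
                findings.append(("script-src", f"broad source {src}"))
            elif src.startswith("*."):
                # Every subdomain (including forgotten dev hosts) may serve script.
                findings.append(("script-src", f"wildcard host {src}"))
    for directive in NON_FALLBACK:
        if directive not in policy:
            findings.append((directive, "missing"))
    return findings


if __name__ == "__main__":
    # Pipe real `curl -sI https://<gateway_host>/` output in, or run with no
    # input to audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else CONSTRUCTED_HEADERS
    csp = extract_csp(raw)
    if csp is None:
        print("Content-Security-Policy header is NOT set")
        sys.exit(1)
    for directive, issue in audit_csp(csp) or [("-", "no findings")]:
        print(f"{directive}: {issue}")
```

Run with no input to audit the constructed sample, or pipe the output of `curl -sI` against the gateway into it after the restart. On the page's example policy it reports 'unsafe-inline' in script-src, the wildcard host, and the missing base-uri, form-action and frame-ancestors directives; those are the findings an audit scanner typically raises next once the header itself is present, and the HARDENED policy clears all of them.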