Response Header: "Content-Security-Policy" on Siteminder Access Gateway
search cancel

Response Header: "Content-Security-Policy" on Siteminder Access Gateway

book

Article ID: 268236

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

A security audit has found the vulnerabilities in the Symantec Siteminder Access Gateway servers.  

-> Missing Response Header: "Content-Security-Policy"

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway Server

VERSION : 12.8.x

OPERATING SYSTEM: Any

Cause

Symantec Siteminder bundles Apache HTTP Server with Access Gateway.  The Response Headers are not set in the 'httpd.conf' nor is the 'mod_headers' module loaded by default.

Resolution

The "Content-Security-Policy" Response Header can be set in the 'httpd.conf' file for Apache.

SYNTAX:  Header set Content-Security-Policy <Directive>

=======================
[DIRECTIVES]

default-src:Default policy, used in any case except if overridden by a more precise directive.

script-src:      Policy dedicated to scripts

object-src:     Policy dedicated to plugins (object, embed, or applet)

style-src:       Policy dedicated to styles (CSS)

img-src:         Policy dedicated to images (img, but also url() or image() from CSS, or link element related to an image type (ex: rel=”icon”)

media-src:     Policy dedicated to media (video, audio, source, or track)

frame-src:      Policy dedicated to frames (iframe or frame)

font-src:         Policy dedicated to fonts

connect-src:  Policy dedicated to connections from a XMLHttpRequest object or a WebSocket

report-uri:      Allows to define an URI to where CSP violation reports will be sent. If a piece of content is blocked by a browser, the browser will send a report with detailed information to this URI. Be careful: if your traffic is high, this could mean a lot of reports!
=======================

1) Logon to the Symantec Siteminder Access Gateway host

2) Browse to the 'httpd.conf' file

WINDOWS: <Install_Dir>\CA\secure-proxy\HTTPD\conf/HTTPD.conf

LINUX: <Install_Dir>/secure-proxy/HTTPD/conf/HTTPD.conf

3) Add the following directives:

Line ~102: LoadModule headers_module modules/mod_headers.so

line 528~529: <IfModule headers_module>

================================
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule headers_module modules/mod_headers.so
......

<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
Header set Content-Security-Policy "default-src https:"
</IfModule>
================================

 

Additional Information

"Content-Security-Policy" Header