A security audit has found the following vulnerability in the Symantec Siteminder Access Gateway servers:
-> Missing Response Header: "Content-Security-Policy"
PRODUCT: Symantec Siteminder
COMPONENT: Access Gateway Server
VERSION: 12.8.x
OPERATING SYSTEM: Any
Symantec Siteminder bundles the Apache HTTP Server with Access Gateway. Out of the box no security response headers are set in 'httpd.conf', and the 'mod_headers' module is not loaded. Until that module is loaded, a 'Header' directive placed outside an <IfModule headers_module> block makes httpd fail to start ("Invalid command 'Header'"), and one placed inside such a block is silently skipped.
The "Content-Security-Policy" response header can be set in Apache's 'httpd.conf' file once mod_headers is loaded.
SYNTAX: Header set Content-Security-Policy "<policy>"
=======================
[DIRECTIVES]
A policy is a semicolon-separated list of directives, each followed by the sources it allows (for example 'self', 'none', a scheme such as https:, or an explicit origin).
default-src: Default policy, used for any resource type not covered by a more specific directive.
script-src: Policy for scripts.
object-src: Policy for plugins (object, embed, or applet).
style-src: Policy for styles (CSS).
img-src: Policy for images (img, but also url() or image() in CSS, or a link element of an image type, e.g. rel="icon").
media-src: Policy for media (video, audio, source, or track).
frame-src: Policy for nested browsing contexts (iframe or frame).
font-src: Policy for fonts.
connect-src: Policy for connections opened from scripts (XMLHttpRequest, fetch(), WebSocket, EventSource).
report-uri: Defines a URI to which CSP violation reports are sent. When a browser blocks a piece of content, it sends a report with detailed information to this URI. Be careful: on a high-traffic site this can mean a lot of reports. (report-uri is deprecated in favour of report-to, but browsers still honour it.)
=======================
1) Log on to the Symantec Siteminder Access Gateway host.
2) Open the 'httpd.conf' file in an editor:
WINDOWS: <Install_Dir>\CA\secure-proxy\HTTPD\conf\HTTPD.conf
LINUX: <Install_Dir>/secure-proxy/HTTPD/conf/HTTPD.conf
3) Add the following directives (the line numbers are approximate and vary between releases; search for the surrounding text instead of relying on them):
Line ~102: LoadModule headers_module modules/mod_headers.so (in the Dynamic Shared Object section; uncomment it if it is already present but commented out)
Line ~528-529: Header set Content-Security-Policy "<policy>" inside the existing <IfModule headers_module> block
Note that 'Header set' only adds the header to 2xx responses. Use 'Header always set' if the header must also be present on redirects and error responses, for example the redirect to the Siteminder login form or a 401/403 returned by the agent.
4) Check the syntax with 'httpd -t' using the bundled httpd binary, then restart the Access Gateway so the new configuration is loaded.
5) Verify from a client, e.g. curl -skI https://<gateway-host>/ , and confirm that the 'Content-Security-Policy' header is present in the response.
================================
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule headers_module modules/mod_headers.so
......
<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
# "https:" permits content from any HTTPS origin. Prefer 'self' plus explicitly
# listed hosts where the application allows it.
Header set Content-Security-Policy "default-src https:"
</IfModule>
================================
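The following script is an added example and not code from the Symantec KB article or from the product. It applies the procedure above to a copy of httpd.conf idempotently (uncomments or appends the LoadModule line, appends a CSP block only if none is set) and checks a captured HTTP response for the header. It assumes a POSIX sh with grep and sed; the policy in CSP_POLICY and the sample response headers are constructed for illustration and must be tuned to the pages the Access Gateway actually serves.

```shell
#!/bin/sh
# Added example (not from the Symantec KB article): make the httpd.conf change
# from the procedure above idempotently and verify a captured response.
# Assumptions: POSIX sh with grep/sed; CSP_POLICY is illustrative only.

CSP_POLICY="default-src 'self'; object-src 'none'; frame-ancestors 'self'"

# ensure_headers_module FILE
# Uncomment an existing "#LoadModule headers_module ..." line, or append one.
ensure_headers_module() {
    f="$1"
    if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+headers_module' "$f"; then
        return 0                                   # already loaded
    fi
    if grep -Eq '^[[:space:]]*#[[:space:]]*LoadModule[[:space:]]+headers_module' "$f"; then
        # strip the leading comment marker from the shipped default line
        sed 's/^[[:space:]]*#[[:space:]]*\(LoadModule[[:space:]][[:space:]]*headers_module\)/\1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s\n' 'LoadModule headers_module modules/mod_headers.so' >> "$f"
    fi
}

# ensure_csp_header FILE
# Append an <IfModule headers_module> block that sets the header unless the
# file already sets Content-Security-Policy somewhere.
ensure_csp_header() {
    f="$1"
    if grep -Eiq '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Content-Security-Policy' "$f"; then
        return 0                                   # already configured
    fi
    # "always" makes the header appear on 3xx/4xx/5xx responses too (login
    # redirects, 401/403 from the agent), not only on 2xx like plain "Header set".
    cat >> "$f" <<EOF
<IfModule headers_module>
    Header always set Content-Security-Policy "$CSP_POLICY"
</IfModule>
EOF
}

# has_csp_header RESPONSE_HEADERS
# Return 0 if the captured header block (e.g. output of: curl -skI https://host/)
# contains Content-Security-Policy, 1 otherwise. Header names are case-insensitive.
has_csp_header() {
    printf '%s\n' "$1" | grep -Eiq '^Content-Security-Policy:'
}

# Stand-alone demonstration on a constructed httpd.conf fragment.
demo() {
    tmp="${TMPDIR:-/tmp}/httpd.conf.$$"
    printf '%s\n' '#LoadModule headers_module modules/mod_headers.so' 'Listen 443' > "$tmp"
    ensure_headers_module "$tmp"
    ensure_csp_header "$tmp"
    ensure_csp_header "$tmp"                       # second run is a no-op
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

Run it against a backup copy of the real httpd.conf first, then `httpd -t` and restart the Access Gateway. The `Header always set` form is deliberate: the Siteminder agent answers many requests with a redirect to the login form or with 401/403, and a plain `Header set` leaves those responses without the header.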