Setting HTTP Security Headers on Siteminder Agent for Apache


Article ID: 269357


Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Security teams may mandate that you set HTTP security headers on responses. The instructions below apply to the Access Gateway as well as to stand-alone Apache and IBM HTTP Server (IHS) instances that host the Web Agent.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Web Agent for Apache

VERSION: Any

WEB SERVERS: 

ASF Apache: 2.2.x; 2.4.x

HP Apache: 2.0.5x; 2.2.x

IHS: 7.0; 8.0.x; 8.5.x; 8.5.5.x; 9.0.x

Cause

HTTP security headers are not a function of the Symantec Siteminder Web Agent. They are enabled and configured in the web server (Apache or IHS) that hosts the agent, and neither server sets them by default.

Resolution

1) Log on to the Access Gateway, Apache or IHS host.

2) Open the 'httpd.conf' file.

3) Make sure that 'mod_headers' is loaded:

LoadModule headers_module modules/mod_headers.so

4) Add the following headers inside an 'IfModule' block for mod_headers:

<IfModule mod_headers.c>
    # 'always' applies to every response, including the non-2xx redirects
    # and error pages the server generates itself (the Web Agent's redirect
    # to the login form is one). Plain 'Header set' only touches 2xx responses.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>

NOTE: Your security team may dictate the 'max-age' value for 'Strict-Transport-Security'. 'includeSubDomains' commits every subdomain of the host to HTTPS for that period, so confirm that all of them serve TLS before enabling it, and consider a short 'max-age' for the first rollout. Browsers only honour HSTS received over HTTPS; if the server also answers plain HTTP, place the line in the TLS virtual host (or, on Apache 2.4.10 and later, append the condition "expr=%{HTTPS} == 'on'" to the directive).

NOTE: 'X-XSS-Protection' is deprecated. Current browsers ignore it (Chrome removed its XSS Auditor, Firefox never implemented it) and OWASP now recommends the value "0". Keep the line only if your security team's standard still requires it.

5) Check the configuration, then restart the Access Gateway, Apache or IHS server.

NOTE: If restarting Apache or IHS, run 'apachectl configtest' first and then restart with 'apachectl', NOT 'systemctl'.
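After the restart, verify that the headers actually arrive on both kinds of response the Web Agent produces: a 200 for an authenticated request and the 302 redirect to the login form for an unauthenticated one. The following POSIX shell checker is an added example, not code from the Broadcom article or the Siteminder product. It reads raw response headers (curl output) on stdin and reports which of the configured headers are missing; the host names and the two sample responses are constructed placeholders, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article or the Siteminder product.
# Reads raw HTTP response headers (for example from curl) on stdin and
# reports which of the headers configured in httpd.conf are missing.
# Host names and sample responses below are constructed placeholders.

# Headers the httpd.conf snippet is expected to add, one per line.
REQUIRED_HEADERS='X-Frame-Options
X-Content-Type-Options
Strict-Transport-Security'

# check_headers: stdin = raw response headers. Prints "MISSING: <name>"
# for every required header that is absent (names compared
# case-insensitively). Returns 0 if all are present, 1 otherwise.
check_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0
    for name in $REQUIRED_HEADERS; do
        lc=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$hdrs" | grep -q "^$lc:"; then
            echo "MISSING: $name"
            rc=1
        fi
    done
    return $rc
}

# hsts_max_age: stdin = raw response headers. Prints the max-age value of
# Strict-Transport-Security, or nothing when the header is absent, so the
# value can be compared with what the security team mandated.
hsts_max_age() {
    tr -d '\r' | tr 'A-Z' 'a-z' \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p'
}

# Constructed sample 1: a 200 for a protected page. Both 'Header set' and
# 'Header always set' populate this response.
SAMPLE_200='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html'

# Constructed sample 2: the Web Agent's 302 to the login form for an
# unauthenticated request. It is a locally generated non-2xx response, so
# with plain 'Header set' (the onsuccess table only) none of the headers
# are attached; this is what a misconfigured server returns.
SAMPLE_302='HTTP/1.1 302 Found
Server: Apache
Location: https://sso.example.com/siteminderagent/forms/login.fcc
Content-Length: 0'

# Live usage (GET request, body discarded, headers to stdout):
#   sh check_headers.sh https://sso.example.com/protected/
# Without an argument the script only defines the functions and samples.
if [ -n "${1:-}" ]; then
    curl -sS -o /dev/null -D - "$1" | check_headers \
        && echo "all required headers present"
fi
```

curl does not follow redirects by default, so running the script without a session cookie exercises the 302 path and running it again with a valid session (curl -b) exercises the 200 path. Against the constructed samples, the 200 passes and the 302 reports all three headers missing, which is exactly the symptom of 'Header set' used without 'always'.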

Additional Information