Some security teams mandate that HTTP security headers be set on every response, for example:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security
This article describes how to set them on web servers protected by Siteminder Web Agents.
Release : Any
Component : Siteminder Web Agents
HTTP security headers are not enabled by default and are considered optional. The Siteminder Web Agent does not set them; they are set by the web server itself (Apache HTTP Server, Microsoft IIS, IBM HTTP Server, etc.).
Apache/IHS
1) Logon to the Apache/IHS web server host.
2) Open the 'httpd.conf' file. The path below is the embedded Apache of the Secure Proxy Server; a standalone Apache or IHS keeps 'httpd.conf' under its own conf directory.
<Install_Dir>/secure-proxy/httpd/conf/httpd.conf
3) Make sure that 'mod_headers' is loaded (uncomment the line if it is commented out):
LoadModule headers_module modules/mod_headers.so
4) Set one or more of the following headers inside an 'IfModule' block for mod_headers:
<IfModule mod_headers.c>
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>
NOTE: Use 'Header always set' rather than plain 'Header set'. Without 'always', mod_headers adds the header only to successful (2xx) responses, so the 302 redirects the Web Agent issues to send an unauthenticated user to the login page, and any error responses, would be sent without the headers.
NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' directive. Browsers honour HSTS only when it arrives over HTTPS, and 'includeSubDomains' commits every subdomain of the host to HTTPS as well, so confirm that before enabling it.
NOTE: Current browsers no longer implement the XSS filter that 'X-XSS-Protection' controlled; include it only if your security team still requires it.
5) Restart the Apache/IHS server
Microsoft IIS Server
1) Logon to the IIS web server host.
2) Open the IIS Manager
3) Select the Web Site
4) Open "HTTP Response Headers"
5) Add one or more of the following Response Headers:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
6) Restart the IIS server. (IIS Manager writes these headers to the site's 'web.config', and IIS normally applies that change without a restart, so this step is a precaution.)
These headers can also be configured directly in the web site's 'web.config' file, under '<system.webServer>':
-------------------------------
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
-------------------------------
NOTE: Your security team may dictate 'max-age' value for the 'Strict-Transport-Security' directive.
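After either the Apache/IHS or the IIS procedure above, verify that the headers actually reach the client, and in particular that they are present on the 302 redirect the Web Agent returns for an unauthenticated request, not just on a 200 page. The script below is an added example and is not part of the Siteminder documentation. It reads raw response headers from stdin (for example from 'curl -skI https://host/protected/'), reports which of the four headers from this article are missing, and is exercised against two constructed sample responses: a 200 with all headers present and a 302 with none, which is what a plain 'Header set' (without 'always') produces on Apache. The host name in the sample is an assumption.

```shell
#!/bin/sh
# Added example: check a captured HTTP response for the security headers
# described in this article. Not part of the Siteminder documentation.
# Live usage:  curl -skI https://host/protected/ | check_headers

REQUIRED_HEADERS="X-Frame-Options X-XSS-Protection X-Content-Type-Options Strict-Transport-Security"

# check_headers: reads raw response headers on stdin, prints
# "OK (HTTP <status>): ..." or "MISSING (HTTP <status>): <names>",
# and returns 0 only when every required header is present.
check_headers() {
    hdrs=$(tr -d '\r')            # strip CRLF line endings from the wire
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    missing=""
    for name in $REQUIRED_HEADERS; do
        # header names are case-insensitive, so match with -i
        if ! printf '%s\n' "$hdrs" | grep -qi "^$name:"; then
            missing="$missing $name"
        fi
    done
    if [ -n "$missing" ]; then
        echo "MISSING (HTTP $status):$missing"
        return 1
    fi
    echo "OK (HTTP $status): all required headers present"
    return 0
}

# Constructed sample responses (not captured from a real server).
# A 200 for a protected page with all four headers set:
SAMPLE_200='HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains
'
# The 302 the Web Agent returns for an unauthenticated request when Apache
# uses "Header set" without "always": no security headers at all.
# login.example.com is an assumed host name.
SAMPLE_302='HTTP/1.1 302 Found
Location: https://login.example.com/siteminderagent/forms/login.fcc
'

main() {
    printf '%s' "$SAMPLE_200" | check_headers
    printf '%s' "$SAMPLE_302" | check_headers || true
}

main
```

Run the check once against a protected URL with a valid SMSESSION cookie (expect a 200) and once without one (expect the agent's 302); both should report OK. A MISSING result on the 302 alone means the headers are applied only to successful responses, which on Apache is the 'Header set' versus 'Header always set' difference.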