Setting HTTP Security Headers on Siteminder Web Agents

Article ID: 275778

Products

SITEMINDER CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Some security teams will mandate that you set HTTP Security Headers in Responses.

Examples:

X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Strict-Transport-Security

This article will discuss setting them for web servers being protected by Siteminder Web Agents.

Environment

Release : Any

Component : Siteminder Web Agents

Cause

HTTP Security Headers are not enabled by default and are considered optional. They are also not set by the Siteminder Web Agent. Instead, they are set by the Web Server itself (e.g. Apache HTTP Server, MS IIS, IBM HTTP Server, etc.).

Resolution

Apache/IHS

1) Logon to the Apache/IHS web server host.

2) Open the 'httpd.conf' file

<Install_Dir>/secure-proxy/httpd/conf/httpd.conf

3) Make sure that the 'mod_headers' is being loaded

LoadModule headers_module modules/mod_headers.so

4) Set one or more of the following HTTP Headers in the following 'IfModule' directive:

<IfModule mod_headers.c>
     Header set X-Frame-Options "SAMEORIGIN"
     Header set X-XSS-Protection "1; mode=block"
     Header set X-Content-Type-Options "nosniff"
     Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</IfModule>

NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' directive.

5) Restart the Apache/IHS server

Microsoft IIS Server

1) Logon to the IIS web server host.

2) Open the IIS Manager

3) Select the Web Site

4) Open "HTTP Response Headers"

5) Add one or more of the following Response Headers:

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubDomains

6) Stop and Start the IIS Server

These headers can also be configured directly in the 'web.config' file for the web site.

-------------------------------

<httpProtocol>
    <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-XSS-Protection" value="1; mode=block" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="Strict-Transport-Security" value="max-age=63072000; includeSubDomains" />
    </customHeaders>
</httpProtocol>

-------------------------------

NOTE: Your security team may dictate the 'max-age' value for the 'Strict-Transport-Security' directive.
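To confirm that the web server is really returning these headers after the restart (for either the Apache/IHS or the IIS configuration above), here is an added checker; it is example code, not part of this article or of any Siteminder/Broadcom tooling. It parses a raw HTTP response and flags headers that are missing or weaker than the values configured above; the two sample responses are constructed, and the minimum 'max-age' is assumed from the article's example value.

```python
import re

# Headers and values the article configures (hypothetical checker; not CA/Broadcom code).
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}
MIN_HSTS_MAX_AGE = 63072000  # two years, matching the article's example value

def parse_headers(raw_response: str) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_security_headers(raw_response: str) -> list:
    """Return findings for the four headers; an empty list means all are acceptable."""
    headers = parse_headers(raw_response)
    findings = []
    for name, expected in EXPECTED.items():
        actual = headers.get(name)
        if actual is None:
            findings.append(f"missing {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name} is '{actual}', expected '{expected}'")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"strict-transport-security max-age below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("strict-transport-security lacks includeSubDomains")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
        "X-Content-Type-Options: nosniff\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n\r\n")
BAD = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
       "Strict-Transport-Security: max-age=300\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, check_security_headers(raw) or "OK")
```

Feed it the output of a raw request to the protected site (for example a captured response saved to a file) to verify the change on each server after the restart.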
Additional Information

X-Frame-Options

X-XSS-Protection

X-Content-Type-Options

Strict-Transport-Security