The following error was observed after upgrading CA Siteminder Policy Server and CA Access Gateway (SPS) to the 12.9 release.
- Error message:
Invalid header; error at offset 26: <Strict-Transport-Security : max-age=31536000; includeSubDomains>
------ From CA Access Gateway (SPS) Agent Trace log:
[06/02/2025][11:33:19][11:33:19.238][16296][14272][23b16dd8-81db8911-cff848b6-ad0d7a23-88f05d5f-c93][addRequestHeaders][Need to preserve Proxy HOST Header. Sending Proxy Host to the backend web server]
[06/02/2025][11:33:19][11:33:19.238][16296][14272][23b16dd8-81db8911-cff848b6-ad0d7a23-88f05d5f-c93][execute][Got protocol version HTTP/1.1]
[06/02/2025][11:33:19][11:33:19.238][16296][14272][23b16dd8-81db8911-cff848b6-ad0d7a23-88f05d5f-c93][execute][Sending request to backend = example.com = https://www.<host name>.<domain>
[06/02/2025][11:33:19][11:33:19.238][16296][14272][23b16dd8-81db8911-cff848b6-ad0d7a23-88f05d5f-c93][execute][Invalid header; error at offset 26: <Strict-Transport-Security : max-age=31536000; includeSubDomains>]
[06/02/2025][11:33:19][11:33:19.254][16296][14272][23b16dd8-81db8911-cff848b6-ad0d7a23-88f05d5f-c93][Noodle::doGet][org.apache.hc.client5.http.ClientProtocolException: Invalid header; error at offset 26: <Strict-Transport-Security : max-age=31536000; includeSubDomains> at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:177)]
Component: CA Access Gateway (SMSPS)
Version: 12.9 release
------ Cause of the Issue:
The header shown below, as sent by the backend application, is invalid: a header field name must not contain any white space before the colon.
- Expected (valid): <Strict-Transport-Security: max-age=31536000; includeSubDomains>
- Non-working (invalid): <Strict-Transport-Security : max-age=31536000; includeSubDomains>
- If you look carefully at the non-working header, there is a white space between "Strict-Transport-Security" and the colon.
------ Additional Information:
- What does the "26" in "error at offset 26" mean?
If you look at the error message carefully, the white space is the 26th character of the header line; that is the number being reported, and it varies with the position of the white space.
- Snippet for reference:
------ Reason why this happens with the 12.9 release of CA Access Gateway:
In the 12.9 release of CA Access Gateway, the "httpclient" third-party library was upgraded, and the newer version checks header names and their values strictly.
The third-party components upgraded in the 12.9 release are listed below (for reference only).
httpcore 5.3.1, i.e. httpcore5-5.3.1.jar
httpclient 5.4.1, i.e. httpclient5-5.4.1.jar
- Document for reference:
https://downloads.apache.org/httpcomponents/httpcore/RELEASE_NOTES-5.3.x.txt
------ For more details on headers containing white space, please check the document below.
RFC 7230: reject headers containing white space between the header field name and the colon in strict mode.
- Document for reference:
https://datatracker.ietf.org/doc/html/rfc7230
Please make sure there is no white space in the header field names. If you find any, work with your application team to remove the white space from the HTTP header of the affected web application.
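As an added example (not from this article, and not CA/Broadcom or Apache code), a small Python checker that applies the RFC 7230 rule the upgraded httpclient enforces, so an application team can scan captured backend response headers for white space before the colon before placing the application behind the 12.9 gateway. The sample headers are constructed; the second line reproduces the invalid header from the trace log above, and the code assumes the logged offset is the 0-based position at which the strict parser stops (the colon).

```python
import re

# RFC 7230 tchar: the only characters allowed in a header field-name.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def check_header_line(line: str):
    """Return None if the line is a valid header, else (offset, reason).

    offset is the 0-based index where a strict parser stops; for white space
    before the colon that is the colon itself, assumed to match the log's "offset N".
    """
    m = TOKEN_RE.match(line)
    if not m:
        return (0, "field-name is empty or starts with a non-token character")
    pos = m.end()
    if pos >= len(line):
        return (pos, "no colon after field-name")
    if line[pos] == ":":
        return None
    if line[pos] in " \t":
        # White space after the token: a colon following it is the RFC 7230
        # violation this article is about; anything else is a name with spaces.
        ws_end = pos
        while ws_end < len(line) and line[ws_end] in " \t":
            ws_end += 1
        if ws_end < len(line) and line[ws_end] == ":":
            return (ws_end, "whitespace between field-name and colon")
        return (pos, "field-name contains whitespace")
    return (pos, f"invalid character {line[pos]!r} in field-name")


def check_header_block(raw_headers: str):
    """Check each non-empty line of a raw header block; return (lineno, offset, reason, line) tuples."""
    findings = []
    for lineno, line in enumerate(raw_headers.splitlines(), start=1):
        if line.strip():
            result = check_header_line(line)
            if result is not None:
                findings.append((lineno, result[0], result[1], line))
    return findings


# Constructed sample response headers; line 2 reproduces the invalid header from the trace log.
SAMPLE_RESPONSE_HEADERS = (
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security : max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
)
```

Run `check_header_block` over the raw response headers captured from the backend (for example with curl -i) and fix every line it reports before the application is fronted by the strict proxy.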