I am trying to enable HTTP Strict Transport Security on a federation proxy server. I have enabled the headers module in the Apache HTTP Server and set the response headers in the <VirtualHost> block in proxy-engine/conf/server.conf. The response headers are not being populated though. Any ideas? Should I be setting the headers through Tomcat instead?
The response headers being referred to, are they part of the UserAgent section in server.conf?
Or is this the regular SSO web agent HTTP response?
If you have enabled the headers module in the Apache HTTP Server, have you verified the module is actively loaded?
./apachectl -t -D DUMP_MODULES
SPS default output (no ):
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_worker_module (static)
 env_module (shared)
 log_config_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 jk_module (shared)
 cgi_module (shared)
 alias_module (shared)
 authz_host_module (shared)
 authn_core_module (shared)
 authz_core_module (shared)
 unixd_module (shared)
 slotmem_shm_module (shared)
And the IfModule section is located under Apache, not in the Tomcat server.conf:
#<IfModule headers_module>
#RequestHeader unset DNT env=bad_DNT
#</IfModule>
I have not come across any SPS run book or tech note regarding this integration between HTTP Strict Transport Security and SPS; if it is not documented, there is no guarantee it will work.
Additional related info: CA SSO : SPS Hardening Security : Suppress Server Headers
Apart from loading the module, please add this into SPS_HOME/extra/httpd-ssl.conf file in the <VirtualHost _default_:443> block:
Header always set Strict-Transport-Security "max-age=63072000"
Then restart the SiteMinder Secure Proxy and SiteMinder Proxy Engine services.
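Two checks a defender would run around the fix above, as an added example that is not from the thread or from CA: the first parses the output of `apachectl -t -D DUMP_MODULES` (the check suggested earlier in the thread) to confirm mod_headers is actually loaded, the second parses a captured response header block (what `curl -sI` against the proxy returns) to confirm the Strict-Transport-Security header is present and that its max-age meets a minimum. The DUMP_MODULES samples, the response samples and the hostname sps.example.com are constructed for the example.

```shell
#!/bin/sh
# Added example, not SPS or Apache code. Post-fix verification helpers.

# has_headers_module DUMP_OUTPUT
#   $1 is the text of `apachectl -t -D DUMP_MODULES`. Returns 0 when
#   mod_headers (headers_module) is loaded, 1 otherwise. Works on the
#   normal one-module-per-line output and on a flattened single line.
has_headers_module() {
    printf '%s\n' "$1" |
      grep -Eq '(^|[[:space:]])headers_module[[:space:]]+\((static|shared)\)'
}

# hsts_max_age RESPONSE_HEADERS
#   $1 is a raw response header block, e.g. from
#   `curl -sI https://sps.example.com/` (placeholder host). Strips CRLF,
#   lowercases, and prints the max-age of the first Strict-Transport-Security
#   header. Returns 1 (prints nothing) when the header is absent.
hsts_max_age() {
    printf '%s\n' "$1" |
      tr -d '\r' |
      tr 'A-Z' 'a-z' |
      grep '^strict-transport-security:' |
      sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' |
      head -n 1 |
      grep .
}

# hsts_ok RESPONSE_HEADERS [MIN_SECONDS]
#   Returns 0 when HSTS is present and max-age >= MIN_SECONDS
#   (default 31536000, one year, a commonly recommended floor).
hsts_ok() {
    age=$(hsts_max_age "$1") || return 1
    [ "$age" -ge "${2:-31536000}" ]
}

# Constructed samples: module list before and after enabling mod_headers.
DUMP_BEFORE='Loaded Modules:
 core_module (static)
 so_module (static)
 jk_module (shared)'
DUMP_AFTER="$DUMP_BEFORE
 headers_module (shared)"

# Constructed samples: response headers before and after the Header directive.
RESP_BEFORE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
RESP_AFTER='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000
Content-Type: text/html'

# Stand-alone demo output for the reader.
for sample in BEFORE AFTER; do
    eval dump=\"\$DUMP_$sample\"
    eval resp=\"\$RESP_$sample\"
    if has_headers_module "$dump"; then
        echo "$sample: headers_module loaded"
    else
        echo "$sample: headers_module NOT loaded"
    fi
    if age=$(hsts_max_age "$resp"); then
        echo "$sample: HSTS max-age=$age"
    else
        echo "$sample: no Strict-Transport-Security header"
    fi
done
```

Two points the checks are built around: `Header always set` is the right form because plain `Header set` only applies to 2xx responses, so a redirect or a 401 challenge from the agent would go out without HSTS; and the header is only meaningful on the HTTPS virtual host, since browsers ignore Strict-Transport-Security received over plain HTTP, which is why the directive belongs in httpd-ssl.conf rather than the port 80 block.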
I like what is suggested by Alex. Test it and let us know if it works.
Additionally, we need to take care of the following aspects.
This worked. Thank you!
More than a few times I have found the Apache httpd at the front of SPS to be pretty useful for doing exactly this sort of tinkering with the headers - Cheers Mark