Hi Joseph,
I have uploaded a word file which has those screenshots now.
The login page is served from the same web server. Also, from the web agent trace logs (below), it can be seen that the login page is served from disk, which means the network components are not serving a cached login page.
[11/12/2019][16:23:12][1084][3904][][CSmFormTemplateCache::GetForm][Form template 'E:\CA\secure-proxy\Tomcat\webapps\..\..\proxy-engine\examples\siteminderagent\MVDLSDEV\PDLoginBP.fcc' not found in cache.]
[11/12/2019][16:23:12][1084][3904][][CSmFormTemplateCache::GetForm][Serving form template 'E:\CA\secure-proxy\Tomcat\webapps\..\..\proxy-engine\examples\siteminderagent\MVDLSDEV\PDLoginBP.fcc' from disk.]
The above logs are from after flushing the cache.
How can I add the header at the web server level? We are using CA Access Gateway, which is Apache. Should this be done in the httpd.conf file?
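For reference, the kind of httpd.conf fragment the question above is asking about, written as an added example rather than something posted in this thread or taken from CA documentation. It assumes mod_headers is available to the Access Gateway's Apache instance and that the .fcc forms are reachable at a URL ending in .fcc; the module path and the LocationMatch pattern are assumptions to adjust for the actual deployment.

```apache
# Added example, not from this thread or CA documentation.
# Assumption: mod_headers is shipped with the Access Gateway's Apache; the
# module path below is the stock layout and may differ on your install.
LoadModule headers_module modules/mod_headers.so

# Site-wide: add the header to every response the server emits.
# "always" matters here. Without it, Header only touches the table used for
# successful (2xx) responses, so locally generated redirects and other
# non-2xx responses would still go out without the header.
Header always set X-Frame-Options "DENY"

# Narrower alternative if a site-wide DENY would break an application that
# is legitimately framed: scope it to the .fcc form templates only.
# Assumption: the form templates are served under a URL ending in .fcc.
<LocationMatch "\.fcc$">
    Header always set X-Frame-Options "DENY"
</LocationMatch>
```

After restarting Apache, check the response for the login form directly from the web server (bypassing any load balancer or proxy in between) with a request that captures the headers only, for example `curl -sI` against the .fcc URL, and confirm that `X-Frame-Options: DENY` appears; if it is present there but not in the browser, the intermediate device is the place to look. The `Header` directive itself does not depend on the ACO setting, so it will also cover the protected resources that already get the header from the agent configuration.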
Original Message:
Sent: 11-13-2019 12:30 PM
From: Joseph Rahme
Subject: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page
Is it possible that the login page is cached? (In case you have a network device between the browser and the web server.)
Also, I cannot see the screenshots properly. Do you have the login page served from the same web server / agent?
Have you tried setting the header on the web server itself?
Thanks
Joe
Original Message:
Sent: 11-13-2019 10:57 AM
From: Samarth Upasani
Subject: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page
In our environment, we are using CA SPS and SiteMinder. Our Vulnerability Management team has identified that the X-FRAME-OPTIONS header is missing from SiteMinder protected resources and also from .fcc login page.
After referring to the two links below,
I added X-FRAME-OPTIONS ACO parameter with value specified as "DENY" and I am able to see the header now being shown for protected resources.
However, the header is still missing from the .fcc login page itself.
Are any additional configurations required for the header to be seen on the login page? Please advise.
Issue : Security Headers missing from login .fcc page
Environment Details :
SiteMinder WebAgent - 12.52
SiteMinder Policy Server - 12.8
Fiddler Capture:
------------------------------
Samarth Upasani
------------------------------