Symantec Access Management


X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

  • 1.  X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

    Posted 26 days ago
    In our environment, we are using CA SPS and SiteMinder. Our Vulnerability Management team has identified that the X-FRAME-OPTIONS header is missing from SiteMinder protected resources and also from the .fcc login page.
    After referring to the 2 links below,
    I added the X-FRAME-OPTIONS ACO parameter with the value "DENY", and I can now see the header being returned for protected resources.
    However, the header is still missing from the .fcc login page itself.
    Are any additional configurations required for the header to be seen on the login page? Please advise.

    Issue : Security Headers missing from login .fcc page

    Environment Details : 
    SiteMinder WebAgent - 12.52
    SiteMinder Policy Server - 12.8

    Fiddler Capture : 
    Security header is visible on Protected resource after adding ACO parameter
    X-FRAME-OPTIONS header missing on login page


    ------------------------------
    Samarth Upasani
    ------------------------------


  • 2.  RE: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

    Posted 25 days ago
    Is it possible that the login page is cached? (In case you have a network device between the browser and the web server.)
    Also, I cannot see the screenshots properly; do you have the login page served from the same web server / agent?

    Have you tried setting the header on the web server itself?

    Thanks
    Joe


  • 3.  RE: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page

    Posted 25 days ago
    Hi Joseph,

    I have uploaded a word file which has those screenshots now.
    The login page is served from the same web server. Also, from the web agent trace logs (below), it can be seen that the login page is served from disk, which means the network components are not serving a cached login page.

    [11/12/2019][16:23:12][1084][3904][][CSmFormTemplateCache::GetForm][Form template 'E:\CA\secure-proxy\Tomcat\webapps\..\..\proxy-engine\examples\siteminderagent\MVDLSDEV\PDLoginBP.fcc' not found in cache.]
    [11/12/2019][16:23:12][1084][3904][][CSmFormTemplateCache::GetForm][Serving form template 'E:\CA\secure-proxy\Tomcat\webapps\..\..\proxy-engine\examples\siteminderagent\MVDLSDEV\PDLoginBP.fcc' from disk.]

    The logs above are from after flushing the cache.

    How can I add the header at the web server level? We are using CA Access Gateway, which is Apache. Should this be done in the httpd.conf file?



  • 4.  RE: X-FRAME-OPTIONS vulnerability - Headers missing from .fcc login page
    Best Answer

    Posted 25 days ago
    OK, thank you.
    Yes, you can set it to be returned from Apache on all requests, as follows.

    Set the following in httpd.conf and restart Access Gateway.

    Header always set X-FRAME-OPTIONS: "DENY"

    That should take care of it, let me know what you get
    Joe
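One way to confirm the fix after restarting Access Gateway, as an added example that is not part of this thread: a small scanner that parses raw HTTP responses and reports which ones still lack a framing protection. The sample responses and URL paths are constructed for the example (they are not the thread's captures), and it also accepts a CSP frame-ancestors directive as equivalent protection, which goes slightly beyond what the thread discusses.

```python
import re

# Constructed sample responses for this example (not captures from the thread):
# a protected resource after the ACO change, and the .fcc login page before it.
SAMPLES = {
    "/protected/index.html": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-FRAME-OPTIONS: DENY\r\n"
        "\r\n<html>protected</html>"
    ),
    "/siteminderagent/MVDLSDEV/PDLoginBP.fcc": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "\r\n<html><form>login</form></html>"
    ),
}

def parse_headers(raw):
    """Lower-cased header name -> list of values; the body is ignored."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # the first line is the status line
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the scan
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_finding(raw):
    """None when the response forbids framing, otherwise why it does not.
    Names match case-insensitively: Apache emits the spelling from httpd.conf."""
    headers = parse_headers(raw)
    values = {v.upper() for v in headers.get("x-frame-options", [])}
    if not values:
        # CSP frame-ancestors gives equivalent protection in modern browsers.
        csp = " ".join(headers.get("content-security-policy", []))
        if re.search(r"frame-ancestors\s+'(none|self)'", csp):
            return None
        return "X-Frame-Options header missing"
    if len(values) > 1:
        return "conflicting X-Frame-Options values: " + ", ".join(sorted(values))
    value = values.pop()
    if value not in ("DENY", "SAMEORIGIN"):
        return "unexpected X-Frame-Options value: " + value
    return None

def scan(samples):
    """Paths that still need fixing, mapped to their finding."""
    return {p: f for p, raw in samples.items() if (f := frame_finding(raw))}
```

Feed it the raw responses captured by Fiddler or `curl -i` for both a protected resource and the .fcc page; an empty result from scan() means the header now reaches the browser on every response.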