Lack of HTTP Security Headers

Which IIQ version are you inquiring about?

8.3p1

Please share any images or screenshots, if relevant.

Several HTTP headers are used to define behaviors and limitations that affect the
clients that connect to the server, and each of them is focused on a different security
feature. The recommended headers to be implemented are:
• “Content-Security-Policy: default-src ‘self’”
• “X-Frame-Options: DENY”
• “X-Content-Type-Options: nosniff”
• “Strict-Transport-Security”
During the current assessment, the vulnerability team identified that the following
headers are not present in the server’s responses:
• “Content-Security-Policy: default-src ‘self’”
• “X-Content-Type-Options: nosniff”
• “Strict-Transport-Security”

Does anyone have any idea how to add these to our SailPoint headers, so we can avoid this vulnerability?

Thanks,

Hi,

That should be possible as configuration on the web server running IIQ, so most probably Tomcat. It should be possible to add them via a filter in the web.xml.

Regards Felix
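A filter of the kind Felix describes, as an added example that is not code from this thread or from SailPoint: it assumes the javax.servlet API (Tomcat 9 or earlier), an arbitrary class name of my choosing, and the header values quoted in the finding.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds the headers flagged by the assessment to every response.
 * Registered with @WebFilter; the same class can instead be declared in
 * web.xml with <filter> and a <filter-mapping> on the /* URL pattern.
 */
@WebFilter(filterName = "SecurityHeadersFilter", urlPatterns = "/*")
public class SecurityHeadersFilter implements Filter {

    // Values from the finding. Test the CSP in a lower environment first:
    // 'self' alone blocks inline scripts and styles, which can break a UI.
    private static final String CSP = "default-src 'self'";
    private static final String HSTS = "max-age=31536000; includeSubDomains";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse resp = (HttpServletResponse) response;
            // Set the headers before continuing the chain, so they are in
            // place before the application commits the response.
            resp.setHeader("Content-Security-Policy", CSP);
            resp.setHeader("X-Content-Type-Options", "nosniff");
            resp.setHeader("X-Frame-Options", "DENY");
            // Browsers only honour HSTS on HTTPS responses, so it is sent
            // only when the request arrived over a secure connection.
            if (request.isSecure()) {
                resp.setHeader("Strict-Transport-Security", HSTS);
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

The compiled class must be on the application's classpath (WEB-INF/classes or a JAR in WEB-INF/lib) for Tomcat to pick it up. Tomcat also ships org.apache.catalina.filters.HttpHeaderSecurityFilter, which can be configured in web.xml for HSTS, X-Frame-Options and nosniff, but it does not set Content-Security-Policy.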

Hi @Felix_Witt ,

We tried adding this, but unfortunately it is not working. If you have the exact command or exact code, please paste it here so I can do the same in my lower environment.

Thanks

Sorry but we haven’t made that change yet. How does your web.xml look on the application server?
