Customer noticed that custom response headers were missing only when they reached the login.fcc

Document ID : KB000111098
Last Modified Date : 14/08/2018
Question:
In their Apache httpd.conf they had used the following to set the headers:

Header set X-Content-Type-Options: nosniff 
Header set X-XSS-Protection 1; mode=block

These headers were missing on the response to the POST to login.fcc, and the customer wanted to know why, since they were present on the responses before and after CA SSO authentication.

On the initial GET 200 to the login.fcc, the headers are seen:

HTTP/1.1 200 OK 
Date: Tue, 17 Jul 2018 23:23:49 GMT 
Server: Apache/2.2.15 (Red Hat) 
Set-Cookie: SMLOCALE=en-US; path=/ 
Cache-Control: no-store 
Content-Length: 3191 
X-XSS-Protection: 1; mode=block 
X-Content-Type-Options: nosniff 
Connection: close 
Content-Type: text/html;charset=UTF-8 


But on the POST 302 they are missing. 

HTTP/1.1 302 Found 
Date: Tue, 17 Jul 2018 23:23:57 GMT 
Server: Apache/2.2.15 (Red Hat) 
Set-Cookie: SMLOCALE=en-US; path=/ 
Set-Cookie: SMTRYNO=; expires=Thu, 18 Jan 2018 23:23:57 GMT; path=/; domain=.ca.com 
Set-Cookie: SMSESSION=RVdMwmtF0l1QKx1<<<edit>>>IfJxrZ/F3Zbj0emgC; path=/; domain=.ca.com 
Cache-Control: no-store 
Location: http://iamr6u5b.ca.com/apachepage 
Content-Length: 299 
Connection: close 
Content-Type: text/html; charset=iso-8859-1 

Then present again upon arrival at the target resource via GET 200: 

HTTP/1.1 200 OK 
Date: Tue, 17 Jul 2018 23:23:57 GMT 
Server: Apache/2.2.15 (Red Hat) 
Last-Modified: Tue, 14 Jun 2016 20:06:41 GMT 
ETag: "7fd38-27-535428b1e23d7" 
Accept-Ranges: bytes 
Content-Length: 39 
X-XSS-Protection: 1; mode=block 
X-Content-Type-Options: nosniff 
Connection: close 
Content-Type: text/html; charset=UTF-8 
Environment:
CA SSO Web Agent - Any
Apache Webservers
Answer:
Add the condition "always" to the Header directives in httpd.conf, and quote any value that contains a space or semicolon:

Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff

Without a condition, Header operates with the default "onsuccess" condition, which only writes to the table of headers that Apache sends with 2xx responses. The 302 that the Web Agent returns after the POST to login.fcc is an internally generated, non-2xx response, and for such responses only the "always" table is sent to the client, so headers configured without "always" never appear on it. With "always", mod_headers writes to the table that is merged into every response, including redirects and error pages, which is why the headers then show up on the 302 as well as on the 200s.

Keep only the "always" form rather than both forms for the same header: the two tables are merged rather than de-duplicated, so configuring both "Header set" and "Header always set" for the same header can emit it twice on 2xx responses. After the change, capture the POST to login.fcc again and confirm the headers are present on the 302.
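The check a practitioner would run after the fix is to audit every captured response, not just the 200s, for the required headers. The following is an added example, not code from the KB article or from CA; the three sample responses are constructed from the captures shown above (session cookie value and body are placeholders), and the fourth is a constructed 200 that shows the duplicate-header case produced when both "Header set" and "Header always set" are configured.

```python
"""Audit raw HTTP responses for required security headers on every status code.

Added example, not part of the original KB article. Sample responses are
constructed from the captures in the article; cookie values and bodies are
placeholders.
"""
from collections import Counter

# Headers the httpd.conf is meant to send on every response, with expected values.
REQUIRED = {
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}


def parse_response(raw: str):
    """Return (status_code, Counter of header-name occurrences, first value per name)."""
    head = raw.replace("\r\n", "\n").lstrip("\n").split("\n\n", 1)[0]  # drop body
    lines = head.split("\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 302 Found" -> 302
    names = Counter()
    values = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray non-header line in a paste
        key = name.strip().lower()  # header names are case-insensitive
        names[key] += 1
        values.setdefault(key, value.strip())
    return status, names, values


def audit(raw: str):
    """Report missing, wrong-valued and duplicated required headers for one response."""
    status, names, values = parse_response(raw)
    problems = []
    for hdr, expected in REQUIRED.items():
        if hdr not in values:
            problems.append(f"missing {hdr}")
        elif values[hdr].lower() != expected:
            problems.append(f"unexpected {hdr}: {values[hdr]!r}")
        if names[hdr] > 1:
            # Typical when 'Header set' and 'Header always set' are both configured.
            problems.append(f"duplicate {hdr} ({names[hdr]} copies)")
    return status, problems


def audit_all(responses):
    """Audit a sequence of raw responses; return [(status, problems), ...]."""
    return [audit(r) for r in responses]


# Constructed from the article's captures (cookie value and body are placeholders).
GET_200 = """HTTP/1.1 200 OK
Date: Tue, 17 Jul 2018 23:23:49 GMT
Server: Apache/2.2.15 (Red Hat)
Set-Cookie: SMLOCALE=en-US; path=/
Cache-Control: no-store
Content-Length: 3191
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html;charset=UTF-8

<html>login form placeholder</html>
"""

POST_302 = """HTTP/1.1 302 Found
Date: Tue, 17 Jul 2018 23:23:57 GMT
Server: Apache/2.2.15 (Red Hat)
Set-Cookie: SMLOCALE=en-US; path=/
Set-Cookie: SMSESSION=PLACEHOLDER; path=/; domain=.ca.com
Cache-Control: no-store
Location: http://iamr6u5b.ca.com/apachepage
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1
"""

# Constructed: a 200 where the same header was emitted twice.
DUPLICATED_200 = """HTTP/1.1 200 OK
Server: Apache/2.2.15 (Red Hat)
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for status, problems in audit_all([GET_200, POST_302, DUPLICATED_200]):
        print(status, problems or "ok")
```

Feed it the responses from a real capture (for example the output of a proxy or curl with -i) for every hop of the login flow; a clean run reports no problems on the 302 as well as on the 200s.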