Customers have reported that Single Sign On (SSO) configurations are failing security scans that require one or more of the following headers to be set on publicly available SSO pages:

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Strict-Transport-Security (HSTS)

While earlier releases (before version 7.2.40) allowed these headers to be set manually on the Virtual Service, they were not applied to the associated SSO login pages. In firmware version 7.2.40, the LoadMaster automatically sets these headers on all SSO pages and on all WUI pages served by the LoadMaster. As of version 7.2.41, all of the headers except Strict-Transport-Security (STS) are always sent. The STS header is only sent if it is enabled on the Virtual Service (Strict Transport Security Header drop-down list in the SSL Properties section).
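A quick way to confirm what a scanner will see on an SSO login page is to audit the response headers against the four listed above, treating STS as expected only when it is enabled on the Virtual Service. The following script is an added example, not LoadMaster code; the accepted header values (DENY/SAMEORIGIN, nosniff, a max-age directive) are assumptions based on what scanners commonly require, not something the article specifies.

```python
"""Audit an SSO login page response for the headers named in the article.
Added example, not LoadMaster code; the accepted values are assumptions."""
import urllib.request
from typing import Dict, List

# Headers the article says are sent on all SSO/WUI pages from 7.2.40 onward.
ALWAYS_EXPECTED = {
    "x-frame-options": ("deny", "sameorigin"),   # accepted values: assumption
    "x-xss-protection": None,                    # presence only
    "x-content-type-options": ("nosniff",),      # accepted value: assumption
}
HSTS = "strict-transport-security"


def audit_headers(headers: Dict[str, str], hsts_enabled: bool) -> List[str]:
    """Return a list of findings; an empty list means the page passes.

    headers: response header names -> values (matched case-insensitively).
    hsts_enabled: whether STS is enabled on the Virtual Service; as of
    7.2.41 the STS header is only sent when it is."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    for name, allowed in ALWAYS_EXPECTED.items():
        value = lower.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif allowed and value.lower() not in allowed:
            findings.append(f"unexpected {name} value: {value!r}")
    hsts = lower.get(HSTS)
    if hsts_enabled:
        if hsts is None:
            findings.append(f"missing {HSTS} although STS is enabled on the Virtual Service")
        elif "max-age=" not in hsts.lower():
            findings.append(f"{HSTS} has no max-age directive: {hsts!r}")
    elif hsts is None:
        findings.append(f"{HSTS} absent: enable it under SSL Properties if the scan requires it")
    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """GET the SSO page and return its response headers (follows redirects)."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample resembling a 7.2.41 response with STS not yet enabled.
    sample = {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block",
              "X-Content-Type-Options": "nosniff", "Content-Type": "text/html"}
    for finding in audit_headers(sample, hsts_enabled=True):
        print(finding)
```

Replace the constructed sample with `fetch_headers("https://<your-sso-vip>/...")` to audit a live Virtual Service.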