New in Web Agent 2025.x
Web Agent 2025.9
Web Agent 2025.9 is a minor release that introduces new features, functional enhancements, and fixes.
Apache mod_headers
We’ve made changes to the Apache Web Agent to make it compatible with mod_headers.
This allows you to set security headers, including CORS responses, in the Apache configuration using mod_headers.
Learn more in Apache Module mod_headers in the Apache documentation.
Web Agent 2025.6
Web Agent 2025.6 is a minor release that introduces new features, functional enhancements, and fixes.
FIPS 140 support
We’ve made changes to Web Agent to provide FIPS 140 compliance.
- Unix-based agents support the OpenSSL 3.1.2 FIPS module, which is a FIPS 140-3 compliant security provider.
- Windows-based agents support the use of FIPS compliant algorithms to make them FIPS 140-2 compliant.
Learn more in FIPS 140 compliance.
Public client certificate friendly name
A new Public Client Certificate Friendly Name property lets you set the friendly name used to look up the client certificate in the Windows certificate store for agents using Schannel.
Use this new property instead of the Public Client Certificate File Name property to set the certificate friendly name.
The Public Client Certificate File Name property should now be used only for the name of the file that contains the client certificate chain.
TLSv1.3 security protocol
The TLS 1.3 security protocol can now be disabled for Windows Secure Channel API (Schannel) if required by adding -TLSv1.3 to the Security Protocol List.
Policy decision monitoring metric
We’ve added a new authenticated_return_total metric to the policy decision metrics returned by the Prometheus endpoint.
This metric provides a count of the requests returned after authentication.
It’s useful to monitor this metric with the not_authenticated_total metric as a possible indicator of a Denial of Service (DoS) attack.
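One way to watch the two counters together, as an added example that is not part of the Web Agent product or its documentation: it parses two scrapes in Prometheus text format and flags an interval where not_authenticated_total grows far faster than authenticated_return_total. It assumes the endpoint exposes the metrics under the bare names given above; the thresholds and the sample scrapes are constructed for illustration.

```python
import re

# One sample line of the Prometheus text format: name, optional {labels}, value.
SAMPLE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{[^}]*\})?\s+(\S+)')
WATCHED = ("authenticated_return_total", "not_authenticated_total")


def parse_counters(text):
    """Sum the watched counters across all label sets in one scrape."""
    totals = dict.fromkeys(WATCHED, 0.0)
    for line in text.splitlines():
        m = SAMPLE.match(line.strip())  # "# HELP"/"# TYPE" lines never match
        if m and m.group(1) in totals:
            totals[m.group(1)] += float(m.group(2))
    return totals


def unauth_spike(prev, curr, min_requests=100, max_ratio=5.0):
    """Flag an interval where unauthenticated growth dwarfs authenticated returns.
    Returns (flagged, delta_unauth, delta_auth); both thresholds are assumptions."""
    d_unauth = curr["not_authenticated_total"] - prev["not_authenticated_total"]
    d_auth = curr["authenticated_return_total"] - prev["authenticated_return_total"]
    if d_unauth < 0 or d_auth < 0:  # counter went down: agent restarted, skip
        return (False, 0.0, 0.0)
    if d_unauth < min_requests:  # too little traffic to judge
        return (False, d_unauth, d_auth)
    return (d_unauth > max_ratio * max(d_auth, 1.0), d_unauth, d_auth)


# Constructed sample scrapes taken one interval apart (not real agent output).
SCRAPE_T0 = """# TYPE not_authenticated_total counter
not_authenticated_total 1200
authenticated_return_total 950
"""
SCRAPE_T1 = """# TYPE not_authenticated_total counter
not_authenticated_total 9800
authenticated_return_total 1010
"""

if __name__ == "__main__":
    print(unauth_spike(parse_counters(SCRAPE_T0), parse_counters(SCRAPE_T1)))
```

Tune min_requests and max_ratio against the site's normal traffic before alerting on the result.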
Web Agent 2025.3.x
Web Agent 2025.3
Web Agent 2025.3 is a major release that introduces new features, functional enhancements, and fixes.
Content Security Policy header - frame-ancestors
We’ve made changes to the Web Agent to provide support for the Content Security Policy (CSP) frame-ancestors directive, which lets you specify which parent sources can embed a page in an iframe (and other HTML elements).
The agent sets this directive on direct responses, such as authentication and PDP, so this only affects pages related to these responses.
By default, the Web Agent sets this directive to self, which only allows the site hosting the agent to embed pages in iframes.
The following new bootstrap properties are available:
- The Frame Ancestors None property controls whether pages can be embedded in iframes or not.
- The Frame Ancestors Sources property controls which parent sources can embed pages in a <frame>, <iframe>, <embed> or <object> element if embedding is allowed.
Learn more in iframes.
Agent authentication to Advanced Identity Cloud and AM
We’ve made changes to how Web Agent authenticates to Advanced Identity Cloud and AM.
The default fallback mode setting (0) for the AM_AGENT_AUTH_MODE installation environment variable and the Agent Authentication Mode property has been removed.
The default setting is now 1, meaning the agent always authenticates using the Agent journey.
If the Agent journey doesn’t exist, you should create it. Learn more in Authenticate agents to the identity provider.