Configuring a Cookie Security policy
A cookie security policy allows you to configure FortiADC features that prevent cookie-based attacks and apply them in a protection profile. For example, a policy can enable cookie poisoning detection, encrypt the cookies issued by a back-end server, and add security attributes to cookies.
To configure a Cookie Security policy:
- Go to Web Application Firewall > Sensitive Data Protection.
- Click the Cookie Security tab.
- Click Create New to display the configuration editor.
- Complete the configuration as described in Cookie Security configuration. If you want to drop a large number of packets when traffic matches the rules, set Action to "block" instead of "deny".
- Save the configuration.
Settings | Guidelines
---|---
Name | Enter a unique Cookie Security policy name. Valid characters are Note: Once saved, the name of a Cookie Security policy cannot be changed.
Security Mode | No: Does not apply cookie tampering protection or cookie encryption. Signed: Prevents tampering by adding a signature that tracks the cookie. Encrypted: FortiADC encrypts the Set-Cookie values sent from the back-end web server to clients, so clients only see the encrypted cookies. FortiADC also decrypts cookies submitted by clients before sending them to the back-end server, to determine whether a cookie attack has taken place.
Samesite | Add the SameSite attribute to prevent the browser from sending cookies along with cross-site requests, to mitigate the risk of cross-origin information leakage. The attribute can be set to Strict, Lax, or None. The default value is Nothing.
Secure | Enable to add the Secure flag to cookies. The Secure attribute limits the scope of the cookie to "secure" channels (where "secure" is defined by the user agent). When a cookie has the Secure attribute, the user agent includes the cookie in an HTTP request only if the request is transmitted over a secure channel (typically HTTP over Transport Layer Security (TLS)). Note: This is a cookie attribute.
Severity | When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select the severity level FortiADC uses for Cookie Security violations. The default value is Low.
Remove Cookie | Enable so that FortiADC accepts the request but removes the cookie before sending it to the back-end web server. Note: Only applies when Security Mode is set to Encrypted or Signed.
HTTP Only | Enable to add the HttpOnly flag to cookies. The HttpOnly attribute limits the scope of the cookie to HTTP requests. In particular, the attribute instructs the user agent to omit the cookie when providing access to cookies via "non-HTTP" APIs (such as a web browser API that exposes cookies to scripts). Note: This is a cookie attribute.
Encrypted Cookie Type | All: Encrypt all cookies. List: Encrypt only the cookies that match the Cookie List. Note: Only applies when Security Mode is set to Encrypted.
Cookie Replay | Enable to allow FortiADC to use the IP address of a request to determine the owner of the cookie. If Cookie Replay is enabled, the client IP address is appended to the Set-Cookie value before encryption. When FortiADC receives the cookie, it decrypts the cookie and checks whether the IP address matches the client. Because the public IP of a client is not static in many environments, we recommend that you do not enable Cookie Replay. Note: Only applies when Security Mode is set to Encrypted. Optional.
Allow Suspicious Cookies | Select whether FortiADC allows requests that contain unrecognizable cookies or that are missing cookies. Never: Never allow suspicious cookies. Always: Always allow suspicious cookies. Custom: Do not block suspicious cookies until the date specified by Don't Block Until (Dont_block_until). When Cookie Replay is enabled, a suspicious cookie is a missing cookie that tracks the client IP address. Note: Only applies when Security Mode is set to Encrypted.
Don't Block Until | Specify the date on which to begin blocking suspicious cookies. Applicable only when Allow Suspicious Cookies is set to Custom. Note: Only applies when Security Mode is set to Encrypted.
Max Age | Add the maximum age (in minutes) if the response from the back-end server does not already have a "Max-Age" attribute or an "Expires" attribute. The default value is 0 (do not add Max-Age); the range is 0-2147483647. Note: This is a cookie attribute.
Exception |
Action | Select the action profile that you want to apply. See Configuring WAF Action objects. The default value is Alert.
Cookie List | The list of cookies to be encrypted. Note: Only applies when Security Mode is set to Encrypted and Encrypted Cookie Type (encrypted_cookie_type) is set to List.
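The following is an added illustration of the behaviours the table describes (attribute hardening, the Signed security mode, Remove Cookie and Allow Suspicious Cookies); it is not FortiADC's implementation. The signature format (value.tag), the minutes-to-seconds conversion for Max-Age, and the reading of the Max-Age rule as "add only when neither Max-Age nor Expires is present" are assumptions.

```python
# Added example, not FortiADC code. Models a WAF that hardens Set-Cookie headers
# on the way out and verifies signed cookies on the way in.
import hmac
import hashlib

def harden_set_cookie(header, samesite="Nothing", secure=True, httponly=True,
                      max_age_minutes=0):
    """Add SameSite/Secure/HttpOnly/Max-Age to a Set-Cookie value when absent."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}
    if samesite != "Nothing" and "samesite" not in present:
        parts.append(f"SameSite={samesite}")
    if secure and "secure" not in present:
        parts.append("Secure")
    if httponly and "httponly" not in present:
        parts.append("HttpOnly")
    # 0 means "do not add"; Max-Age (minutes in the policy, seconds on the wire)
    # is added only when the backend set neither Max-Age nor Expires (assumed).
    if max_age_minutes > 0 and present.isdisjoint({"max-age", "expires"}):
        parts.append(f"Max-Age={max_age_minutes * 60}")
    return "; ".join(parts)

def _tag(name, value, key):
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()

def sign_cookie(name_value, key):
    """Signed mode: append an HMAC tag (assumed format value.tag) to detect tampering."""
    name, _, value = name_value.partition("=")
    return f"{name}={value}.{_tag(name, value, key)}"

def inspect_cookie_header(cookie_header, key, allow_suspicious="Never",
                          remove_cookie=False):
    """Verify inbound cookies; return (verdict, Cookie header to forward)."""
    kept, suspicious = [], []
    for item in (i.strip() for i in cookie_header.split(";") if i.strip()):
        name, _, signed = item.partition("=")
        value, _, tag = signed.rpartition(".")
        if value and hmac.compare_digest(tag.encode(), _tag(name, value, key).encode()):
            kept.append(f"{name}={value}")  # signature stripped before forwarding
        else:
            suspicious.append(item)         # unsigned, malformed or tampered
    forward = "; ".join(kept)
    if not suspicious:
        return "pass", forward
    if remove_cookie:                       # Remove Cookie: accept, drop bad ones
        return "pass-stripped", forward
    if allow_suspicious == "Always":
        return "pass", cookie_header
    return "apply-action", None             # Never: hand to the WAF Action profile
```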