config security waf http-header-security
HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.
When the HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on user's website without code and configuration changes.
Syntax
config security waf http-header-security
edit <hhs-profile-name>
set request-status [ enable|disable ]
set request-url [ URL-string]
set mode [ add-always | add-replace | add-if-absent ]
configure http-header-security-list
edit <name>
set name [ content-security-policy | x-content-type-options | x-frame-options | x-xssprotection
| http-strict-transport-security ]
set value [ nosniff | deny | sameorigin | sanitizing-mode | block-mode ]
set policy <string>
set report-only [ enable | disable ]
set max-age <seconds>
set include-subdomain [ enable | disable ]
set preload [ enable | disable ]
next
end
end
config security waf profile
edit <waf-profile-name>
set http-header-profile <hhp-profile-name>
end
CLI Parameter |
Description |
---|---|
request-status |
Enable/ddisable request URL match. enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified request URL. disable: All responses will be processed with the selected security header(s). |
request-url |
Specify the URL used to match requests so that security headers can be applied to responses of the matched requests. |
mode |
Specify header operation mode for the response from the back-end server(s). add-always: always add the specified header(s). add-replace: add the specified header(s) if not exist, replace the value of header(s) which exist already. add-if-absent: only add the specified header(s) if not exist, do nothing if the same header(s) exist |
http-header-security-list |
|
name |
Set the HTTP security header name |
value |
The directive for the specified header in name. X content type options: nosniff X frame options: deny, sameorigin X XSS protection: sanitizing-mode, block-mode |
policy |
Only valid if Content-Security-Policy is selected. Enter the header value(s) that setting restrictions on resource types and sources. For example, default-src 'self';script-src 'self';object-src 'self'. |
report-only |
Enabling report-only switches to “Content-Security-Policy-Report-Only” header, which accepts all directives of CSP. However, “report-only” header only monitors the violations. FortiADC will check the existing of “report-uri” directive once “report-only” selected. |
max-age |
The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS. A max-age value of zero (i.e., “max-age=0”) signals the UA cease regarding the host as a Known HSTS Host, including the includeSubDomains directive (if asserted for that HSTS Host). |
include-subdomain |
Optional. If enabled, rule will apply to all of the site's subdomains as well. |
preload |
Google maintains an HSTS preload service: https://hstspreload.org/. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection. While the service is hosted by Google, all browsers have stated an intent to use (or actually started using) the preload list. Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.) However, it is not part of the HSTS specification and should not be treated as official. |
Security Header |
Description |
---|---|
content security policy |
A content security policy (CSP), is an additional layer of security delivered via an HTTP header. This policy helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks by defining content sources which are approved thus allowing the browser to load them. Without a CSP, the browser simply loads all files on a page without considering the source which could be harmful. This puts both the site and it’s visitors at risk of malicious activity. There are multiple directives available to website owners who want to implement a content security policy. A server may also define multiple directives within a CSP security header. For a detailed list of examples and references, visit content-security-policy.com. Additionally, you can use a tool called cspisawesome.com to easily create a CSP specific to your needs. FortiADC also provides a “report-only” flag to switch to “Content-Security-Policy-Report-Only” header, which accepts all directives of CSP, but the difference is that “report-only” header only monitor the violations. FortiADC will check the existing of “report-uri” directive once “report-only” selected. |
X content type options |
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This helps reduce the danger of drive-by downloads and helps treat the content the proper way. There is only one directive that can be used, which is nosniff. An example of the header looks like:
|
X frame options |
The x-frame-options header provides clickjacking protection by not allowing iframes to load on your website. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+. There are three directives available for this header: deny, sameorigin and allow-from. But “allow-from” is obsolete and no longer works in modern browers, FortiADC will notsupport it. On FortiADC, there are two directive options: deny and sameorigin. Once “deny” selected, the header looks like:
Once “sameorigin” selected, the header looks like:
|
X XSS protection |
The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This is usually enabled by default, but using it will enforce it. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP. On FortiADC, this function has two modes to be choose: sanitizing-mode and block-mode. Once sanitizing-mode selected (usually default in browsers), an example looks like:
Once block-mode selected, an example looks like:
|
HTTP strict transport security |
|