config security waf http-header-security
HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME-sniffing vulnerabilities. These response headers communicate security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when rendering the site's responses.
When the HTTP Security Headers feature is enabled, headers with the specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple way to address these vulnerabilities on a user's website without code or configuration changes on the web servers themselves.
Syntax
    config security waf http-header-security
        edit <hhs-profile-name>
            set request-status [ enable | disable ]
            set request-url <URL-string>
            set mode [ add-always | add-replace | add-if-absent ]
            config http-header-security-list
                edit <name>
                    set name [ content-security-policy | x-content-type-options | x-frame-options | x-xss-protection | http-strict-transport-security ]
                    set value [ nosniff | deny | sameorigin | sanitizing-mode | block-mode ]
                    set policy <string>
                    set report-only [ enable | disable ]
                    set max-age <seconds>
                    set include-subdomain [ enable | disable ]
                    set preload [ enable | disable ]
                next
            end
        next
    end

    config security waf profile
        edit <waf-profile-name>
            set http-header-profile <hhs-profile-name>
        next
    end
CLI Parameter | Description
---|---
request-status | Enable/disable request URL matching.
request-url | Available only if request-status is enabled. Specify the URL used to match requests; the security headers are applied to the responses of the matched requests.
mode | Specify the header operation mode for responses from the back-end server(s): add-always, add-replace, or add-if-absent.
http-header-security-list | The list of security headers to insert. Each entry takes the parameters below.
name | Set the HTTP security header name.
value | The directive for the header selected in name. x-content-type-options: nosniff. x-frame-options: deny, sameorigin. x-xss-protection: sanitizing-mode, block-mode.
policy | Only valid if content-security-policy is selected. Enter the header value(s) that set restrictions on resource types and sources, for example: default-src 'self';script-src 'self';object-src 'self'.
report-only | Enabling report-only switches the header to Content-Security-Policy-Report-Only, which accepts all CSP directives but only monitors violations instead of enforcing the policy. FortiADC checks that a report-uri directive is present when report-only is selected.
max-age | The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. A max-age value of zero (i.e., max-age=0) signals the user agent to stop regarding the host as a known HSTS host, including the includeSubDomains directive (if asserted for that HSTS host).
include-subdomain | Optional. If enabled, the rule applies to all of the site's subdomains as well.
preload | Optional. If enabled, the preload directive is added to the header. Google maintains an HSTS preload service at https://hstspreload.org/; by following its guidelines and successfully submitting your domain, browsers will never connect to your domain over an insecure connection. While the service is hosted by Google, all major browsers have stated an intent to use (or have started using) the preload list, and Chrome, Firefox, Opera, Safari, IE 11 and Edge maintain HSTS preload lists based on the Chrome list (see the HSTS compatibility matrix). However, preloading is not part of the HSTS specification and should not be treated as official.
Security Header | Description
---|---
content-security-policy | A content security policy (CSP) is an additional layer of security delivered via an HTTP header. It helps prevent attacks such as cross-site scripting (XSS) and other code-injection attacks by defining the content sources that are approved, so that the browser loads only those. Without a CSP, the browser simply loads every resource referenced on a page without considering its source, which puts both the site and its visitors at risk of malicious activity. Many directives are available to website owners who want to implement a CSP, and a server may define multiple directives within one CSP header. For a detailed list of examples and references, visit content-security-policy.com; the cspisawesome.com tool helps create a CSP specific to your needs. FortiADC also provides a report-only flag that switches to the Content-Security-Policy-Report-Only header, which accepts all CSP directives but only monitors violations instead of enforcing them. FortiADC checks that a report-uri directive is present when report-only is selected.
x-content-type-options | The X-Content-Type-Options response header is a marker used by the server to indicate that the MIME types advertised in the Content-Type header should be followed and not changed. This reduces the danger of drive-by downloads and helps the browser treat content the proper way. The only directive is nosniff, so the header looks like: `X-Content-Type-Options: nosniff`
x-frame-options | The X-Frame-Options header provides clickjacking protection by controlling whether your pages may be rendered inside a frame or iframe on another site. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+ and Safari 4+. Three directives exist for this header: deny, sameorigin and allow-from. Because allow-from is obsolete and no longer works in modern browsers, FortiADC does not support it; the two directive options on FortiADC are deny and sameorigin. With deny selected the header is `X-Frame-Options: DENY`; with sameorigin selected it is `X-Frame-Options: SAMEORIGIN`
x-xss-protection | The X-XSS-Protection header is designed to enable the cross-site scripting (XSS) filter built into some web browsers. The filter is usually enabled by default, but sending the header enforces it. These protections are largely unnecessary in modern browsers when a site implements a strong Content-Security-Policy that disables inline JavaScript ('unsafe-inline'), and current Chrome and Edge releases have removed their XSS filter altogether, but the header can still protect users of older browsers that do not yet support CSP. On FortiADC, this function has two modes to choose from: sanitizing-mode and block-mode. With sanitizing-mode selected (usually the browser default) the header looks like `X-XSS-Protection: 1`; with block-mode selected it looks like `X-XSS-Protection: 1; mode=block`
http-strict-transport-security | The Strict-Transport-Security header tells the browser that the site is only to be accessed using HTTPS. On FortiADC it is built from the max-age, include-subdomain and preload parameters described in the table above.
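To make the parameter table and the header descriptions above concrete, the following added example (written for this page, not FortiADC's own code) parses a profile written in the CLI syntax documented here, renders each list entry into the corresponding response header, and merges the headers into a constructed backend response under each of the three operation modes. The profile and entry names, the backend response, the path-prefix interpretation of request-url, and the exact merge semantics of add-always and add-replace are assumptions made for the example; the directive-to-value mapping follows the standard header syntax shown in the table.

```python
"""Added example (not FortiADC code): parse a http-header-security profile,
render its entries as response headers, and merge them under each mode."""
import re

# Constructed CLI snippet in this page's syntax; profile and entry names are made up.
CLI_SNIPPET = '''
config security waf http-header-security
    edit "hhs-demo"
        set request-status enable
        set request-url "/app/"
        set mode add-if-absent
        config http-header-security-list
            edit "hsts"
                set name http-strict-transport-security
                set max-age 31536000
                set include-subdomain enable
                set preload enable
            next
            edit "xfo"
                set name x-frame-options
                set value sameorigin
            next
            edit "csp"
                set name content-security-policy
                set policy "default-src 'self'; script-src 'self'; report-uri /csp-report"
                set report-only enable
            next
        end
    next
end
'''

def parse_profile(text):
    """Walk config/edit/set/next/end lines into a dict; assumes a single profile."""
    profile = {"headers": []}
    current, depth = None, 0       # depth 1 = profile block, depth 2 = list entry
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw.strip())]
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
        elif tokens[0] == "edit" and depth == 1:
            current = profile
            profile["profile"] = tokens[1]
        elif tokens[0] == "edit":
            current = {"entry": tokens[1]}
            profile["headers"].append(current)
        elif tokens[0] == "set":
            current[tokens[1]] = " ".join(tokens[2:])
        elif tokens[0] == "end":
            depth -= 1
    return profile

def render_header(entry):
    """Map one list entry to (header name, value) using the standard header syntax."""
    name = entry["name"]
    if name == "http-strict-transport-security":
        parts = ["max-age=" + entry.get("max-age", "0")]
        if entry.get("include-subdomain") == "enable":
            parts.append("includeSubDomains")
        if entry.get("preload") == "enable":
            parts.append("preload")
        return "Strict-Transport-Security", "; ".join(parts)
    if name == "x-content-type-options":
        return "X-Content-Type-Options", "nosniff"
    if name == "x-frame-options":
        return "X-Frame-Options", entry["value"].upper()
    if name == "x-xss-protection":
        return "X-XSS-Protection", "1; mode=block" if entry["value"] == "block-mode" else "1"
    if name == "content-security-policy":
        if entry.get("report-only") == "enable":
            # The page says report-uri is checked for in report-only mode; rejecting
            # the entry when it is missing is this example's own choice.
            if "report-uri" not in entry["policy"]:
                raise ValueError("report-only CSP without report-uri would report nowhere")
            return "Content-Security-Policy-Report-Only", entry["policy"]
        return "Content-Security-Policy", entry["policy"]
    raise ValueError("unsupported header name: " + name)

def apply_profile(profile, request_path, backend_headers):
    """Merge rendered headers into a backend response given as (name, value) pairs.
    Assumed semantics: request-url is a path-prefix match; add-replace drops every
    existing copy of the header; add-always appends even when a copy already exists."""
    if (profile.get("request-status") == "enable"
            and not request_path.startswith(profile.get("request-url", ""))):
        return list(backend_headers)        # unmatched request: response left untouched
    out, mode = list(backend_headers), profile.get("mode", "add-always")
    for entry in profile["headers"]:
        hname, hvalue = render_header(entry)
        present = any(n.lower() == hname.lower() for n, _ in out)
        if mode == "add-replace" and present:
            out = [(n, v) for n, v in out if n.lower() != hname.lower()]
        if mode != "add-if-absent" or not present:
            out.append((hname, hvalue))     # add-if-absent keeps the backend's copy
    return out

def header_values(headers, name):
    # All values carried for one header name, compared case-insensitively.
    return [v for n, v in headers if n.lower() == name.lower()]

# Constructed backend response that already sets a stricter X-Frame-Options.
BACKEND = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
PROFILE = parse_profile(CLI_SNIPPET)

if __name__ == "__main__":
    for mode in ("add-always", "add-replace", "add-if-absent"):
        print(mode, apply_profile(dict(PROFILE, mode=mode), "/app/index.html", BACKEND))
```

Running the script shows why the mode matters when the backend already sends a header: add-if-absent keeps the backend's DENY, add-replace swaps it for the profile's SAMEORIGIN, and add-always emits both lines, which leaves the browser to pick one. The request-url check also shows that a response to a path outside the matched prefix passes through without any inserted headers.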