Request Limits
Request Limits enforces limits at the HTTP protocol level to make sure all client requests adhere to the HTTP RFC standards and to security best practice. With this feature, you can prevent exploits such as malicious encoding and buffer overflows that can lead to Denial of Service (DoS) and server takeover.
Specifying allowed HTTP methods
You can configure FortiAppSec Cloud to allow only specific HTTP request methods.
Mark the check boxes for all HTTP request methods that you want to allow. Methods that you do not select will be denied.
Configuring HTTP protocol constraints
Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.
Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.
To configure an HTTP protocol constraint profile
- Go to ACCESS RULES > Request Limits.
You must have already enabled this module in Add Modules. See Add and Remove Modules.
- Configure these settings.
HTTP Header
Header Length
Specifies the maximum acceptable size in bytes of all HTTP header lines.
Attack log messages contain Total Size of All Headers Too Large when this feature detects a header size buffer overflow attempt.
Header Name Length
Specifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).
Header Value Length
Specifies the maximum acceptable size in bytes of a single HTTP header value.
Number of Cookies in Request
Specifies the maximum acceptable number of cookies in an HTTP request.
Attack log messages contain Too Many Cookies in Request when this feature detects a cookie count buffer overflow attempt.
Number of Ranges in Range Header
Specifies the maximum acceptable number of Range: lines in each HTTP header.
Attack log messages contain Too Many Range Headers when this feature detects too many Range: header lines.
Redundant HTTP Headers
Enable to check whether an HTTP request contains multiple instances of the Content-Length (HTTP/1.x only), Content-Type (HTTP/1.x and HTTP/2), and Host (HTTP/1.x and HTTP/2) header fields. The RFC requires each of these header fields to appear only once in a request, so redundant copies are very likely part of an attack.
Illegal Character in Header Name
Enable to check whether an HTTP header name contains illegal characters. Illegal characters in HTTP headers include spaces, non-printable ASCII characters, and other special characters.
Illegal Character in Header Value
Enable to check whether an HTTP header value contains illegal characters. Illegal characters in HTTP headers include spaces, non-printable ASCII characters, and other special characters.
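The following Python script is an added illustration of how the HTTP Header constraints above can be evaluated against a parsed request; it is not FortiAppSec Cloud code. The limit values, the `HeaderLimits` and `check_headers` names, the cookie-counting rule (one cookie per `name=value` pair in any Cookie line) and the RFC 7230 token character set are assumptions; the sample header lists are constructed. Where the page quotes an attack log message, the script emits that exact string, and the other violation strings are constructed for the example.

```python
"""Header-level protocol constraint checks modelled on the Request Limits settings.
Added illustration, not FortiAppSec Cloud code; limits and the non-page messages
are constructed for the example."""
import string
from dataclasses import dataclass

# RFC 7230 'tchar': the only characters allowed in a header field name
# (assumption: the product's own illegal-character list is not published).
TOKEN_CHARS = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
# Header fields the page says must appear at most once in a request.
ONCE_ONLY = {"content-length", "content-type", "host"}


@dataclass
class HeaderLimits:
    header_length: int = 8192            # bytes of all header lines together (assumed default)
    header_name_length: int = 256
    header_value_length: int = 4096
    cookies_in_request: int = 50
    ranges_in_range_header: int = 5
    check_redundant: bool = True
    check_illegal_name: bool = True
    check_illegal_value: bool = True


def count_cookies(headers):
    """Count name=value pairs across all Cookie lines (assumption: one cookie per pair)."""
    return sum(len([p for p in v.split(";") if p.strip()])
               for n, v in headers if n.lower() == "cookie")


def check_headers(headers, limits=None):
    """headers: list of (name, value) tuples in wire order. Returns violation messages:
    the page's log messages where it gives one, constructed messages otherwise."""
    limits = limits or HeaderLimits()
    violations = []
    # Each line is 'Name: value\r\n' on the wire, so count name + ': ' + value + CRLF.
    total = sum(len(n) + 2 + len(v) + 2 for n, v in headers)
    if total > limits.header_length:
        violations.append("Total Size of All Headers Too Large")
    for name, value in headers:
        if len(name) > limits.header_name_length:
            violations.append(f"Header Name Too Long: {name}")
        if len(value) > limits.header_value_length:
            violations.append(f"Header Value Too Long: {name}")
        if limits.check_illegal_name and any(c not in TOKEN_CHARS for c in name):
            violations.append(f"Illegal Character in Header Name: {name!r}")
        # Values may hold printable ASCII and HTAB; control characters are illegal.
        if limits.check_illegal_value and any(
                not (0x20 <= ord(c) < 0x7F or c == "\t") for c in value):
            violations.append(f"Illegal Character in Header Value: {name}")
    if count_cookies(headers) > limits.cookies_in_request:
        violations.append("Too Many Cookies in Request")
    if sum(1 for n, _ in headers if n.lower() == "range") > limits.ranges_in_range_header:
        violations.append("Too Many Range Headers")
    if limits.check_redundant:
        seen = [n.lower() for n, _ in headers]
        for field in sorted(ONCE_ONLY):
            if seen.count(field) > 1:
                violations.append(f"Redundant HTTP Headers: {field}")
    return violations


# Constructed sample header lists (not captured traffic).
SAMPLE_CLEAN = [("Host", "www.example.com"), ("User-Agent", "curl/8.0"), ("Accept", "*/*")]
SAMPLE_BAD = [("Host", "a.example"), ("Host", "b.example"),   # redundant Host
              ("X Bad", "1"),                                  # space in header name
              ("X-Ctl", "a\x01b"),                             # control character in value
              ("Cookie", "c0=v; c1=v; c2=v"),                  # three cookies
              ("Range", "bytes=0-1"), ("Range", "bytes=2-3")]  # two Range lines

if __name__ == "__main__":
    strict = HeaderLimits(cookies_in_request=2, ranges_in_range_header=1)
    for v in check_headers(SAMPLE_BAD, strict):
        print(v)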
HTTP Parameter
Total URL Parameter Length
Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as: /url?parameter1=value1&parameter2=value2. The count does not include:
- Question mark (?), ampersand (&), and equal (=) characters.
- Parameters in the HTTP body, which can occur with HTTP POST requests.
Attack log messages contain Total URL Parameters Length Exceeded when this feature detects a URL parameter line length buffer overflow attempt.
Number of URL Parameter
Specifies the maximum number of parameters in the URL. It does not include parameters in the HTTP body, which can occur with HTTP POST requests.
Attack log messages contain Too Many Parameters in Request when this feature detects a URL parameter count buffer overflow attempt.
Maximum URL Parameter Name Length
Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limit (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limit to 3.
Maximum URL Parameter Value Length
Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limit (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limit to 3.
Duplicate Parameter Name
Enable to check whether a duplicate parameter name is present in the header or body parameters. This protocol constraint is triggered if:
- There are duplicate parameter names in the header.
- There are duplicate parameter names in the body.
- A parameter name in the header is also in the body.
Illegal Character in Parameter Name
Enable to check whether a URL parameter name contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.
Illegal Character in Parameter Value
Enable to check whether a URL parameter value contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.
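The following Python script is an added illustration of the HTTP Parameter constraints above, including the page's own worked example (GET /index.php?user=test&sid=1234 with a limit of 3); it is not FortiAppSec Cloud code. The `ParameterLimits` and `check_parameters` names, the treatment of a URL-encoded body as the "body parameters", and the RFC 3986 query character set used for the illegal-character checks are assumptions. The two log messages the page quotes are emitted verbatim; the other violation strings are constructed.

```python
"""URL parameter protocol constraint checks modelled on the Request Limits settings.
Added illustration, not FortiAppSec Cloud code."""
import string
from dataclasses import dataclass

# Characters a query-string name or value may contain once the string has been split
# on '&' and '=' (RFC 3986 unreserved, the remaining sub-delims, ':' '@' '/' '?', and
# '%' for percent-encoding). Assumption: the product's exact list is not on the page.
QUERY_CHARS = set(string.ascii_letters + string.digits + "-._~!$'()*+,;:@/?%")


@dataclass
class ParameterLimits:
    total_url_parameter_length: int = 8192   # assumed default
    number_of_url_parameters: int = 256      # assumed default
    parameter_name_length: int = 4096        # default stated on the page
    parameter_value_length: int = 4096       # default stated on the page
    check_duplicates: bool = True
    check_illegal_name: bool = True
    check_illegal_value: bool = True


def split_pairs(encoded):
    """Split 'a=1&b=2' into [('a', '1'), ('b', '2')]; a missing '=' gives an empty value."""
    pairs = []
    for item in encoded.split("&"):
        if item == "":
            continue
        name, _, value = item.partition("=")
        pairs.append((name, value))
    return pairs


def parse_query(url):
    """Return the URL's parameters; everything before the first '?' is ignored."""
    _, _, query = url.partition("?")
    return split_pairs(query)


def url_parameter_length(pairs):
    """Total length of names and values only: '?', '&' and '=' are not counted."""
    return sum(len(n) + len(v) for n, v in pairs)


def check_parameters(url, body="", limits=None):
    """url: request target; body: application/x-www-form-urlencoded body (may be empty).
    Length and count limits apply to URL parameters only, as the page states."""
    limits = limits or ParameterLimits()
    url_pairs = parse_query(url)
    body_pairs = split_pairs(body)
    violations = []
    if url_parameter_length(url_pairs) > limits.total_url_parameter_length:
        violations.append("Total URL Parameters Length Exceeded")
    if len(url_pairs) > limits.number_of_url_parameters:
        violations.append("Too Many Parameters in Request")
    for name, value in url_pairs:
        if len(name) > limits.parameter_name_length:
            violations.append(f"URL Parameter Name Too Long: {name}")
        if len(value) > limits.parameter_value_length:
            violations.append(f"URL Parameter Value Too Long: {value}")
        if limits.check_illegal_name and any(c not in QUERY_CHARS for c in name):
            violations.append(f"Illegal Character in Parameter Name: {name!r}")
        if limits.check_illegal_value and any(c not in QUERY_CHARS for c in value):
            violations.append(f"Illegal Character in Parameter Value: {value!r}")
    if limits.check_duplicates:
        # The page's three triggers: duplicates within the URL, within the body,
        # and a name that appears in both.
        url_names = [n for n, _ in url_pairs]
        body_names = [n for n, _ in body_pairs]
        dupes = {n for n in url_names if url_names.count(n) > 1}
        dupes |= {n for n in body_names if body_names.count(n) > 1}
        dupes |= set(url_names) & set(body_names)
        for name in sorted(dupes):
            violations.append(f"Duplicate Parameter Name: {name}")
    return violations


if __name__ == "__main__":
    # The page's example: with a limit of 3, 'user' and '1234' are both illegal.
    tight = ParameterLimits(parameter_name_length=3, parameter_value_length=3)
    for v in check_parameters("/index.php?user=test&sid=1234", limits=tight):
        print(v)
```

With the page's default of 4096 the example request passes cleanly; the duplicate check reports `x` when the same name is in both the query string and the body, which is the third trigger listed above.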
HTTP Request
HTTP Request Filename Length
Specifies the maximum acceptable length in bytes of the HTTP request filename.
Number of Header Lines in Request
Specifies the maximum acceptable number of lines in the HTTP header.
Attack log messages contain Too Many Headers when this feature detects a header line count buffer overflow attempt.
Null Character in URL
Enable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part of the URL between the host prefix and the parameters (if they exist), for example, /index.php in GET http://www.server.com/index.php?name=value HTTP/1.1. Attackers might embed null characters in the URL to evade detection.
Illegal Character in URL
Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0-31 and ASCII 127). This feature checks the part of the URL between the host prefix and the parameters (if they exist), for example, /index.php in GET http://www.server.com/index.php?name=value HTTP/1.1.
Malformed URL
Enable to check whether the URL (or path for HTTP/2) in a request conforms to the specification by beginning with a slash (/) character, or by having a slash character follow the protocol prefix and host prefix in the URL (for example, http://myserver.com/default.asp). If the slash characters are missing, the request is typically a malicious attempt to reach other protocols (for example, SMTP) through the back-end web servers.
HTTP/2 Max Requests
Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.
Missing Host
Enable to check whether the Host header is missing. For HTTP/2, the Missing Host violation is raised only when both the Authority and Host headers are absent.
HTTP/2 RST
HTTP/2 RST Stream
Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.
HTTP/2 RST Stream Frequency
Enable to specify the maximum acceptable number of HTTP/2 RST Stream occurrences per second.
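The following Python script is an added illustration of the request-line checks in the HTTP Request settings above (Null Character in URL, Illegal Character in URL, Malformed URL) together with the Missing Host check for HTTP/1.x and HTTP/2; it is not FortiAppSec Cloud code. The `extract_path` and `check_request_target` names, the use of `:authority` as the HTTP/2 Authority header, and the RFC 3986 path character set are assumptions, and the sample targets are constructed. The Malformed URL rule is implemented exactly as the page states it: a target must start with a slash, or with a scheme and host followed by a slash.

```python
"""Request-target and Host checks modelled on the Request Limits settings.
Added illustration, not FortiAppSec Cloud code."""
import string

# RFC 3986 path characters: unreserved + sub-delims + ':' '@' '/' plus '%' for
# percent-encoding. Assumption: the product's exact list is not on the page.
PATH_CHARS = set(string.ascii_letters + string.digits + "-._~!$&'()*+,;=:@/%")


def extract_path(target):
    """Return the part of the target between host prefix and parameters, or None when
    the target is malformed under the page's rule (no leading slash, and no slash
    after scheme://host). The query string is dropped before returning."""
    if target.startswith("/"):
        path = target
    elif target.lower().startswith(("http://", "https://")):
        _, _, rest = target.partition("://")
        slash = rest.find("/")
        if slash == -1:
            return None
        path = rest[slash:]
    else:
        return None
    return path.partition("?")[0]


def check_request_target(target, headers, http2=False):
    """target: the request-target from the request line (or the :path for HTTP/2).
    headers: list of (name, value) tuples. Returns the page's violation names."""
    violations = []
    path = extract_path(target)
    if path is None:
        violations.append("Malformed URL")
    else:
        # Both a raw NUL byte and its percent-encoded form are null characters.
        if "\x00" in path or "%00" in path.lower():
            violations.append("Null Character in URL")
        # Control characters (ASCII 0-31, 127) and anything else outside the RFC set.
        if any(c not in PATH_CHARS for c in path):
            violations.append("Illegal Character in URL")
    names = {n.lower() for n, _ in headers}
    if http2:
        # HTTP/2: only a violation when both :authority and Host are absent.
        if ":authority" not in names and "host" not in names:
            violations.append("Missing Host")
    elif "host" not in names:
        violations.append("Missing Host")
    return violations


if __name__ == "__main__":
    host = [("Host", "www.server.com")]   # constructed header list
    for t in ("/index.php?name=value",
              "http://www.server.com/index.php?name=value",
              "/index%00.php",
              "www.server.com:25"):
        print(t, "->", check_request_target(t, host) or "ok")
```

The last sample target has neither a leading slash nor a scheme, which is the shape the page describes for an attempt to reach a non-HTTP service through the back-end server.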
Content Length
Content Length
Specifies the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.
Attack log messages contain Content Length Exceeded when this feature detects a content length buffer overflow attempt.
Present with Transfer Encoding
Enable to check whether content-length and transfer-encoding coexist.
Inconsistent with Body Length
Enable to check whether the response carries more body than the content-length specified.
Others
Range Overlapping
Enable to detect RangeAmp Overlapping Byte Ranges (OBR) attacks. For more information on this attack, refer to https://www.linuxadictos.com/en/rangeamp-a-series-of-cdn-attacks-that-manipulate-the-range-http-header.html
Multipart/form-data Bad Request
Enable to detect whether each multipart request chunk contains the strings "Content-Disposition" and "Name". If it does not, the system considers it a violation.
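The following Python script is an added illustration of the Content Length and Others settings above: the Content-Length limit, the coexistence of Content-Length with Transfer-Encoding, a body longer than the declared Content-Length, overlapping byte ranges in a Range header, and multipart parts that lack a Content-Disposition with a name. It is not FortiAppSec Cloud code. The `check_body` and helper names and the 64 KiB default limit are assumptions; suffix ranges such as `-500` need the resource size, so the overlap check skips them (an assumption stated in the code). Sample headers and bodies are constructed.

```python
"""Body-level protocol constraint checks modelled on the Request Limits settings.
Added illustration, not FortiAppSec Cloud code."""


def header_values(headers, name):
    """All values of a header field, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def parse_byte_ranges(range_value):
    """Parse 'bytes=0-99, 200-' into (start, end) pairs; an open end becomes None.
    Suffix ranges ('-500') depend on the resource size and are skipped (assumption)."""
    unit, _, spec = range_value.partition("=")
    if unit.strip().lower() != "bytes":
        return []
    ranges = []
    for item in spec.split(","):
        first, _, last = item.strip().partition("-")
        if not first.isdigit():
            continue
        ranges.append((int(first), int(last) if last.isdigit() else None))
    return ranges


def ranges_overlap(ranges):
    """True when any two requested byte ranges share at least one byte."""
    ordered = sorted(ranges, key=lambda r: r[0])
    for (_, end1), (start2, _) in zip(ordered, ordered[1:]):
        if end1 is None or start2 <= end1:
            return True
    return False


def multipart_parts_ok(content_type, body):
    """Every part between boundaries must carry a Content-Disposition with a name
    (the page's 'Content-Disposition' and 'Name' strings, matched case-insensitively)."""
    _, _, boundary = content_type.partition("boundary=")
    boundary = boundary.strip().strip('"')
    if not boundary:
        return False
    parts = body.split("--" + boundary)
    # parts[0] is the preamble; the closing '--boundary--' leaves a part starting with '--'.
    inner = [p for p in parts[1:] if p.strip() and not p.strip().startswith("--")]
    return all("content-disposition" in p.lower() and "name=" in p.lower() for p in inner)


def check_body(headers, body, content_length_limit=65536):
    """headers: list of (name, value) tuples; body: str or bytes of the message body.
    Returns the page's log message or constraint name for each violation found."""
    if isinstance(body, bytes):
        body = body.decode("latin-1")   # keep one byte per character for length checks
    violations = []
    declared = header_values(headers, "Content-Length")
    if declared and declared[0].strip().isdigit():
        length = int(declared[0])
        if length > content_length_limit:
            violations.append("Content Length Exceeded")
        if header_values(headers, "Transfer-Encoding"):
            violations.append("Present with Transfer Encoding")
        if len(body) > length:
            violations.append("Inconsistent with Body Length")
    for value in header_values(headers, "Range"):
        if ranges_overlap(parse_byte_ranges(value)):
            violations.append("Range Overlapping")
            break
    for ctype in header_values(headers, "Content-Type"):
        if ctype.lower().startswith("multipart/form-data") and not multipart_parts_ok(ctype, body):
            violations.append("Multipart/form-data Bad Request")
    return violations


# Constructed sample multipart bodies (not captured traffic).
MULTIPART_TYPE = "multipart/form-data; boundary=B"
GOOD_MULTIPART = ('--B\r\nContent-Disposition: form-data; name="f"\r\n\r\nhello\r\n'
                  '--B--\r\n')
BAD_MULTIPART = '--B\r\nX-Note: none\r\n\r\nhello\r\n--B--\r\n'

if __name__ == "__main__":
    smuggle = [("Content-Length", "5"), ("Transfer-Encoding", "chunked")]
    print(check_body(smuggle, "hello"))
    print(check_body([("Range", "bytes=0-100, 50-150")], ""))
    print(check_body([("Content-Type", MULTIPART_TYPE)], BAD_MULTIPART))
```

The Content-Length plus Transfer-Encoding case is the one to watch most closely: the two headers give front-end and back-end different ideas of where the request ends, which is why the page treats their coexistence as a violation on its own.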
- In the top right corner, select the action that FortiAppSec Cloud takes when it detects a violation of the rule. To configure the actions, you must first enable Advanced Configuration in WAF > System Settings > Settings.
Alert
Accept the request and generate a log message.
Alert & Deny
Block the request (or reset the connection) and generate a log message.
Deny (no log)
Block the request (or reset the connection).
Period Block
Block the current request. In addition, all subsequent requests from the same client in the next 10 minutes are also blocked.
- Click SAVE.