Request Limits
Request Limits enforces limits at the HTTP protocol level to make sure all client requests adhere to the HTTP RFC standard and to security best practice. With this feature, you can prevent exploits such as malicious encoding and buffer overflows that can lead to Denial of Service (DoS) and server takeover.
Specifying allowed HTTP methods
You can configure FortiWeb Cloud to allow only specific HTTP request methods.
Mark the check boxes for all HTTP request methods that you want to allow. Methods that you do not select will be denied.
Configuring HTTP protocol constraints
Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.
Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.
To configure an HTTP protocol constraint profile
- Go to ACCESS RULES > Request Limits. You must have already enabled this module in Add Modules. See How to add or remove a module.
- Configure these settings.
HTTP Header
- Header Length: Specifies the maximum acceptable size in bytes of all HTTP header lines. Attack log messages contain "Total Size of All Headers Too Large" when this feature detects a header size buffer overflow attempt.
- Header Name Length: Specifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).
- Header Value Length: Specifies the maximum acceptable size in bytes of a single HTTP header value.
- Number of Cookies in Request: Specifies the maximum acceptable number of cookies in an HTTP request. Attack log messages contain "Too Many Cookies in Request" when this feature detects a cookie count buffer overflow attempt.
- Number of Ranges in Range Header: Specifies the maximum acceptable number of Range: lines in each HTTP header. Attack log messages contain "Too Many Range Headers" when this feature detects too many Range: header lines.
- Redundant HTTP Headers: Enable to check whether an HTTP request contains multiple instances of the Content-Length (HTTP/1.x only), Content-Type (HTTP/1.x and HTTP/2) and Host (HTTP/1.x and HTTP/2) header fields. The RFC requires each of these header fields to appear only once in a request; redundant copies are most likely part of an attack.
HTTP Parameter
- Total URL Parameter Length: Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a question mark (?), such as /url?parameter1=value1&parameter2=value2. The count does not include:
  - the question mark (?), ampersand (&), and equal (=) characters;
  - parameters in the HTTP body, which can occur with HTTP POST requests.
  Attack log messages contain "Total URL Parameters Length Exceeded" when this feature detects a URL parameter line length buffer overflow attempt.
- Number of URL Parameter: Specifies the maximum number of parameters in the URL. It does not include parameters in the HTTP body, which can occur with HTTP POST requests. Attack log messages contain "Too Many Parameters in Request" when this feature detects a URL parameter count buffer overflow attempt.
- Maximum URL Parameter Name Length: Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limit (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limit to 3.
- Maximum URL Parameter Value Length: Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limit (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limit to 3.
- Duplicate Parameter Name: Enable to check whether a duplicate parameter name is in the header or body parameters. This protocol constraint is triggered if:
  - there are duplicate parameter names in the header;
  - there are duplicate parameter names in the body;
  - a parameter name in the header is also in the body.
HTTP Request
- HTTP Request Filename Length: Specifies the maximum acceptable length in bytes of the HTTP request filename.
- Number of Header Lines in Request: Specifies the maximum acceptable number of lines in the HTTP header. Attack log messages contain "Too Many Headers" when this feature detects a header line count buffer overflow attempt.
- Null Character in URL: Enable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part between the host prefix and the parameters in the URL (if they exist), for example the /index.php in GET http://www.server.com/index.php?name=value HTTP/1.1. Attackers might embed null characters in a URL to evade detection.
- Illegal Character in URL: Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0-31 and ASCII 127). This feature checks the part between the host prefix and the parameters in the URL (if they exist), for example the /index.php in GET http://www.server.com/index.php?name=value HTTP/1.1.
- Malformed URL: Enable to check whether the URL (or path for HTTP/2) in a request conforms to the spec by beginning with a slash (/) character, or by having a slash follow the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash character is missing, the request is typically a malicious attempt to reach other protocols (e.g. SMTP) through the back-end web servers.
- HTTP/2 Max Requests: Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.
- HTTP/2 RST Stream: Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.
- HTTP/2 RST Stream Frequency: Enable to specify the maximum number of HTTP/2 RST Stream occurrences per second.
- Select, from the top right corner, the action that FortiWeb Cloud takes when it detects a violation of the rule. To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.
  - Alert: Accept the request and generate an alert email and/or log message.
  - Alert & Deny: Block the request (or reset the connection) and generate an alert email and/or log message.
  - Deny (no log): Block the request (or reset the connection).
- Click SAVE.
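To make the constraints above concrete, here is an added example (not FortiWeb Cloud code) of a small Python checker that parses a raw HTTP/1.x request and reports which of the protocol constraints it violates. The limit values, the sample requests and the violation labels that do not match a log message quoted above are constructed for the demonstration. Two assumptions: each comma-separated range inside a Range: header is counted as well as each Range: line, and body parameters are only parsed from an application/x-www-form-urlencoded body.

```python
from collections import Counter

# Constructed policy: deliberately small limits so the sample requests below trip them.
POLICY = {
    "allowed_methods": {"GET", "POST", "HEAD"},
    "header_length": 1024,          # bytes of all header lines together
    "header_name_length": 64,
    "header_value_length": 512,
    "header_lines": 20,             # Number of Header Lines in Request
    "cookies": 5,                   # Number of Cookies in Request
    "ranges": 2,                    # Number of Ranges in Range Header
    "url_param_total_length": 256,  # names + values, excluding ? & =
    "url_param_count": 8,
    "url_param_name_length": 32,
    "url_param_value_length": 64,
}
ONCE_ONLY = ("host", "content-length", "content-type")  # Redundant HTTP Headers
ILLEGAL = {chr(c) for c in range(32)} | {chr(127)}      # ASCII 0-31 and 127

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, header pairs and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = [tuple(s.strip() for s in ln.partition(":")[::2]) for ln in lines[1:]]
    return {"method": method, "target": target, "headers": headers, "body": body,
            "header_bytes": sum(len(ln) + 2 for ln in lines[1:])}  # +2 for CRLF

def split_target(target: str):
    """(path, query) for an origin-form '/a?b' or absolute-form 'http://h/a?b'
    target; a missing slash after the host yields an empty path."""
    if "://" in target:
        rest = target.split("://", 1)[1]
        slash = rest.find("/")
        target = rest[slash:] if slash >= 0 else ""
    path, _, query = target.partition("?")
    return path, query

def parse_params(qs: str) -> list:
    """'a=1&b=2' -> [('a', '1'), ('b', '2')]; the ? & = separators are dropped."""
    return [tuple(p.partition("=")[::2]) for p in qs.split("&") if p]

def check_request(raw: bytes, policy: dict = POLICY) -> list:
    """Evaluate one request against the policy and return its violation labels."""
    req = parse_request(raw)
    headers = req["headers"]
    def hdr(name):  # all values of one header, matched case-insensitively
        return [v for n, v in headers if n.lower() == name]
    counts = Counter(n.lower() for n, _ in headers)
    cookies = sum(len([c for c in v.split(";") if c.strip()]) for v in hdr("cookie"))
    # Assumption: every comma-separated range is counted, not only each Range: line.
    ranges = sum(len(v.partition("=")[2].split(",")) for v in hdr("range"))
    path, query = split_target(req["target"])  # the span the URL checks inspect
    url_params = parse_params(query)
    ctype = (hdr("content-type") or [""])[0]
    body_params = (parse_params(req["body"].decode("latin-1"))
                   if ctype.startswith("application/x-www-form-urlencoded") else [])
    url_names, body_names = Counter(n for n, _ in url_params), Counter(n for n, _ in body_params)
    rules = [
        (req["method"] not in policy["allowed_methods"], "Method Not Allowed"),
        # HTTP Header constraints
        (req["header_bytes"] > policy["header_length"], "Total Size of All Headers Too Large"),
        (len(headers) > policy["header_lines"], "Too Many Headers"),
        (any(len(n) > policy["header_name_length"] for n, _ in headers), "Header Name Too Long"),
        (any(len(v) > policy["header_value_length"] for _, v in headers), "Header Value Too Long"),
        (any(counts[n] > 1 for n in ONCE_ONLY), "Redundant HTTP Headers"),
        (cookies > policy["cookies"], "Too Many Cookies in Request"),
        (ranges > policy["ranges"], "Too Many Range Headers"),
        # HTTP Request constraints (the path between host prefix and '?')
        (not path.startswith("/"), "Malformed URL"),
        ("\x00" in path or "%00" in path, "Null Character in URL"),
        (any(ch in ILLEGAL for ch in path), "Illegal Character in URL"),
        # HTTP Parameter constraints (URL query only; body params matter for duplicates)
        (sum(len(n) + len(v) for n, v in url_params) > policy["url_param_total_length"],
         "Total URL Parameters Length Exceeded"),
        (len(url_params) > policy["url_param_count"], "Too Many Parameters in Request"),
        (any(len(n) > policy["url_param_name_length"] for n, _ in url_params),
         "URL Parameter Name Too Long"),
        (any(len(v) > policy["url_param_value_length"] for _, v in url_params),
         "URL Parameter Value Too Long"),
        (max(url_names.values(), default=0) > 1 or max(body_names.values(), default=0) > 1
         or bool(url_names.keys() & body_names.keys()), "Duplicate Parameter Name"),
    ]
    return [label for hit, label in rules if hit]

# Constructed sample requests, CRLF-terminated as on the wire.
CLEAN = (b"GET /index.php?user=test&sid=1234 HTTP/1.1\r\n"
         b"Host: www.server.com\r\nUser-Agent: demo\r\n\r\n")
NOISY = (b"GET /index.php?user=test&user=again HTTP/1.1\r\n"
         b"Host: a.example\r\nHost: b.example\r\n"
         b"Cookie: a=1; b=2; c=3; d=4; e=5; f=6\r\nRange: bytes=0-1,2-3,4-5\r\n\r\n")
NULLED = b"GET /index%00.php HTTP/1.1\r\nHost: www.server.com\r\n\r\n"
NOSLASH = b"TRACE www.server.com HTTP/1.1\r\nHost: www.server.com\r\n\r\n"

if __name__ == "__main__":
    for raw in (CLEAN, NOISY, NULLED, NOSLASH):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", check_request(raw) or "clean")
```

The checker evaluates every rule rather than stopping at the first hit, so one request can report several constraints at once, which mirrors the way each setting above is an independent check with its own log message. Lowering url_param_name_length to 3 reproduces the page's example: user in GET /index.php?user=test&sid=1234 becomes an illegal parameter name while sid still passes.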