XML Protection
XML is commonly used for data exchange, and hackers sometimes try to exploit security holes in XML code to attack web servers. XML Protection examines client requests for anomalies in XML code, and also attempts to validate the structure of XML code in client requests using trusted XML schema files.
If your API interfaces are implemented using XML, you can configure XML protection rules to ensure that the content of XML API requests does not contain any potential attacks.
To create an XML protection rule
- Go to API PROTECTION > XML Protection.
  You must have already enabled this module in Add Modules. See How to add or remove a module.
- Click +Create XML Protection Rule.
- Configure these settings.
Name
Enter a name for the XML protection rule.
Request URL
Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
Note: FortiWeb Cloud does not apply the XML protection rule to requests whose URLs do not match the Request URL.
XML Limits
Enable to define limits for attributes, CDATA, and elements.
Schema Validation
Enable to import XML schema files to check XML contents in HTTP requests. XML schema files specify the acceptable structure of, and the elements in, an XML document.
Make sure the schema file doesn't contain any structural error; otherwise the XML Protection rule will not take effect.
Schema File
Upload an acceptable XML schema file.
Available only when Schema Validation is enabled.
Forbid XML Entities
Enable to configure limits on XML entities.
- Click OK.
- From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
  To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.
  Alert
  Accept the request and generate an alert email and/or log message.
  Alert & Deny
  Block the request (or reset the connection) and generate an alert email and/or log message.
  Deny (no log)
  Block the request (or reset the connection).
- Click SAVE.
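As an added example (not FortiWeb Cloud code), the following Python function applies the kind of checks that the XML Limits and Forbid XML Entities settings describe to a request body, using the standard library's expat parser so that a violating request is rejected before any entity could be expanded. The limit values and the sample bodies are constructed; schema validation is left out because the standard library has no XSD validator.

```python
import xml.parsers.expat

class XmlViolation(Exception):
    """Raised as soon as the request body breaks a configured limit."""

def inspect_xml_request(body: bytes, max_elements: int = 100, max_attributes: int = 10,
                        max_cdata_len: int = 1024, forbid_entities: bool = True) -> dict:
    """Return {"verdict": "allow", "stats": ...} or {"verdict": "deny", "reason": ...}."""
    stats = {"elements": 0, "max_attributes": 0, "max_cdata_len": 0}
    state = {"in_cdata": False, "cdata_len": 0}
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # hand character data over in as few chunks as possible

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["max_attributes"] = max(stats["max_attributes"], len(attrs))
        if stats["elements"] > max_elements:
            raise XmlViolation(f"more than {max_elements} elements")
        if len(attrs) > max_attributes:
            raise XmlViolation(f"<{name}> carries more than {max_attributes} attributes")

    def start_cdata():
        state["in_cdata"], state["cdata_len"] = True, 0

    def char_data(data):  # also receives the text inside a CDATA section
        if state["in_cdata"]:
            state["cdata_len"] += len(data)
            stats["max_cdata_len"] = max(stats["max_cdata_len"], state["cdata_len"])
            if state["cdata_len"] > max_cdata_len:
                raise XmlViolation(f"CDATA section longer than {max_cdata_len} characters")

    def end_cdata():
        state["in_cdata"] = False

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires for internal and external (SYSTEM/PUBLIC) declarations alike.
        if forbid_entities:
            raise XmlViolation(f"entity declaration '{name}' is not allowed")

    parser.StartElementHandler = start_element
    parser.StartCdataSectionHandler = start_cdata
    parser.EndCdataSectionHandler = end_cdata
    parser.CharacterDataHandler = char_data
    parser.EntityDeclHandler = entity_decl
    try:
        parser.Parse(body, True)
    except XmlViolation as exc:
        return {"verdict": "deny", "reason": str(exc)}
    except xml.parsers.expat.ExpatError as exc:
        return {"verdict": "deny", "reason": f"malformed XML: {exc}"}
    return {"verdict": "allow", "stats": stats}
```

The returned verdict maps onto the rule actions above: "deny" corresponds to Alert & Deny or Deny (no log), while "allow" with its stats is what an Alert-only policy would log.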