User Guide

HTTP Header Security

HTTP response security headers are a set of standard HTTP response headers designed to prevent or mitigate known XSS, clickjacking, and MIME-sniffing vulnerabilities. These headers communicate a security policy to the client browser so that the browser avoids exposure to known vulnerabilities when handling the response.

When this feature is enabled, the headers with the specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple way to address these vulnerabilities on your website without changing application code or server configuration. The following are the security headers that FortiWeb Cloud can insert into responses.

To configure HTTP Header Security, you must have already enabled this module in Add Modules. See How to add or remove a module.

X-Frame-Options

This header protects against clickjacking by restricting whether the browser may display the page inside a frame.

X-Content-Type-Options

This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

X-XSS-Protection

This header enables a browser's built-in Cross-site scripting (XSS) protection.

Content-Security-Policy

Enable this option to prevent certain types of attacks, including XSS and data injection, by inserting this header with a policy such as default-src 'self'; script-src 'self'; object-src 'self'.
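The following Python example, added here and not part of FortiWeb Cloud or its documentation, shows the two halves of what the feature above does from a defender's point of view: it audits a backend response for the four headers (flagging any that are missing or carry a weak value, including a permissive Content-Security-Policy), and then inserts the headers the way an in-line proxy would. The sample backend response is constructed for the example; the header values used for insertion are assumptions (FortiWeb's configured defaults are not stated on the page), except for the CSP, which is the page's own example policy.

```python
"""Audit a backend HTTP response for the security headers described above and
insert them as an in-line proxy would.  Added example; not FortiWeb code."""
from typing import Dict, List, Tuple

# Values used when inserting headers.  Assumption: the page does not state
# FortiWeb's defaults; the CSP value is the page's own example policy.
INSERTED_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'self'",
}

# Constructed sample: a backend response that sets only a permissive CSP.
RAW_BACKEND_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Content-Security-Policy: default-src *; script-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def split_response(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a raw HTTP/1.1 response into status line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers, body


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Turn "default-src a b; script-src c" into {"default-src": [a, b], ...}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(raw: str) -> List[str]:
    """Return findings for missing or weak security headers (empty list = clean)."""
    _, header_pairs, _ = split_response(raw)
    headers = {name.lower(): value for name, value in header_pairs}
    findings: List[str] = []

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("missing X-Content-Type-Options")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected 'nosniff'")

    xxss = headers.get("x-xss-protection")
    if xxss is None:
        findings.append("missing X-XSS-Protection")
    elif not xxss.startswith("1"):
        findings.append("X-XSS-Protection does not enable the filter")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        directives = parse_csp(csp)
        fallback = directives.get("default-src")
        if fallback is None:
            findings.append("CSP has no default-src fallback")
        # A directive that is absent inherits default-src, so check the
        # effective source list for each directive the page's policy names.
        for name in ("default-src", "script-src", "object-src"):
            sources = directives.get(name, fallback or [])
            for weak in ("*", "'unsafe-inline'", "'unsafe-eval'"):
                if weak in sources:
                    findings.append(f"CSP {name} allows {weak}")
    return findings


def insert_security_headers(raw: str) -> str:
    """Rebuild the response with the security headers set to INSERTED_HEADERS.

    Any backend copy of these headers is replaced so the policy is consistent;
    all other headers and the body are passed through unchanged.
    """
    status_line, header_pairs, body = split_response(raw)
    managed = {name.lower() for name in INSERTED_HEADERS}
    kept = [(n, v) for n, v in header_pairs if n.lower() not in managed]
    kept.extend(INSERTED_HEADERS.items())
    head = "\r\n".join([status_line] + [f"{n}: {v}" for n, v in kept])
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    for finding in audit_security_headers(RAW_BACKEND_RESPONSE):
        print("before:", finding)
    hardened = insert_security_headers(RAW_BACKEND_RESPONSE)
    print("after:", audit_security_headers(hardened))
```

Run against the constructed sample, the audit reports the three missing headers plus three CSP weaknesses (the wildcard default-src, the 'unsafe-inline' in script-src, and object-src inheriting the wildcard); after insertion the audit is clean. Replacing rather than merging an existing CSP is a deliberate design choice here: merging two policies silently is hard to reason about, and a single known policy is easier to verify.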