Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • User Guide

    Home FortiWeb Cloud User Guide

    Mobile API Protection

    Mobile API Protection

    When a client accesses a web server from a mobile application, the Mobile API Protection module checks whether the request carries the JWT-token header and whether the token carried is valid for the following three cases:

    • The request doesn't carry the JWT-token header;
    • The request carries the JWT-token header and the token is valid;
    • The request carries the JWT-token header and the token is invalid.

    Based on the token and request URL, FortiWeb Cloud takes related actions to avoid potential attacks.

    1. Go to API Protection > Mobile API Protection.
      You must have already enabled this module in Add Modules. See How to add or remove a module.
    2. Configure these settings.

      Token Secret

      Enter the JWT-token secret that you get from the Approov platform.
      Refer to Approov doc for how to get the token.

      Token Header

      Indicate the header that carries the JWT-token in the request.

      Request URL

      Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    3. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.
      To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

      Alert

      Accept the request and generate an alert email and/or log message.

      Alert & Deny

      Block the request (or reset the connection) and generate an alert email and/or log message.

      Deny(no log)

      Block the request (or reset the connection).

    4. Click SAVE.
    Previous
    Next

    Mobile API Protection

    Mobile API Protection

    When a client accesses a web server from a mobile application, the Mobile API Protection module checks whether the request carries the JWT-token header and whether the token carried is valid for the following three cases:

    • The request doesn't carry the JWT-token header;
    • The request carries the JWT-token header and the token is valid;
    • The request carries the JWT-token header and the token is invalid.

    Based on the token and request URL, FortiWeb Cloud takes related actions to avoid potential attacks.

    1. Go to API Protection > Mobile API Protection.
      You must have already enabled this module in Add Modules. See How to add or remove a module.
    2. Configure these settings.

      Token Secret

      Enter the JWT-token secret that you get from the Approov platform.
      Refer to Approov doc for how to get the token.

      Token Header

      Indicate the header that carries the JWT-token in the request.

      Request URL

      Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    3. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.
      To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

      Alert

      Accept the request and generate an alert email and/or log message.

      Alert & Deny

      Block the request (or reset the connection) and generate an alert email and/or log message.

      Deny(no log)

      Block the request (or reset the connection).

    4. Click SAVE.
    Previous
    Next