Fortinet black logo

CLI Reference

waf http-header-security

waf http-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

For more information on HTTP Header Security, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config waf http-header-security

edit "<http-header-security_name>"

config http-header-security-list

set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy}

set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

set custom-value <custom-value_str>

set allow-from-source "<allow-from_str>"

set request-type {plain | regular}

set request-file "<request-file_str>"

set request-status {enable | disable}

next

end

next

end

Variable Description Default

"<http-header-security_name>"

Enter of name of an HTTP header security policy. The maximum length is 63 characters. No default.

request-status {enable | disable}

Enable to set a URL Filter. disable

request-type {plain | regular}

Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

request-file "<request-file_str>"

Sets the Request URL for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

<entry-index_int>

Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy}

Defines the Secure Header Type in the Secure Header Rule. The following options are available:

  • x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
  • x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
  • x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
No default.

value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

Defines the response according to the defined Secure Header Type.

The x-frame-options header can be implemented with one of the following options:

  • deny—The browser will not allow any frame to be displayed.
  • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

The x-content-type-options header can be implemented with one option:

  • nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.

The x-xss-protection header can be implemented with one of the following options:

  • sanitizing-mode—The browser will sanitize the malicious scripts when a XSS attack is detected.
  • block-mode—The browser will block the page when a XSS attack is detected.
No default.

allow-from-source "<allow-from_str>"

Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy} is x-frame-options and the Header Value is set to allow-from. No default.
custom-value <custom-value_str>

Example

This example creates a HTTP header security policy.

config waf http-header-security

edit http_header_security1

set request-status enable

set request-type plain

set request-file "/bWAPP/clickjacking.php"

config http-header-security-list

edit 1

set name x-content-type-options

set value nosniff

next

edit 2

set name x-frame-options

set value deny

next

edit 3

set name x-xss-protection

set value block-mode

next

next

end

waf http-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

For more information on HTTP Header Security, see the FortiWeb Administration Guide:

https://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config waf http-header-security

edit "<http-header-security_name>"

config http-header-security-list

set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy}

set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

set custom-value <custom-value_str>

set allow-from-source "<allow-from_str>"

set request-type {plain | regular}

set request-file "<request-file_str>"

set request-status {enable | disable}

next

end

next

end

Variable Description Default

"<http-header-security_name>"

Enter of name of an HTTP header security policy. The maximum length is 63 characters. No default.

request-status {enable | disable}

Enable to set a URL Filter. disable

request-type {plain | regular}

Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

request-file "<request-file_str>"

Sets the Request URL for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

<entry-index_int>

Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy}

Defines the Secure Header Type in the Secure Header Rule. The following options are available:

  • x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
  • x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
  • x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
No default.

value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

Defines the response according to the defined Secure Header Type.

The x-frame-options header can be implemented with one of the following options:

  • deny—The browser will not allow any frame to be displayed.
  • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

The x-content-type-options header can be implemented with one option:

  • nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.

The x-xss-protection header can be implemented with one of the following options:

  • sanitizing-mode—The browser will sanitize the malicious scripts when a XSS attack is detected.
  • block-mode—The browser will block the page when a XSS attack is detected.
No default.

allow-from-source "<allow-from_str>"

Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy} is x-frame-options and the Header Value is set to allow-from. No default.
custom-value <custom-value_str>

Example

This example creates a HTTP header security policy.

config waf http-header-security

edit http_header_security1

set request-status enable

set request-type plain

set request-file "/bWAPP/clickjacking.php"

config http-header-security-list

edit 1

set name x-content-type-options

set value nosniff

next

edit 2

set name x-frame-options

set value deny

next

edit 3

set name x-xss-protection

set value block-mode

next

next

end