waf http-header-security
Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.
For more information on HTTP Header Security, see the FortiWeb Administration Guide:
https://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the admingrp
area. For details, see Permissions.
Syntax
config waf http-header-security
edit "<http-header-security_name>"
config http-header-security-list
set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy}
set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}
set custom-value <custom-value_str>
set allow-from-source "<allow-from_str>"
set request-type {plain | regular}
set request-file "<request-file_str>"
set request-status {enable | disable}
next
end
next
end
Variable | Description | Default |
Enter of name of an HTTP header security policy. The maximum length is 63 characters. | No default. | |
Enable to set a URL Filter. |
disable
|
|
Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter. Available only if request-status {enable | disable} is set to |
No default. | |
Sets the Request URL for the URL Filter. Available only if request-status {enable | disable} is set to |
No default. | |
Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. | No default. | |
name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy} |
Defines the Secure Header Type in the Secure Header Rule. The following options are available:
|
No default. |
value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode} |
Defines the response according to the defined Secure Header Type. The
The
The
|
No default. |
Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy} is x-frame-options and the Header Value is set to allow-from . |
No default. | |
custom-value <custom-value_str>
|
Example
This example creates a HTTP header security policy.
config waf http-header-security
edit http_header_security1
set request-status enable
set request-type plain
set request-file "/bWAPP/clickjacking.php"
config http-header-security-list
edit 1
set name x-content-type-options
set value nosniff
next
edit 2
set name x-frame-options
set value deny
next
edit 3
set name x-xss-protection
set value block-mode
next
next
end