Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 6.3.6 Administration Guide
    6.3.6
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Addressing security vulnerabilities by HTTP Security Headers

    Addressing security vulnerabilities by HTTP Security Headers

    HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

    When FortiWeb's HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on your website without code and configuration changes. The following includes the security headers that FortiWeb can insert into responses:

    FortiWeb security headers
    X-Frame-Options

    This header prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.

    The X-Frame-Options header can be implemented with one of the following options:

    • DENY: The browser will not allow any frame to be displayed.
    • SAMEORIGIN: The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    • ALLOW-FROM: The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
    X-Content-Type-Options

    This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

    The X-Content-Type-Options header can be implemented with one option:

    • nosniff: The browser will not guess any content type that is not explicitly specified when downloading extensions.
    X-XSS-Protection

    This header enables a browser's built-in Cross-site scripting (XSS) protection.

    The X-XSS-Protection header can be implemented with one of the following options:

    • Sanitizing Mode: The browser will sanitize the malicious scripts when a XSS attack is detected.
    • Block Mode: The browser will block the page when a XSS attack is detected.
    Content-Security-Policy

    FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.

    To configure an HTTP header security policy
    1. Go to Web Protection > Advanced Protection > HTTP Header Security and select an existing policy or create a new one. If creating a new policy, the maximum length of the name is 63 characters; special characters are prohibited.
    2. If you created a new policy, click OK to save it. If editing an existing policy, select it and click Edit.
    3. Select an existing rule to edit or create a new one in Secure Header Table.
    4. Configure these settings:
      5. URL Filter

      Click to enable or disable URL filter:

      • Enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified Request URL.
      • Disable: All responses will be processed with the selected security header(s).
      Request URL Type

      Select Simple String to match the URL of requests with a literal URL specified in Request URL.

      Select Regular Expression to match the URL of requests with a regular expression specified in Request URL.

      Note: this is available only when URL Filter is enabled.

      Request URL

      Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

      if Simple String is selected in Request URL Type, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

      If Regular Expression is selected, enter a regular expression.

      After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Note: this is available only when URL Filter is enabled.
      Secure Header Type

      Select the security header to be inserted into the responses.

      • X-Frame-Options
      • X-Content-Type-Options
      • X-XSS-Protection
      • Content-Security-Policy

      For details, see FortiWeb security headers.
      Header Value

      Select the value for the selected security header.

      If X-Frame-Options is selected, the options will be:

      • DENY
      • SAMEORIGIN
      • ALLOW-FROM

      If X-Content-Type-Options is selected, the option will be:

      • nosniff

      If X-XSS-Protection is selected, the options will be:

      • Sanitizing Mode
      • Block Mode

      If Content-Security-Policy is selected, enter the header value(s) that your server will specify to set restrictions on resource types and sources. For example, you could enter default-src 'self';script-src 'self';object-src 'self'.

      For details, see FortiWeb security headers"FortiWeb security headers" FortiWeb security headers.
      Allowed From URL

      It will require you to specify a URI (Uniform Resource Identifier) if header X-Frame-Options and the option ALLOW-FROM are selected.

      For details, see FortiWeb security headers.
    5. Click OK to save the configuration.
    6. To use this HTTP Header Security policy in a protection profile, go to Policy > Web Protection Profile and configure an inline protection profile with the HTTP Header Security policy. For details, see HTTP Header Security.
    Previous
    Next

    Addressing security vulnerabilities by HTTP Security Headers

    Addressing security vulnerabilities by HTTP Security Headers

    HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

    When FortiWeb's HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on your website without code and configuration changes. The following includes the security headers that FortiWeb can insert into responses:

    FortiWeb security headers
    X-Frame-Options

    This header prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.

    The X-Frame-Options header can be implemented with one of the following options:

    • DENY: The browser will not allow any frame to be displayed.
    • SAMEORIGIN: The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    • ALLOW-FROM: The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
    X-Content-Type-Options

    This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

    The X-Content-Type-Options header can be implemented with one option:

    • nosniff: The browser will not guess any content type that is not explicitly specified when downloading extensions.
    X-XSS-Protection

    This header enables a browser's built-in Cross-site scripting (XSS) protection.

    The X-XSS-Protection header can be implemented with one of the following options:

    • Sanitizing Mode: The browser will sanitize the malicious scripts when a XSS attack is detected.
    • Block Mode: The browser will block the page when a XSS attack is detected.
    Content-Security-Policy

    FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.

    To configure an HTTP header security policy
    1. Go to Web Protection > Advanced Protection > HTTP Header Security and select an existing policy or create a new one. If creating a new policy, the maximum length of the name is 63 characters; special characters are prohibited.
    2. If you created a new policy, click OK to save it. If editing an existing policy, select it and click Edit.
    3. Select an existing rule to edit or create a new one in Secure Header Table.
    4. Configure these settings:
      5. URL Filter

      Click to enable or disable URL filter:

      • Enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified Request URL.
      • Disable: All responses will be processed with the selected security header(s).
      Request URL Type

      Select Simple String to match the URL of requests with a literal URL specified in Request URL.

      Select Regular Expression to match the URL of requests with a regular expression specified in Request URL.

      Note: this is available only when URL Filter is enabled.

      Request URL

      Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

      if Simple String is selected in Request URL Type, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

      If Regular Expression is selected, enter a regular expression.

      After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Note: this is available only when URL Filter is enabled.
      Secure Header Type

      Select the security header to be inserted into the responses.

      • X-Frame-Options
      • X-Content-Type-Options
      • X-XSS-Protection
      • Content-Security-Policy

      For details, see FortiWeb security headers.
      Header Value

      Select the value for the selected security header.

      If X-Frame-Options is selected, the options will be:

      • DENY
      • SAMEORIGIN
      • ALLOW-FROM

      If X-Content-Type-Options is selected, the option will be:

      • nosniff

      If X-XSS-Protection is selected, the options will be:

      • Sanitizing Mode
      • Block Mode

      If Content-Security-Policy is selected, enter the header value(s) that your server will specify to set restrictions on resource types and sources. For example, you could enter default-src 'self';script-src 'self';object-src 'self'.

      For details, see FortiWeb security headers"FortiWeb security headers" FortiWeb security headers.
      Allowed From URL

      It will require you to specify a URI (Uniform Resource Identifier) if header X-Frame-Options and the option ALLOW-FROM are selected.

      For details, see FortiWeb security headers.
    5. Click OK to save the configuration.
    6. To use this HTTP Header Security policy in a protection profile, go to Policy > Web Protection Profile and configure an inline protection profile with the HTTP Header Security policy. For details, see HTTP Header Security.
    Previous
    Next