Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiWeb 7.4.0 CLI Reference
    7.4.0
    7.6.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0

    waf HTTP-header-security

    waf HTTP-header-security

    Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

    For more information on HTTP Header Security, see the FortiWeb Administration Guide:

    HTTPS://docs.fortinet.com/fortiweb/admin-guides

    To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

    Syntax

    config waf HTTP-header-security

    edit "<HTTP-header-security_name>"

    config HTTP-header-security-list

    set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy}

    set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

    set waf HTTP-header-security

    set allow-from-source "<allow-from_str>"

    set request-type {plain | regular}

    set request-file "<request-file_str>"

    set request-status {enable | disable}

    next

    end

    next

    end

    Variable Description Default

    "<HTTP-header-security_name>"

    		 Enter of name of an HTTP header security policy. The maximum length is 63 characters. No default.

    request-status {enable | disable}

    		 Enable to set a URL Filter. disable

    request-type {plain | regular}

    Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.

    Available only if request-status {enable | disable} is set to enable.

    		 No default.

    request-file "<request-file_str>"

    Sets the Request URL for the URL Filter.

    Available only if request-status {enable | disable} is set to enable.

    		 No default.

    <entry-index_int>

    		 Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

    name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy}

    Defines the Secure Header Type in the Secure Header Rule. The following options are available:

    • x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
    • x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
    • x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
    • content-security-policyFortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.
    • feature-policy—Provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

      For example, fullscreen 'self' HTTPS://game.com
      HTTPS://map.example.com;geolocation *; camera 'none'

    • referrer-policy—Controls how much referrer information (sent via the Referer header) should be included with requests.

      The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

    		 No default.

    value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

    Defines the response according to the defined Secure Header Type.

    The x-frame-options header can be implemented with one of the following options:

    • deny—The browser will not allow any frame to be displayed.
    • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

    The x-content-type-options header can be implemented with one option:

    • nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.

    The x-xss-protection header can be implemented with one of the following options:

    • sanitizing-mode—The browser will sanitize the malicious scripts when a XSS attack is detected.
    • block-mode—The browser will block the page when a XSS attack is detected.
    		 No default.

    allow-from-source "<allow-from_str>"

    		 Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy} is x-frame-options and the Header Value is set to allow-from. No default.

    Example

    This example creates a HTTP header security policy.

    config waf HTTP-header-security

    edit HTTP_header_security1

    set request-status enable

    set request-type plain

    set request-file "/bWAPP/clickjacking.php"

    config HTTP-header-security-list

    edit 1

    set name x-content-type-options

    set value nosniff

    next

    edit 2

    set name x-frame-options

    set value deny

    next

    edit 3

    set name x-xss-protection

    set value block-mode

    next

    next

    end

    Previous
    Next

    waf HTTP-header-security

    waf HTTP-header-security

    Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

    For more information on HTTP Header Security, see the FortiWeb Administration Guide:

    HTTPS://docs.fortinet.com/fortiweb/admin-guides

    To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

    Syntax

    config waf HTTP-header-security

    edit "<HTTP-header-security_name>"

    config HTTP-header-security-list

    set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy}

    set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

    set waf HTTP-header-security

    set allow-from-source "<allow-from_str>"

    set request-type {plain | regular}

    set request-file "<request-file_str>"

    set request-status {enable | disable}

    next

    end

    next

    end

    Variable Description Default

    "<HTTP-header-security_name>"

    		 Enter of name of an HTTP header security policy. The maximum length is 63 characters. No default.

    request-status {enable | disable}

    		 Enable to set a URL Filter. disable

    request-type {plain | regular}

    Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.

    Available only if request-status {enable | disable} is set to enable.

    		 No default.

    request-file "<request-file_str>"

    Sets the Request URL for the URL Filter.

    Available only if request-status {enable | disable} is set to enable.

    		 No default.

    <entry-index_int>

    		 Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

    name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy}

    Defines the Secure Header Type in the Secure Header Rule. The following options are available:

    • x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
    • x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
    • x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
    • content-security-policyFortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.
    • feature-policy—Provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

      For example, fullscreen 'self' HTTPS://game.com
      HTTPS://map.example.com;geolocation *; camera 'none'

    • referrer-policy—Controls how much referrer information (sent via the Referer header) should be included with requests.

      The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

    		 No default.

    value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

    Defines the response according to the defined Secure Header Type.

    The x-frame-options header can be implemented with one of the following options:

    • deny—The browser will not allow any frame to be displayed.
    • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

    The x-content-type-options header can be implemented with one option:

    • nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.

    The x-xss-protection header can be implemented with one of the following options:

    • sanitizing-mode—The browser will sanitize the malicious scripts when a XSS attack is detected.
    • block-mode—The browser will block the page when a XSS attack is detected.
    		 No default.

    allow-from-source "<allow-from_str>"

    		 Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy} is x-frame-options and the Header Value is set to allow-from. No default.

    Example

    This example creates a HTTP header security policy.

    config waf HTTP-header-security

    edit HTTP_header_security1

    set request-status enable

    set request-type plain

    set request-file "/bWAPP/clickjacking.php"

    config HTTP-header-security-list

    edit 1

    set name x-content-type-options

    set value nosniff

    next

    edit 2

    set name x-frame-options

    set value deny

    next

    edit 3

    set name x-xss-protection

    set value block-mode

    next

    next

    end

    Previous
    Next