Fortinet white logo
Fortinet white logo

CLI Reference

waf HTTP-header-security

waf HTTP-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

For more information on HTTP Header Security, see the FortiWeb Administration Guide:

https://docs.fortinet.com/document/fortiweb

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config waf HTTP-header-security

edit "<HTTP-header-security_name>"

config HTTP-header-security-list

set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy | }

set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

set waf HTTP-header-security

set allow-from-source "<allow-from_str>"

set request-type {plain | regular}

set request-file "<request-file_str>"

set request-status {enable | disable}

next

end

next

end

Variable Description Default

"<HTTP-header-security_name>"

Enter of name of an HTTP header security policy. The maximum length is 63 characters. No default.

request-status {enable | disable}

Enable to set a URL Filter. disable

request-type {plain | regular}

Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

request-file "<request-file_str>"

Sets the Request URL for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

<entry-index_int>

Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy | }

Defines the Secure Header Type in the Secure Header Rule. The following options are available:

  • x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
  • x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
  • x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
  • content-security-policyFortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.
  • feature-policy—Provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

    For example, fullscreen 'self' https://game.com
    https://map.example.com;geolocation *; camera 'none'

  • referrer-policy—Controls how much referrer information (sent via the Referer header) should be included with requests.

    The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

  • permissions-policypermissions-policy has been introduced in version 7.4.1 to replace feature-policy in alignment with the industry standard.
    It's recommended to upgrade to permission policy through FortiWeb GUI, because it provides a Validate button to to check syntax errors that are introduced by changing from feature-policy to permissions-policy. See "HTTP Security Headers" in FortiWeb Administration Guide.

No default.

value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

Defines the response according to the defined Secure Header Type.

The x-frame-options header can be implemented with one of the following options:

  • deny—The browser will not allow any frame to be displayed.
  • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

The x-content-type-options header can be implemented with one option:

  • nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.

The x-xss-protection header can be implemented with one of the following options:

  • sanitizing-mode—The browser will sanitize the malicious scripts when a XSS attack is detected.
  • block-mode—The browser will block the page when a XSS attack is detected.
No default.

allow-from-source "<allow-from_str>"

Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy | } is x-frame-options and the Header Value is set to allow-from. No default.

Example

This example creates a HTTP header security policy.

config waf HTTP-header-security

edit HTTP_header_security1

set request-status enable

set request-type plain

set request-file "/bWAPP/clickjacking.php"

config HTTP-header-security-list

edit 1

set name x-content-type-options

set value nosniff

next

edit 2

set name x-frame-options

set value deny

next

edit 3

set name x-xss-protection

set value block-mode

next

next

end

waf HTTP-header-security

waf HTTP-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

For more information on HTTP Header Security, see the FortiWeb Administration Guide:

https://docs.fortinet.com/document/fortiweb

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config waf HTTP-header-security

edit "<HTTP-header-security_name>"

config HTTP-header-security-list

set name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy | }

set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

set waf HTTP-header-security

set allow-from-source "<allow-from_str>"

set request-type {plain | regular}

set request-file "<request-file_str>"

set request-status {enable | disable}

next

end

next

end

Variable Description Default

"<HTTP-header-security_name>"

Enter of name of an HTTP header security policy. The maximum length is 63 characters. No default.

request-status {enable | disable}

Enable to set a URL Filter. disable

request-type {plain | regular}

Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

request-file "<request-file_str>"

Sets the Request URL for the URL Filter.

Available only if request-status {enable | disable} is set to enable.

No default.

<entry-index_int>

Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy | }

Defines the Secure Header Type in the Secure Header Rule. The following options are available:

  • x-frame-options—Prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.
  • x-content-type-options—Prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.
  • x-xss-protection—Enables a browser's built-in Cross-site scripting (XSS) protection.
  • content-security-policyFortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.
  • feature-policy—Provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

    For example, fullscreen 'self' https://game.com
    https://map.example.com;geolocation *; camera 'none'

  • referrer-policy—Controls how much referrer information (sent via the Referer header) should be included with requests.

    The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

  • permissions-policypermissions-policy has been introduced in version 7.4.1 to replace feature-policy in alignment with the industry standard.
    It's recommended to upgrade to permission policy through FortiWeb GUI, because it provides a Validate button to to check syntax errors that are introduced by changing from feature-policy to permissions-policy. See "HTTP Security Headers" in FortiWeb Administration Guide.

No default.

value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

Defines the response according to the defined Secure Header Type.

The x-frame-options header can be implemented with one of the following options:

  • deny—The browser will not allow any frame to be displayed.
  • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

The x-content-type-options header can be implemented with one option:

  • nosniff—The browser will not guess any content type that is not explicitly specified when downloading extensions.

The x-xss-protection header can be implemented with one of the following options:

  • sanitizing-mode—The browser will sanitize the malicious scripts when a XSS attack is detected.
  • block-mode—The browser will block the page when a XSS attack is detected.
No default.

allow-from-source "<allow-from_str>"

Sets the specified domain if the name {x-content-type-options | x-frame-options | x-xss-protection | content-security-policy | feature-policy | referrer-policy | } is x-frame-options and the Header Value is set to allow-from. No default.

Example

This example creates a HTTP header security policy.

config waf HTTP-header-security

edit HTTP_header_security1

set request-status enable

set request-type plain

set request-file "/bWAPP/clickjacking.php"

config HTTP-header-security-list

edit 1

set name x-content-type-options

set value nosniff

next

edit 2

set name x-frame-options

set value deny

next

edit 3

set name x-xss-protection

set value block-mode

next

next

end