Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 7.6.5 Administration Guide
    7.6.5
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Link cloaking

    Link cloaking

    To prevent web pages in your application from being scanned by web crawlers and scanning software, you can use link cloaking to transform the fixed links to automatically generated links by JavaScript codes. For example, <a href="https://www.google.com" target="blank" class="button"> will be transformed to <a id="fwb_4069875712" target="blank" class="button"> so that the crawlers can't recognize it. When the link is loaded in the client's browser, it will be re-converted to the original link.

    Link cloaking supports processing the following link tags: <a>, <form>, <img>, <link>, and <object>.

    FortiWeb has a similar feature which processes URL links, that is, URL Encryption. URL Encryption encrypts the domain directory, so that the attack can't guess the URLs of internal pages that are not directly linked from the home page. For instance, an attacker could manually modify the URL to access example.com/admin or example.com/backups, hoping these directories are poorly secured or not monitored.

    While Link cloaking processes the links presented on a web page. It searches the link tags such as <a> and <form> on a web page and obscure the links so that web crawlers can't recognize them.

    Before After
    URL Encryption

    User Account Page URL:

    https://www.secureshop.com/user/account/12345

    Order History URL:

    https://www.secureshop.com/orders/history

    Encrypted User Account Page URL: https://www.secureshop.com/7d93jd83jd3f

    Encrypted Order History URL: https://www.secureshop.com/8fh83hf8hf8h
    Link Cloaking

    URL link on a page:

    <a href="https://www.secureshop.com/login" target="blank" class="button">

    Cloaked Link:

    <a id="fwb_4069875712" target="blank" class="button">

    , for example, , instead, it encrypts the link itself. For example, <a href="https://example/login"> will be transformed to <a href="EncryptedCode"> by URL Encryption. It can't prevent the links from being scanned by web crawlers because the link tag href is still there.

    To configure a link cloaking rule:

    1. Go to Web Protection > Advanced Protection > Link Cloaking.
    2. Select Link Cloaking Rule.
    3. Configure the following settings.
      NameEnter a name for the rule.
      Host StatusEnable to require that the Host: field of the HTTP request matches a protected host name entry in order to match the link cloaking rule.
      HostSelect the protected host names entry (either a web host name or a IP address) that the Host: field of the HTTP request must be in to match the rule.
      Type

      Select whether the URL Pattern field must contain either:

      • Simple String—The field is a string that the request URL must match exactly.

      • Regular Expression—The field is a regular expression that defines a set of matching URLs.

      URL Pattern

      Depending on your selection in Type, enter either:

      • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
      • A regular expression, such as ^/*.php. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash.

      Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      FortiWeb will find the link tags on the matched URL pages, then encrypt the links.

    4. Click OK.
    5. If you want to exclude certain links from Link Cloaking, click Create New to add it in the Exception List. Then type a literal URL or use regular expression to match multiple URLs.

    To configure a Link Cloaking policy:

    1. Go to Web Protection > Advanced Protection > Link Cloaking
    2. Select Link Cloaking Policy.
    3. Enter a name for the Link Cloaking policy.
    4. Click OK.
    5. Click Create New to add Link Cloaking rules in the policy.
    6. Select the Link Cloaking rule.
    7. Click OK.

    To use this policy, you need to refer it in a web protection profile.

    Previous
    Next

    Link cloaking

    Link cloaking

    To prevent web pages in your application from being scanned by web crawlers and scanning software, you can use link cloaking to transform the fixed links to automatically generated links by JavaScript codes. For example, <a href="https://www.google.com" target="blank" class="button"> will be transformed to <a id="fwb_4069875712" target="blank" class="button"> so that the crawlers can't recognize it. When the link is loaded in the client's browser, it will be re-converted to the original link.

    Link cloaking supports processing the following link tags: <a>, <form>, <img>, <link>, and <object>.

    FortiWeb has a similar feature which processes URL links, that is, URL Encryption. URL Encryption encrypts the domain directory, so that the attack can't guess the URLs of internal pages that are not directly linked from the home page. For instance, an attacker could manually modify the URL to access example.com/admin or example.com/backups, hoping these directories are poorly secured or not monitored.

    While Link cloaking processes the links presented on a web page. It searches the link tags such as <a> and <form> on a web page and obscure the links so that web crawlers can't recognize them.

    Before After
    URL Encryption

    User Account Page URL:

    https://www.secureshop.com/user/account/12345

    Order History URL:

    https://www.secureshop.com/orders/history

    Encrypted User Account Page URL: https://www.secureshop.com/7d93jd83jd3f

    Encrypted Order History URL: https://www.secureshop.com/8fh83hf8hf8h
    Link Cloaking

    URL link on a page:

    <a href="https://www.secureshop.com/login" target="blank" class="button">

    Cloaked Link:

    <a id="fwb_4069875712" target="blank" class="button">

    , for example, , instead, it encrypts the link itself. For example, <a href="https://example/login"> will be transformed to <a href="EncryptedCode"> by URL Encryption. It can't prevent the links from being scanned by web crawlers because the link tag href is still there.

    To configure a link cloaking rule:

    1. Go to Web Protection > Advanced Protection > Link Cloaking.
    2. Select Link Cloaking Rule.
    3. Configure the following settings.
      NameEnter a name for the rule.
      Host StatusEnable to require that the Host: field of the HTTP request matches a protected host name entry in order to match the link cloaking rule.
      HostSelect the protected host names entry (either a web host name or a IP address) that the Host: field of the HTTP request must be in to match the rule.
      Type

      Select whether the URL Pattern field must contain either:

      • Simple String—The field is a string that the request URL must match exactly.

      • Regular Expression—The field is a regular expression that defines a set of matching URLs.

      URL Pattern

      Depending on your selection in Type, enter either:

      • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
      • A regular expression, such as ^/*.php. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash.

      Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      FortiWeb will find the link tags on the matched URL pages, then encrypt the links.

    4. Click OK.
    5. If you want to exclude certain links from Link Cloaking, click Create New to add it in the Exception List. Then type a literal URL or use regular expression to match multiple URLs.

    To configure a Link Cloaking policy:

    1. Go to Web Protection > Advanced Protection > Link Cloaking
    2. Select Link Cloaking Policy.
    3. Enter a name for the Link Cloaking policy.
    4. Click OK.
    5. Click Create New to add Link Cloaking rules in the policy.
    6. Select the Link Cloaking rule.
    7. Click OK.

    To use this policy, you need to refer it in a web protection profile.

    Previous
    Next