Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 7.6.5 Administration Guide
    7.6.5
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    WAF features against OWASP Top 10 Client-Side security risks

    WAF features against OWASP Top 10 Client-Side security risks

    Since modern web apps rely heavily on JavaScript, APIs, and third-party integrations, the browser becomes a critical attack surface. Attacks that target the browser specifically focus on exploiting the environment in which web pages are rendered, rather than attacking the server. These attacks aim to steal sensitive data, manipulate content, or compromise user behavior — often silently.

    FortiWeb actively prevents and mitigates these attacks by controlling how browsers behave, validating resource integrity, and securing sensitive data. Its layered protection strategy provides defense before, during, and even after the browser is comprised.

    Here are the key features FortiWeb employs to defend against client side security risks.

    Man-in-the-Browser (MitB) Protection

    FortiWeb's MitB Protection safeguards user inputs from Man-in-the-Browser attacks by implementing advanced security measures such as input obfuscation, encryption, anti-keylogger mechanisms, and an Ajax request allow list. These features work together to prevent malware from intercepting or altering sensitive information like passwords and payment details, ensuring that user data remains secure even if the browser is compromised.
    HTTP Security Headers

    		 FortiWeb's HTTP Security Headers feature adds security-focused HTTP headers, including X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Feature-Policy, Referrer-Policy, X-XSS-Protection, etc. to server responses. These headers enforce security policies in client browsers, mitigating risks such as clickjacking, MIME-type sniffing, and cross-site scripting (XSS), thereby improving protection during request handling.
    Subresource Integrity Check
    		 Most modern websites rely on third-party sources—like CDNs—to load scripts and stylesheets. But what if one of those external files is compromised? FortiWeb’s Subresource Integrity (SRI) Check feature helps protect against this by enforcing hash-based verification. It ensures that the scripts or styles are executed only if their content matches a known, trusted cryptographic hash.
    Cookie Security

    FortiWeb's Cookie Security module protects web application cookies by encrypting their contents, enforcing HTTPOnly, SameSite and Secure flags to prevent access by scripts and ensure transmission over HTTPS, and verifying cookie integrity with digital signatures. These features also include session cookie protection, and setting cookie expiration and path restrictions. Together, they safeguard against common cookie-related attacks like session hijacking, XSS, and man-in-the-middle attacks, ensuring cookies remain secure and tamper-proof throughout their lifecycle.
    CORS Protection

    Malicious extensions or injected scripts from web frontends may try to send cross-origin requests to your application’s APIs. These requests might attempt to read sensitive data, such as user details or session tokens, from your backend.

    FortiWeb’s CORS Protection feature allows you to enforce strict rules on which external origins can access your application’s resources—blocking unauthorized cross-origin requests before they ever reach your backend.

    Client Side Protection

    FortiWeb’s Client-Side Protection feature automatically scans and analyzes all third-party services and scripts loaded by your web application. It helps you monitor client-side risks and take action directly, without requiring manual tracking of external dependencies.
    Previous
    Next

    WAF features against OWASP Top 10 Client-Side security risks

    WAF features against OWASP Top 10 Client-Side security risks

    Since modern web apps rely heavily on JavaScript, APIs, and third-party integrations, the browser becomes a critical attack surface. Attacks that target the browser specifically focus on exploiting the environment in which web pages are rendered, rather than attacking the server. These attacks aim to steal sensitive data, manipulate content, or compromise user behavior — often silently.

    FortiWeb actively prevents and mitigates these attacks by controlling how browsers behave, validating resource integrity, and securing sensitive data. Its layered protection strategy provides defense before, during, and even after the browser is comprised.

    Here are the key features FortiWeb employs to defend against client side security risks.

    Man-in-the-Browser (MitB) Protection

    FortiWeb's MitB Protection safeguards user inputs from Man-in-the-Browser attacks by implementing advanced security measures such as input obfuscation, encryption, anti-keylogger mechanisms, and an Ajax request allow list. These features work together to prevent malware from intercepting or altering sensitive information like passwords and payment details, ensuring that user data remains secure even if the browser is compromised.
    HTTP Security Headers

    		 FortiWeb's HTTP Security Headers feature adds security-focused HTTP headers, including X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Feature-Policy, Referrer-Policy, X-XSS-Protection, etc. to server responses. These headers enforce security policies in client browsers, mitigating risks such as clickjacking, MIME-type sniffing, and cross-site scripting (XSS), thereby improving protection during request handling.
    Subresource Integrity Check
    		 Most modern websites rely on third-party sources—like CDNs—to load scripts and stylesheets. But what if one of those external files is compromised? FortiWeb’s Subresource Integrity (SRI) Check feature helps protect against this by enforcing hash-based verification. It ensures that the scripts or styles are executed only if their content matches a known, trusted cryptographic hash.
    Cookie Security

    FortiWeb's Cookie Security module protects web application cookies by encrypting their contents, enforcing HTTPOnly, SameSite and Secure flags to prevent access by scripts and ensure transmission over HTTPS, and verifying cookie integrity with digital signatures. These features also include session cookie protection, and setting cookie expiration and path restrictions. Together, they safeguard against common cookie-related attacks like session hijacking, XSS, and man-in-the-middle attacks, ensuring cookies remain secure and tamper-proof throughout their lifecycle.
    CORS Protection

    Malicious extensions or injected scripts from web frontends may try to send cross-origin requests to your application’s APIs. These requests might attempt to read sensitive data, such as user details or session tokens, from your backend.

    FortiWeb’s CORS Protection feature allows you to enforce strict rules on which external origins can access your application’s resources—blocking unauthorized cross-origin requests before they ever reach your backend.

    Client Side Protection

    FortiWeb’s Client-Side Protection feature automatically scans and analyzes all third-party services and scripts loaded by your web application. It helps you monitor client-side risks and take action directly, without requiring manual tracking of external dependencies.
    Previous
    Next