Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 7.6.6 Administration Guide
    7.6.6
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    HTTP Header Security

    HTTP Header Security

    HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

    When FortiWeb's HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on your website without code and configuration changes. The following includes the security headers that FortiWeb can insert into responses:

    FortiWeb security headers
    X-Frame-Options

    This header prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.

    The X-Frame-Options header can be implemented with one of the following options:

    • DENY: The browser will not allow any frame to be displayed.
    • SAMEORIGIN: The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    • ALLOW-FROM: The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
    X-Content-Type-Options

    This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

    The X-Content-Type-Options header can be implemented with one option:

    • nosniff: The browser will not guess any content type that is not explicitly specified when downloading extensions.
    X-XSS-Protection

    This header enables a browser's built-in Cross-site scripting (XSS) protection.

    The X-XSS-Protection header can be implemented with one of the following options:

    • Sanitizing Mode: The browser will sanitize the malicious scripts when a XSS attack is detected.
    • Block Mode: The browser will block the page when a XSS attack is detected.
    Content-Security-Policy

    FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.

    Feature-Policy/Permission Policy

    Provide a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

    For example, fullscreen 'self' https://game.com

    https://map.example.com;geolocation *; camera 'none'
    Referrer-Policy

    Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

    The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".
    To configure an HTTP header security policy
    1. Go to Web Protection > Advanced Protection > HTTP Header Security and select an existing policy or create a new one. If creating a new policy, the maximum length of the name is 63 characters; special characters are prohibited.
    2. If you created a new policy, click OK to save it. If editing an existing policy, select it and click Edit.
    3. Select an existing rule to edit or create a new one in Secure Header Table.
    4. Configure these settings:
      5. URL Filter

      Click to enable or disable URL filter:

      • Enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified Request URL.
      • Disable: All responses will be processed with the selected security header(s).
      Request URL Type

      Select Simple String to match the URL of requests with a literal URL specified in Request URL.

      Select Regular Expression to match the URL of requests with a regular expression specified in Request URL.

      Note: this is available only when URL Filter is enabled.

      Request URL

      Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

      if Simple String is selected in Request URL Type, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

      If Regular Expression is selected, enter a regular expression.

      After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Note: this is available only when URL Filter is enabled.
      Secure Header Type

      Select the security header to be inserted into the responses.

      • X-Frame-Options
      • X-Content-Type-Options
      • X-XSS-Protection
      • Content-Security-Policy
      • Feature-Policy/Permission Policy
      • Referrer-Policy

      For details, see FortiWeb security headers.

      Note: Since 7.4.1, The feature-policy is updated to permission-policy in alignment with the industry standard. You can click the Upgrade button to upgrade to permission-policy, then click Validate to check syntax errors that are introduced by the upgrade if any.

      Header Value

      Specify the value for the selected security header.

      If you want to match multiple values, the best practice is to list them on a single line, separated by semicolons ";" rather than setting up individual rules for each value.

      If X-Frame-Options is selected, the options will be:

      • DENY
      • SAMEORIGIN
      • ALLOW-FROM

      If X-Content-Type-Options is selected, the option will be:

      • nosniff

      If X-XSS-Protection is selected, the options will be:

      • Sanitizing Mode
      • Block Mode

      If Content-Security-Policy is selected, enter the header value(s) that your server will specify to set restrictions on resource types and sources. For example, you could enter default-src 'self';script-src 'self';object-src 'self'.
      Allowed From URL

      It will require you to specify a URI (Uniform Resource Identifier) if header X-Frame-Options and the option ALLOW-FROM are selected.

      For details, see FortiWeb security headers.

      Exception

      Select an Exception to exclude certain client or request URL from the HTTP header security policy. See "To configure an HTTP header security exception".
    5. Click OK to save the configuration.
    6. To use this HTTP Header Security policy in a protection profile, go to Policy > Web Protection Profile and configure an inline protection profile with the HTTP Header Security policy. For details, see HTTP Header Security.
    To configure an HTTP header security exception

    If you want to exclude certain client or request URL from the HTTP header security policy, you can add an exception rule.

    1. Go to Web Protection > Advanced Protection > HTTP Header Security and select the HTTP Header Security Policy Exception.
    2. Click Create New.
    3. Enter a name for the Exception.
    4. Click OK.
    5. Click Create New.
    6. Configure the following settings.

      Client IP

      Enable to exclude HTTP header security policy based on Client IP address.

      IPv4/IPv6/IP Range

      Specify the client IP address or IP range that FortiWeb uses to determine whether or not to insert security headers to the responses.

      Request URL Type

      Select whether the Request URL field must contain either:

      • Simple String—The field is a string that the request URL must match exactly.

      • Regular Expression—The field is a regular expression that defines a set of matching URLs.

      Request URL

      Depending on your selection in Type, enter either:

      • Simple String—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).

      • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

      Do not include the domain name, such as www.example.com, which is configured separately in Host.

    7. Click OK.
    8. Reference the Exception in an HTTP Header Security Policy.
    Previous
    Next

    HTTP Header Security

    HTTP Header Security

    HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

    When FortiWeb's HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on your website without code and configuration changes. The following includes the security headers that FortiWeb can insert into responses:

    FortiWeb security headers
    X-Frame-Options

    This header prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.

    The X-Frame-Options header can be implemented with one of the following options:

    • DENY: The browser will not allow any frame to be displayed.
    • SAMEORIGIN: The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
    • ALLOW-FROM: The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
    X-Content-Type-Options

    This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

    The X-Content-Type-Options header can be implemented with one option:

    • nosniff: The browser will not guess any content type that is not explicitly specified when downloading extensions.
    X-XSS-Protection

    This header enables a browser's built-in Cross-site scripting (XSS) protection.

    The X-XSS-Protection header can be implemented with one of the following options:

    • Sanitizing Mode: The browser will sanitize the malicious scripts when a XSS attack is detected.
    • Block Mode: The browser will block the page when a XSS attack is detected.
    Content-Security-Policy

    FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.

    Feature-Policy/Permission Policy

    Provide a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

    For example, fullscreen 'self' https://game.com

    https://map.example.com;geolocation *; camera 'none'
    Referrer-Policy

    Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

    The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".
    To configure an HTTP header security policy
    1. Go to Web Protection > Advanced Protection > HTTP Header Security and select an existing policy or create a new one. If creating a new policy, the maximum length of the name is 63 characters; special characters are prohibited.
    2. If you created a new policy, click OK to save it. If editing an existing policy, select it and click Edit.
    3. Select an existing rule to edit or create a new one in Secure Header Table.
    4. Configure these settings:
      5. URL Filter

      Click to enable or disable URL filter:

      • Enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified Request URL.
      • Disable: All responses will be processed with the selected security header(s).
      Request URL Type

      Select Simple String to match the URL of requests with a literal URL specified in Request URL.

      Select Regular Expression to match the URL of requests with a regular expression specified in Request URL.

      Note: this is available only when URL Filter is enabled.

      Request URL

      Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

      if Simple String is selected in Request URL Type, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

      If Regular Expression is selected, enter a regular expression.

      After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

      Note: this is available only when URL Filter is enabled.
      Secure Header Type

      Select the security header to be inserted into the responses.

      • X-Frame-Options
      • X-Content-Type-Options
      • X-XSS-Protection
      • Content-Security-Policy
      • Feature-Policy/Permission Policy
      • Referrer-Policy

      For details, see FortiWeb security headers.

      Note: Since 7.4.1, The feature-policy is updated to permission-policy in alignment with the industry standard. You can click the Upgrade button to upgrade to permission-policy, then click Validate to check syntax errors that are introduced by the upgrade if any.

      Header Value

      Specify the value for the selected security header.

      If you want to match multiple values, the best practice is to list them on a single line, separated by semicolons ";" rather than setting up individual rules for each value.

      If X-Frame-Options is selected, the options will be:

      • DENY
      • SAMEORIGIN
      • ALLOW-FROM

      If X-Content-Type-Options is selected, the option will be:

      • nosniff

      If X-XSS-Protection is selected, the options will be:

      • Sanitizing Mode
      • Block Mode

      If Content-Security-Policy is selected, enter the header value(s) that your server will specify to set restrictions on resource types and sources. For example, you could enter default-src 'self';script-src 'self';object-src 'self'.
      Allowed From URL

      It will require you to specify a URI (Uniform Resource Identifier) if header X-Frame-Options and the option ALLOW-FROM are selected.

      For details, see FortiWeb security headers.

      Exception

      Select an Exception to exclude certain client or request URL from the HTTP header security policy. See "To configure an HTTP header security exception".
    5. Click OK to save the configuration.
    6. To use this HTTP Header Security policy in a protection profile, go to Policy > Web Protection Profile and configure an inline protection profile with the HTTP Header Security policy. For details, see HTTP Header Security.
    To configure an HTTP header security exception

    If you want to exclude certain client or request URL from the HTTP header security policy, you can add an exception rule.

    1. Go to Web Protection > Advanced Protection > HTTP Header Security and select the HTTP Header Security Policy Exception.
    2. Click Create New.
    3. Enter a name for the Exception.
    4. Click OK.
    5. Click Create New.
    6. Configure the following settings.

      Client IP

      Enable to exclude HTTP header security policy based on Client IP address.

      IPv4/IPv6/IP Range

      Specify the client IP address or IP range that FortiWeb uses to determine whether or not to insert security headers to the responses.

      Request URL Type

      Select whether the Request URL field must contain either:

      • Simple String—The field is a string that the request URL must match exactly.

      • Regular Expression—The field is a regular expression that defines a set of matching URLs.

      Request URL

      Depending on your selection in Type, enter either:

      • Simple String—The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).

      • Regular Expression—A regular expression, such as ^/*.php, matching the URLs to which the rule should apply. The pattern does not require a slash ( / ), but it must match URLs that begin with a slash, such as /index.cfm.

      Do not include the domain name, such as www.example.com, which is configured separately in Host.

    7. Click OK.
    8. Reference the Exception in an HTTP Header Security Policy.
    Previous
    Next