Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.0 Administration Guide
    8.0.0
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Expanded HTTP Header Security Support (8.0.0)

    Expanded HTTP Header Security Support (8.0.0)

    FortiWeb 8.0.0 enhances the HTTP Header Security feature—now located under the new Client Side Security module—with support for additional browser-enforced headers. This update improves control over browser behavior, strengthens client-side isolation, and supports FortiWeb’s layered defense strategy for modern web applications.

    HTTP Header Security plays a foundational role FortiWeb's Layered Defense Strategy—Stage 1: Prevent Attacks Before They Happen—where protections are applied before any JavaScript executes. By injecting security headers into server responses, FortiWeb instructs the browser to enforce constraints on script execution, cross-origin access, feature usage, and client-side storage.

    Administrators can configure HTTP Header Security under Web Protection > Client-Side Security > HTTP Header Security, where individual headers can be enabled, customized, and applied through Web Protection Profiles. These profiles are then referenced by Server Policies in inline, reverse proxy, or WCCP deployments.

    This design centralizes control, reduces configuration complexity, and ensures that browser-layer defenses are deployed consistently across all protected applications.

    Why This Matters

    Modern web applications frequently embed third-party content and rely on dynamic scripting. Without strict browser policies, attackers can exploit this flexibility to hijack sessions, steal sensitive data, and abuse cross-origin capabilities.

    FortiWeb’s enhanced HTTP Header Security helps prevent these attacks by:

    • Hardening browser execution environments to enforce isolation and reduce attack surfaces

    • Controlling cross-origin behavior with policies like COOP, COEP, and CORP

    • Enabling safe staging of strict CSP policies using report-only modes

    • Managing browser data and feature permissions through headers like Clear-Site-Data and Permissions-Policy

    These protections reduce reliance on complex JavaScript inspection and offer enforcement directly at the browser level, where they are most effective.

    What’s New in FortiWeb 8.0.0

    The following new headers are now supported:

    Header

    Description

    Content-Security-Policy-Report-Only

    FortiWeb adds the Content-Security-Policy-Report-Only HTTP header to monitor content security policy violations without enforcing restrictions. Use this header to test and fine-tune policy settings by collecting violation reports from the browser.

    Cross-Origin-Resource-Policy (CORP)

    Prevents other origins from loading your resources by enforcing same-origin rules for resource access.

    The Cross-Origin-Resource-Policy header can be configured with one of the following values:

    • same-origin: Only allows the same origin to access the resource.

    • cross-origin: Allows all origins to access the resource.

    • same-site: Allows access from the same site (origin and subdomains).

    Use in conjunction with CORS Protection for more granular control.

    Cross-Origin-Embedder-Policy (COEP)

    Requires cross-origin resources embedded in the page (such as scripts, styles, and images) to explicitly grant permission via CORS or CORP headers.

    The Cross-Origin-Embedder-Policy header can be configured with:

    • require-corp: Embedded resources must send either a valid CORS header or a matching Cross-Origin-Resource-Policy.

    This setting is required for enabling high-privilege APIs like SharedArrayBuffer.

    Cross-Origin-Opener-Policy (COOP)

    Isolates your browsing context from cross-origin popups or tabs to prevent side-channel attacks.

    The Cross-Origin-Opener-Policy header can be configured with:

    • same-origin: Ensures that the opened window does not retain access to window.opener, blocking cross-origin interference.

    Improves security for applications dealing with sensitive data or embedded login flows.

    Clear-Site-Data

    Instructs the browser to clear local storage, cookies, cache, and other site data when triggered (e.g., on logout).

    The Clear-Site-Data header can be configured with:

    • "cookies": Deletes all cookies for the origin.

    • "storage": Clears localStorage, sessionStorage, IndexedDB, and service workers.

    • "cache": Clears HTTP cache.

    • "*": Clears all of the above.

    Improves session cleanup and prevents residual data exposure on shared devices.

    These headers complement existing support for X-Frame-Options and X-XSS-Protection, providing broader and more modern protections aligned with browser security best practices.

    For more information, see HTTP Security Headers.

    Previous
    Next

    Expanded HTTP Header Security Support (8.0.0)

    Expanded HTTP Header Security Support (8.0.0)

    FortiWeb 8.0.0 enhances the HTTP Header Security feature—now located under the new Client Side Security module—with support for additional browser-enforced headers. This update improves control over browser behavior, strengthens client-side isolation, and supports FortiWeb’s layered defense strategy for modern web applications.

    HTTP Header Security plays a foundational role FortiWeb's Layered Defense Strategy—Stage 1: Prevent Attacks Before They Happen—where protections are applied before any JavaScript executes. By injecting security headers into server responses, FortiWeb instructs the browser to enforce constraints on script execution, cross-origin access, feature usage, and client-side storage.

    Administrators can configure HTTP Header Security under Web Protection > Client-Side Security > HTTP Header Security, where individual headers can be enabled, customized, and applied through Web Protection Profiles. These profiles are then referenced by Server Policies in inline, reverse proxy, or WCCP deployments.

    This design centralizes control, reduces configuration complexity, and ensures that browser-layer defenses are deployed consistently across all protected applications.

    Why This Matters

    Modern web applications frequently embed third-party content and rely on dynamic scripting. Without strict browser policies, attackers can exploit this flexibility to hijack sessions, steal sensitive data, and abuse cross-origin capabilities.

    FortiWeb’s enhanced HTTP Header Security helps prevent these attacks by:

    • Hardening browser execution environments to enforce isolation and reduce attack surfaces

    • Controlling cross-origin behavior with policies like COOP, COEP, and CORP

    • Enabling safe staging of strict CSP policies using report-only modes

    • Managing browser data and feature permissions through headers like Clear-Site-Data and Permissions-Policy

    These protections reduce reliance on complex JavaScript inspection and offer enforcement directly at the browser level, where they are most effective.

    What’s New in FortiWeb 8.0.0

    The following new headers are now supported:

    Header

    Description

    Content-Security-Policy-Report-Only

    FortiWeb adds the Content-Security-Policy-Report-Only HTTP header to monitor content security policy violations without enforcing restrictions. Use this header to test and fine-tune policy settings by collecting violation reports from the browser.

    Cross-Origin-Resource-Policy (CORP)

    Prevents other origins from loading your resources by enforcing same-origin rules for resource access.

    The Cross-Origin-Resource-Policy header can be configured with one of the following values:

    • same-origin: Only allows the same origin to access the resource.

    • cross-origin: Allows all origins to access the resource.

    • same-site: Allows access from the same site (origin and subdomains).

    Use in conjunction with CORS Protection for more granular control.

    Cross-Origin-Embedder-Policy (COEP)

    Requires cross-origin resources embedded in the page (such as scripts, styles, and images) to explicitly grant permission via CORS or CORP headers.

    The Cross-Origin-Embedder-Policy header can be configured with:

    • require-corp: Embedded resources must send either a valid CORS header or a matching Cross-Origin-Resource-Policy.

    This setting is required for enabling high-privilege APIs like SharedArrayBuffer.

    Cross-Origin-Opener-Policy (COOP)

    Isolates your browsing context from cross-origin popups or tabs to prevent side-channel attacks.

    The Cross-Origin-Opener-Policy header can be configured with:

    • same-origin: Ensures that the opened window does not retain access to window.opener, blocking cross-origin interference.

    Improves security for applications dealing with sensitive data or embedded login flows.

    Clear-Site-Data

    Instructs the browser to clear local storage, cookies, cache, and other site data when triggered (e.g., on logout).

    The Clear-Site-Data header can be configured with:

    • "cookies": Deletes all cookies for the origin.

    • "storage": Clears localStorage, sessionStorage, IndexedDB, and service workers.

    • "cache": Clears HTTP cache.

    • "*": Clears all of the above.

    Improves session cleanup and prevents residual data exposure on shared devices.

    These headers complement existing support for X-Frame-Options and X-XSS-Protection, providing broader and more modern protections aligned with browser security best practices.

    For more information, see HTTP Security Headers.

    Previous
    Next