Client Side Security
The Client Side Security module under Web Protection provides a centralized interface for configuring and managing protections against client-side threats. As modern web applications increasingly rely on JavaScript, APIs, and third-party integrations, the browser environment has become a major attack surface. Client-side attacks exploit the rendering environment of web pages to steal data, inject malicious code, and manipulate user behavior—often without affecting the server itself.
This module consolidates and enhances capabilities to detect, prevent, and mitigate browser-based threats by combining new features with functionality previously distributed across other protection modules. It addresses the OWASP Top 10 Client-Side Security Risks through a layered defense strategy.
For detailed use cases and examples of how Client Side Security features are applied to real-world threats, see WAF Solutions against OWASP Top 10 Client-Side Security Risks.
Importance of Client Side Security
Client-side risks differ from server-side vulnerabilities in that they target the user's browser directly. These risks include DOM-based cross-site scripting (XSS), unauthorized access to JavaScript variables, data exfiltration through third-party scripts, and malicious manipulation of forms and inputs. Mitigating client-side threats requires controlling browser behavior and monitoring runtime script activity.
OWASP defines ten categories of client-side security risks, many of which are difficult to detect or block without specialized controls. The Client Side Security module mitigates these risks through a combination of HTTP header enforcement, runtime resource integrity checks, input encryption, and third-party script monitoring.
Components and Configuration Modules
The Client Side Security module consists of the following configuration components, accessible under Web Protection > Client Side Security:
- Client-Side Protection: Provides visibility into external scripts and services. Enables policy-based control over whether specific third-party resources are allowed or blocked.
- HTTP Security Headers: Inserts browser-enforced security headers into HTTP responses to control browser behavior and reduce client-side risk.
- Cross-Origin Resource Sharing (CORS) Protection: Defines trusted origins, methods, and headers allowed in cross-origin requests.
- Subresource Integrity (SRI) Check: Defines expected cryptographic hashes for external scripts and stylesheets. Ensures that only unaltered resources are executed by the browser.
- Man in the Browser (MitB) Protection: Encrypts sensitive form fields and protects against keylogging and field manipulation.
- Cookie Security: Applies policy-based controls to enforce secure cookie attributes and integrity checks.
Each module can be configured independently and applied through a web protection profile. These profiles are then referenced by server policies to enforce the configured protections.
Layered Defense Strategy
The Client Side Security module organizes protection mechanisms into three key stages:
Stage 1: Prevent Attacks Before They Happen
- HTTP Header Security: Constrains browser behavior by inserting security headers such as Content-Security-Policy (CSP), Cross-Origin-Resource-Policy (CORP), Cross-Origin-Embedder-Policy (COEP), and Referrer-Policy. These headers restrict script execution, limit cross-origin access, and reduce data leakage through browser features.
- CORS Protection: Validates the Origin header of incoming cross-origin requests against the configured trusted origins, methods, and headers.
- Client-Side Protection: Blocks known threats at the WAF by inspecting requests and responses before they reach the browser.
OWASP Risks Addressed:
DOM-based XSS, sensitive data leakage, outdated components, third-party origin control, lack of browser security controls, proprietary client-side data exposure.
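The CORS check in Stage 1 comes down to one decision per request: is the Origin header exactly one of the trusted origins, and, for a preflight, are the requested method and headers on the configured lists? The following is an added example of that decision in Node.js; it is not FortiWeb code, and the policy object is a hypothetical stand-in for the trusted origins, methods, and headers configured in the CORS Protection rule. Two caveats a practitioner should keep in mind: CORS is enforced by the browser, so it does not restrict non-browser clients such as curl or scripts, and origins must be compared as exact strings, never by prefix or substring.

```javascript
// Added example (not FortiWeb code): CORS origin/method/header validation.
// `policy` is a constructed stand-in for the WAF's configured CORS rule.
const policy = {
  origins: new Set(['https://app.example.com', 'https://admin.example.com']),
  methods: new Set(['GET', 'POST', 'PUT']),
  headers: new Set(['content-type', 'authorization']), // compared lower-case
  allowCredentials: true,
  maxAge: 600,
};

// Returns the Access-Control-* headers to add to the response, or null when
// the request is not permitted (no CORS headers are emitted, so the browser
// withholds the response from the calling page).
function corsHeaders(policy, req) {
  const origin = req.headers['origin'];
  // Exact-match only. Prefix matching would accept
  // "https://app.example.com.evil.net"; the literal string "null" (sandboxed
  // iframes, file:// pages) is also rejected because it is not in the set.
  if (!origin || !policy.origins.has(origin)) return null;

  const out = {
    // Echo the specific trusted origin rather than "*": browsers reject "*"
    // when credentials are allowed, and "*" would expose the response to any site.
    'Access-Control-Allow-Origin': origin,
    // Tell shared caches the response varies by Origin, so one origin's
    // allow-header is never served to a different origin.
    'Vary': 'Origin',
  };
  if (policy.allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const isPreflight = req.method === 'OPTIONS' &&
    typeof req.headers['access-control-request-method'] === 'string';
  if (isPreflight) {
    const method = req.headers['access-control-request-method'].toUpperCase();
    if (!policy.methods.has(method)) return null;
    const requested = (req.headers['access-control-request-headers'] || '')
      .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
    if (requested.some(h => !policy.headers.has(h))) return null;
    out['Access-Control-Allow-Methods'] = [...policy.methods].join(', ');
    out['Access-Control-Allow-Headers'] = [...policy.headers].join(', ');
    out['Access-Control-Max-Age'] = String(policy.maxAge);
  }
  return out;
}
```

The `Vary: Origin` line is easy to forget and matters whenever a CDN or reverse proxy caches responses: without it, a response with `Access-Control-Allow-Origin: https://app.example.com` can be replayed from cache to a request from a different origin.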
Stage 2: Detect Tampering at Runtime
- Subresource Integrity Check: Validates that external JavaScript and CSS files match their expected cryptographic hashes before the browser executes them. Protects against compromised CDNs and unauthorized library changes.
- Client-Side Protection: Secures data exchanges with headers such as HTTP Strict Transport Security (HSTS) and Content-Security-Policy, and with SRI integrity attributes on script and stylesheet tags (SRI is an HTML attribute, not a header).
OWASP Risks Addressed:
Vulnerable and outdated components, JavaScript drift, lack of third-party origin control.
Stage 3: Mitigate After the Browser Is Compromised
- Cookie Security: Automatically enforces security attributes such as HttpOnly, Secure, and SameSite, and signs cookies so that tampering is detected.
- MitB Protection: Encrypts form inputs, obfuscates field names, and includes anti-keylogging mechanisms to secure sensitive data in compromised browsers.
- CORS Protection: Inspects and enforces origin and method constraints for cross-origin traffic.
- Client-Side Protection: Provides runtime monitoring and enforcement against threats that materialize post-delivery.
OWASP Risks Addressed:
Broken client-side access control, sensitive data stored client-side, monitoring failures, proprietary information leakage.
Real-Time Visibility and Control
Client-Side Protection provides a comprehensive overview of third-party services executing in the browser. It identifies external domains, categorizes resource types, flags risk levels, and logs usage frequency. Administrators can approve, block, or annotate services, with FortiWeb generating an optimized CSP header for enforcement.
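The step from a reviewed inventory of third-party services to an enforceable CSP is mechanical once each approved resource is mapped to a directive. The block below is an added example of that mapping, not FortiWeb's generator, and the inventory is constructed sample data: approved entries become allowlisted origins under the directive for their resource type, blocked entries are simply absent (CSP is an allowlist), and a checker shows which loads the resulting policy would permit. The `reportOnly` option is the practitioner's safeguard: a generated policy should ship as Content-Security-Policy-Report-Only first, so that anything the inventory missed shows up as a violation report rather than a broken page.

```javascript
// Added example (not FortiWeb code): building a CSP header from a reviewed
// third-party inventory and checking loads against it. Sample data is constructed.
const inventory = [
  { url: 'https://cdn.jsdelivr.net/npm/lib.js',       type: 'script',  status: 'approved' },
  { url: 'https://fonts.googleapis.com/css2',         type: 'style',   status: 'approved' },
  { url: 'https://fonts.gstatic.com/s/font.woff2',    type: 'font',    status: 'approved' },
  { url: 'https://api.example.com/v1/events',         type: 'connect', status: 'approved' },
  { url: 'https://tracker.example.net/pixel.js',      type: 'script',  status: 'blocked'  },
];

// Resource type observed in the browser -> CSP directive that governs it.
const DIRECTIVE = { script: 'script-src', style: 'style-src', img: 'img-src',
  font: 'font-src', connect: 'connect-src', frame: 'frame-src' };

// Build the header. Origins rather than full URLs are allowlisted so a path
// change on the CDN does not break the page. default-src 'self' covers every
// type without an explicit directive; object-src 'none' and base-uri 'self'
// close two classic bypasses (plugins and <base href> hijacking).
function buildCsp(entries, { reportOnly = false } = {}) {
  const sources = {};
  for (const e of entries) {
    if (e.status !== 'approved' || !DIRECTIVE[e.type]) continue;
    const d = DIRECTIVE[e.type];
    if (!sources[d]) sources[d] = new Set();
    sources[d].add(new URL(e.url).origin);
  }
  const parts = ["default-src 'self'", "object-src 'none'", "base-uri 'self'"];
  for (const d of Object.keys(sources).sort()) {
    parts.push(`${d} 'self' ${[...sources[d]].sort().join(' ')}`);
  }
  return {
    name: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
    value: parts.join('; '),
  };
}

// Would a page served from `pageOrigin` be allowed to load `url` as `type`
// under this policy? Falls back to default-src when the directive is absent.
function cspAllows(cspValue, pageOrigin, type, url) {
  const dirs = Object.fromEntries(
    cspValue.split(';').map(s => s.trim().split(/\s+/)).filter(t => t[0])
      .map(([name, ...srcs]) => [name, srcs]));
  const srcs = dirs[DIRECTIVE[type]] || dirs['default-src'] || [];
  const origin = new URL(url).origin;
  return srcs.some(s => s === origin || s === '*' || (s === "'self'" && origin === pageOrigin));
}
```

One thing an inventory of external services cannot tell you is which inline scripts the application itself relies on; those surface only as violation reports under the report-only header, and the usual remedy is a nonce or hash in `script-src` rather than `'unsafe-inline'`, which would undo most of the protection against DOM-based XSS.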
Unified Enforcement Model
All features under Client Side Security are fully integrated with FortiWeb protection profiles. Administrators configure each policy individually and apply it as part of a broader security strategy through server policies, across inline, reverse proxy, or WCCP deployment modes.
This modular, layered approach to browser-side security gives organizations fine-grained control over the client-side attack surface, helping to safeguard modern web applications against advanced client-side threat vectors.