Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.3 Administration Guide
    8.0.3
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    HTTP/HTTPS protocol constraints

    HTTP/HTTPS protocol constraints

    Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.

    Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.

    You can also set HTTP protocol constraint exception rules. HTTP protocol constraint exceptions specify certain protocol constraints from specific hosts that will not be subject to response actions defined in a protocol constraint profile. For details, see Configuring HTTP protocol constraint exceptions.

    Default HTTP protocol constraint values reflect the buffer size of your FortiWeb model’s HTTP parser. Use protocol constraints to block requests that are too large for the memory size of FortiWeb’s scan buffers.

    Failure to block items that are too large to be buffered could compromise your network’s security, and allow requests without scanning or rewriting. For details, see Buffer hardening.

    For example, if your web applications require HTTP POST requests with unusually large parameters, you would adjust the HTTP body buffer size. For details, see HTTP-cachesize in the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Next, you would configure Malformed Request and other HTTP protocol constraints to harden your configuration.

    This scan is bypassed if the client’s source IP is a known search engine and you have configured Known Search Engines in Configuring known bots.
    To configure an HTTP protocol constraint profile

    To access this part of the web UI, your administrator’s account access profile must have Read and Write permissions for items in the Web Protection Configuration category. For details, see Permissions.

    tooltip icon

    If you plan to add constraint exceptions to your HTTP protocol constraints, configure the exceptions first. For details, see Configuring HTTP protocol constraint exceptions.

    If you want to use a trigger when the rule is violated, configure that also. For details, see Viewing log messages.
    1. Go to Web Protection > Protocol and select the HTTP Protocol Constraints tab.
    2. Click Create New.
    3. To enable protocol constraints that you want the profile to monitor, toggle them in the Status column. For a brief description of a protocol constraint, click its name. Configure these settings:
      Content Length
      Content Length

      Specifies the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.

      Attack log messages contain Content Length Exceeded when this feature detects a content length buffer overflow attempt.

      Tip: RPC requests’ content length often do not match their own Content-Length: header. Attackers may also intentionally craft mismatching Content-Length: headers in an attempt to cloak buffer overflows. For those cases, use other limits instead or in addition, such as Body Length and Limiting file uploads.

      Illegal Content LengthEnable to check whether the Content-Length: header includes numeric characters only.

      Present with Transfer Encoding

      Enable to check if content-length and transfer-encoding coexist.

      Inconsistent with Body length

      Enable to check whether the response has redundant body than the content-length specified.

      HTTP Header
      Header Length

      Specifies the maximum acceptable size in bytes of all HTTP header lines.

      Attack log messages contain Total Size of All Headers Too Large when this feature detects a header size buffer overflow attempt.

      Header Name LengthSpecifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).

      Header Value LengthSpecifies the maximum acceptable size in bytes of a single HTTP header value.

      Illegal Character in Header NameEnable to check whether the HTTP header name contains illegal characters such as \r, \n, <, >.
      Illegal Character in Header ValueEnable to check whether the HTTP header value contains illegal characters such as \r, \n, <, >.
      Redundant HTTP Headers

      Enable to check whether a HTTP request contains multiple instances of Content-Length (only for HTTP/1.x), Content-Type(for both HTTP/1.x and HTTP/2) and Host (for both HTTP/1.x and HTTP/2) herder fields. These header fields are required to appear only once in a request by the RFC. Redundant HTTP headers are most probably involved in possible attacks.

      HTTP Parameter
      Total URL Parameters Length

      Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as:

      /url?parameter1=value1&parameter2=value2

      The count does not include:

      • Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
      • Parameters in the HTTP body, which can occur with HTTP POST requests. For these parameters, configure Total Body Parameters Length or Body Length instead.

      Attack log messages contain Total URL Parameters Length Exceeded when this feature detects a URL parameter line length buffer overflow attempt.

      Total Body Parameters Length

      Specifies the total maximum acceptable size in bytes of all the parameters in the HTTP body of HTTP POST requests.

      Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.

      Attack log messages contain Total Body Parameters Length Exceeded when this feature detects a total parameter size buffer overflow attempt.

      Number of URL Parameters

      Specifies the maximum number of parameters in the URL. The maximum number is 1024.

      It does not include parameters in the HTTP body, which can occur with HTTP POST requests.

      Attack log messages contain Too Many Parameters in Request when this feature detects a URL parameter count buffer overflow attempt.

      NULL Character in Parameter NameEnable to check for null characters in parameter names.
      NULL Character in Parameter ValueEnable to check for null characters in parameter values.
      Maximum URL Parameter Name Length

      Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limitation (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limitation as 3.

      Maximum URL Parameter Value Length

      Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limitation (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limitation as 3.

      Illegal Character in Parameter Name

      Enable to check whether a URL parameter name contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.

      Illegal Character in Parameter Value

      Enable to check whether a URL parameter value contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.

      Duplicate Parameter Name

      Enable to check whether a duplicate parameter name is in the header or body parameters. This protocol constraint will be triggered if:

      • There are duplicate parameter names in the header
      • There are duplicate parameter names in the body
      • A parameter name in the header is also in the body
      HTTP Request
      Illegal HTTP Request Method

      Enable to check for invalid HTTP request methods according to RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) or RFC 4918 (http://www.webdav.org/specs/rfc4918.html). Any method not defined in these RFCs—including misspellings like GETT as well as other HTTP extension methods (e.g. CalDAV) like MKCALENDAR—are considered invalid.

      Attack log messages contain Illegal HTTP Method when this feature detects an invalid HTTP request method.

      HTTP Request Filename LengthSpecifies the maximum acceptable length in bytes of the HTTP request filename.
      HTTP Request Length

      Specifies the maximum acceptable length in bytes of the entire HTTP request, including both headers and body.

      Attack log messages contain HTTP Request Length Exceeded when this feature detects an excessively large HTTP request.

      Number of Header Lines in Request

      Specifies the maximum acceptable number of lines in the HTTP header.

      Attack log messages contain Too Many Headers when this feature detects a header line count buffer overflow attempt.

      Missing Content TypeEnable to check whether the Content-Type: header is available.

      Missing Host

      Enable to check if the Host header is missing.

      For HTTP/2, Missing Host violation appears only when both the Authority and Host headers do not exist.

      Null Character in URLEnable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1. Attackers might be embed NULL characters in URL to evade detections.
      Illegal Character in URL

      Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0 - 31 and ASCII 127). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1.

      		Odd and Even Space AttackEnable to allow FortiWeb to detect Odd and Even Space Attacks.
      Malformed URL

      Enable to check whether the URL (or path for HTTP/2) in a request conform the spec by beginning with a slash ("/") character or a slash character follows the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash characters are missing, it is typically a malicious access to other protocols (e.g. SMTP) using the back-end web servers.

      HTTP/2

      		Header Compression Table Size

      Specifies the maximum acceptable size in bytes of the header compression table used to decode header blocks. Enable to check whether value of parameter SETTINGS_HEADER_TABLE_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      This field applies to HTTP/2 only.

      		Number of Concurrent Streams

      Specifies the maximum acceptable number of concurrent streams that the sender will allow the receiver to create. Enable to check whether value of parameter SETTINGS_MAX_CONCURRENT_STREAMS in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      		Initial Window Size

      Specifies the maximum acceptable sender's initial window size in bytes for stream-level flow control. Enable to check whether value of parameter SETTINGS_INITIAL_WINDOW_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      		Frame Size

      Specifies the maximum acceptable size in bytes of the frame payload that the sender is willing to receive. Enable to check whether value of parameter SETTINGS_MAX_FRAME_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      		Header List Size

      Specifies the maximum acceptable size in bytes of the header list that the sender is prepared to accept. Enable to check whether value of parameter SETTINGS_MAX_HEADER_LIST_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      HTTP/2 Max Requests

      Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.

      The default number is 1000, and the valid range is 0-65535.

      HTTP/2 RST Stream

      Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

      The default number is 50, and the valid range is 1-65535.

      HTTP/2 RST Stream Frequency

      Enable to specify the maximum occurrences of the HTTP/2 RST Stream per second.

      The default number is 5, and the valid range is 1-65535.

      HTTP/3

      Max Table Capacity

      Enable to specify the max_table_capacity value in the request SETTINGS frame, which defines the maximum size of the dynamic header table used for QPACK compression. Increasing this allows more header fields to be compressed and reused, improving efficiency for header-heavy requests, but may increase memory usage.

      The default value is 65535, and the valid range is 4096–1048576.

      Max Field Section Size

      Enable to specify the max_field_section_size value in the request SETTINGS frame, which sets the maximum allowed size (in bytes) of the compressed header block. This limits large header sets that could consume excessive resources or be used in DoS attacks.

      The default value is 131070, and the valid range is 4096–1048576.

      Blocked Streams

      Enable to specify the blocked_streams value in the request SETTINGS frame, which determines how many streams can be blocked while waiting for QPACK dynamic table updates. Higher values allow more concurrent blocked streams but may increase memory usage and latency under certain workloads.

      The default value is 50, and the valid range is 1–200.

      Bidirectional Concurrent Streams

      Enable to specify the maximum number of bidirectional streams that can be open in an HTTP/3 connection. Bidirectional streams allow both request and response data on the same stream. Lowering the limit can reduce resource consumption; increasing it can improve throughput for multi-request workloads.

      The default value is 100, and the valid range is 2–400.

      Unidirectional Concurrent Streams

      Enable to specify the maximum number of unidirectional streams that can be open in an HTTP/3 connection. Unidirectional streams are typically used for control data such as QPACK encoder/decoder streams. Adjusting this can optimize performance for applications with high control-stream usage.

      The default value is 100, and the valid range is 2–400.

      Others
      Illegal Content TypeEnable to check whether the Content Type: value uses the format <type>/<subtype>.
      Illegal Response CodeEnable to check whether the HTTP response code is a 3-digit number.
      Illegal Host Name

      Enable to check for illegal characters in the Host: line of the HTTP header, such as null characters or encoded characters.

      For example, 0x0 or %00* are illegal.

      Attack log messages contain Illegal Host Name when this feature detects an invalid host name.

      Illegal HTTP Version

      Enable to check for invalid HTTP version numbers. Currently, the only valid version strings are HTTP/0.9, HTTP/1.0 or HTTP/1.1.

      Attack log messages contain Illegal HTTP Version when this feature detects an invalid HTTP version number.

      Body Length

      Specifies the maximum acceptable size in bytes of the HTTP body.

      For requests that use the HTTP POST method, this typically includes parameters submitted by HTML form inputs. In the case of file uploads, this can normally be many megabytes. For most simple forms, however, the body should be only a few kilobytes in size at maximum.

      Attack log messages contain Body Length Exceeded when this feature detects a body size buffer overflow attempt.

      Number of Cookies In Request

      Specifies the maximum acceptable number of cookies in an HTTP request.

      Attack log messages contain Too Many Cookies in Request when this feature detects a cookie count buffer overflow attempt.

      Number of Ranges in Range Header

      Specifies the maximum acceptable number of Range: lines in each HTTP header. The default value is 5.

      Attack log messages contain Too Many Range Headers when this feature detects too many Range: header lines.

      Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many Range: headers. The default value is appropriate for un-patched versions of Apache 2.0 and Apache 2.1.

      Malformed Request

      Enable to inspect the request for:

      • Syntax errors
      • Exceeding the maximum buffer size allowed by FortiWeb’s HTTP parser

      Errors and buffer overflows can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities.

      Attack log messages contain Too Many Parameters or Too Many Flash Parameters or another message that indicates the specific cause when this feature detects a request with parser errors or a FortiWeb buffer overflow attempt.

      Caution: Fortinet strongly recommends to enable this option unless large requests/parameters are required by the web application. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. It also cannot perform rewrites. Unless you configure it to block, FortiWeb allows oversized requests to pass through without scanning or rewriting. This could allow padded attacks to pass through, and rewriting to be skipped.

      If feasible, instead of disabling this option:

      RPC Protocol

      Enable to detect traffic that uses the PRC protocol.

      WebSocket Protocol

      Enable to detect traffic that uses the WebSocket TCP-based protocol.

      Because FortiWeb acts as a pure socket proxy for WebSocket traffic, it cannot apply security features to it.

      Illegal Chunk Size

      Enable to check whether the value of Chunk Size field is a hexadecimal value. A violation will be detected if the value is presented in other numeral systems.

      Range Overlapping

      Enable to detect RangeAmp Overlapping Byte Ranges(OBR) attacks. For more information on this attack, refer to https://www.linuxadictos.com/en/rangeamp-a-series-of-cdn-attacks-that-manipulate-the-range-http-header.html.

      Multipart/form-data Bad Request

      Enable to detect whether the multipart request chunk contains the strings "Content-Disposition" and "Name". If it does not, the system will consider it a violation.

    4. To edit a protocol constraint, right-click it and select Edit. Complete the configuration according to the table below:
      5. Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
      Exception Name

      Select the HTTP constraints exception, if any, that you want to apply to this policy. For details, see Configuring HTTP protocol constraint exceptions.

      If you want to view or change the exception configuration, click Detail.
      Status Specify whether the rule applies when you apply this constraint to a profile.
      Length For rules that specify maximums, enter a maximum value.
      Action

      Select the action the FortiWeb appliance takes when it detects a violation of the rule:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

      The default value is Alert.

      Caution: This setting is ignored when Monitor Mode is enabled.

      Note: Logging and/or alert email occur only if you enable and configure it. For details, see Logging and Alert email.
      Block Period

      Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

      This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 seconds (1 hour). See also Blocked IPs.
      Severity

      When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level to use when FortiWeb logs a violation of the rule:

      • Informative
      • Low
      • Medium
      • High
      Threat Weight

      If Client Management is enabled in a web protection profile, it is possible to adjust the threat weight of each constraint. For details, see Client management.

      Trigger Action Select which trigger, if any, to use when FortiWeb logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
      HTTP Protocol Support

      HTTP/1.X Only indicates the constraint is effective against HTTP/1.x traffic only.

      HTTP/2 Only indicates the constraint is effective against HTTP/2 traffic only.

      This field will be blank if the constraint is effective against both HTTP/1.x and HTTP/2 traffic.
    5. To save the profile configuration, click OK.
    6. To apply the HTTP protocol constraint profile, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    See also

    Configuring HTTP protocol constraint exceptions

    You can configure exceptions for HTTP protocol constraints.

    HTTP protocol constraint exceptions specify certain protocol constraints from specific hosts that will not be subject to response actions defined in a protocol constraint profile. Exception rules are useful when you know that some HTTP protocol constraints will cause false positives by matching an attack signature during normal use.

    For example, if you enable an exception for the Header Length protocol constraint in an exception rule for a specific host, FortiWeb will skip the HTTP header length check when executing the web protection profile for that host.

    As another example, some web applications require very large HTTP POST requests. You can use Host Status to create an exception for the protocol constraint for those requests.

    FortiWeb matches exception rules by URL. If a URL hits a rule, FortiWeb will process the URL by the specified rule. The same URL will not be processed again even if it can hit other rules.

    For example, there is a rule with Duplicated Parameter Name enabled for URL path "/example/*", and another rule ranking lower in the table with Malformed Request enabled for "/example/abc", then FortiWeb will execute Duplicated Parameter Name rule and skip the Malformed Request rule. Because "/example/abc" is included in "/example/*", it is processed when FortiWeb executes the Duplicated Parameter Name rule.
    To configure an HTTP constraint exception

    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    1. Go to Web Protection > Protocol and select the HTTP Constraints Exceptions tab.
    2. Click Create New.
    3. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    4. Click OK.
    5. Click Create New to add an entry to the set.
    6. Configure the exception rule according to the table below:
      7. Host Status

      Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host.

      Disable to apply the exceptions to all web hosts.
      Host

      Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.

      This setting is available only if Host Status is enabled.
      Source IP Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses.
      IPv4/IPv6/IP Range

      Specify the source IP of the protected requests to which this exception applies. Only a single IPv4 or IPv6 address, or a IPv4/IPv6 range is acceptable.

      This setting is available only if Host Status is enabled.
      Request Type Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
      URL Pattern

      Depending on your selection in the Request Type field, enter either:

      • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
      • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.cfm.

      Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Note: For Malformed Request attacks, please select Regular Expression and fill URL Pattern with /*.
    7. Select the protocol constraint(s) that you want to add to the exception rule according to the table below:
      Content Length
      Content LengthEnable to omit the constraint on the maximum acceptable size in bytes of the request body.
      Illegal Content LengthEnable to omit the constraint on whether the Content-Length: header includes numeric characters only.

      Present with Transfer Encoding

      Enable to omit the constraint on whether a request contains both a Content-Length header and a Transfer-Encoding header, which is not allowed by HTTP/1.1

      Inconsistent with Body Length

      Enable to omit the constraint on whether the value in the Content-Length header matches the actual size of the request body, which could indicate malformed or manipulated requests.

      HTTP Header
      Header LengthEnable to omit the constraint on the maximum acceptable size in bytes of the HTTP header.
      Header Name LengthEnable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header name.
      Header Value LengthEnable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header value.
      Illegal Character in Header NameEnable to omit the constraint on whether the HTTP header name contains illegal characters.
      Illegal Character in Header ValueEnable to omit the constraint on whether the HTTP header value contains illegal characters.
      Redundant HTTP Headers

      Enable to omit the constraint on the redundant instances of Content-Length, Content-Type and Host herder fields.

      HTTP Parameter
      Total URL Parameter LengthEnable to omit the constraint on the maximum acceptable size of an URL parameter (including the name and value).
      Total Body Parameters LengthEnable to omit the constraint on the maximum acceptable size in bytes of all parameters in the HTTP body of HTTP POST requests.
      Number of URL ParametersEnable to omit the constraint on the maximum number of parameters in the URL.
      NULL Character in Parameter NameEnable to omit the constraint on null characters in parameter names.
      NULL Character in Parameter ValueEnable to omit the constraint on null characters in parameter values.
      Maximum URL Parameter Name LengthEnable to omit the constraint on the maximum acceptable length in bytes of the parameter name.
      Maximum URL Parameter Value LengthEnable to omit the constraint on the maximum acceptable length in bytes of the parameter value.
      Illegal Character in Parameter NameEnable to omit the constraint on illegal characters in the parameter name.
      Illegal Character in Parameter ValueEnable to omit the constraint on illegal characters in the parameter value.
      Duplicated Parameter NameEnable to omit the constraint on duplicate parameter names.
      HTTP Request
      Illegal HTTP Request MethodEnable to omit the constraint on to check for invalid HTTP version numbers.
      HTTP Request Filename LengthEnable to omit the constraint on the maximum acceptable length in bytes of the HTTP request filename.
      HTTP Request LengthEnable to omit the constraint on the maximum acceptable length in bytes of the HTTP request.
      Number of Header Lines In RequestEnable to omit the constraint on the maximum acceptable number of lines in the HTTP header.
      Missing Content TypeEnable to omit the constraint on whether the Content-Type: header is available.

      Missing Host

      Enable to omit the constraint on whether the Host header is present in the request. This header is mandatory in HTTP/1.1 and later for proper virtual host routing.

      		NULL Character in URLEnable to omit the constraint on null characters in URL.

      		Illegal Character in URLEnable to omit the constraint on illegal characters in URL.

      		Odd and Even Space AttackEnable to omit the constraint on detecting Odd and Even Space Attack.

      HTTP/2

      HTTP/2 Max Requests

      Enable to omit the constraint on the maximum acceptable number of requests in an HTTP/2 connection.

      HTTP/2 RST Stream

      Enable to omit the constraint on the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

      HTTP/2 RST Stream Frequency

      Enable to omit the constraint on the maximum occurrences of the HTTP/2 RST Stream occurs per second.

      HTTP/3

      Bidirectional Concurrent Streams

      Enable to omit the constraint on the maximum acceptable number of bidirectional concurrent streams in an HTTP/3 connection. Use when clients legitimately open many concurrent request/response streams; this may increase per‑connection resource usage.

      Unidirectional Concurrent Streams

      Enable to omit the constraint on the maximum acceptable number of unidirectional concurrent streams in an HTTP/3 connection. Use when control or ancillary streams are opened in high numbers; this may increase per‑connection resource usage.

      Others
      Illegal Content TypeEnable to omit the constraint on whether the Content Type: value uses the format <type>/<subtype>.
      Illegal Host NameEnable to omit the constraint on invalid characters in the Host: line of the HTTP header, such as null characters or encoded characters.
      Body LengthEnable to omit the constraint on the maximum acceptable size in bytes of the HTTP body.
      Number of Cookies In RequestEnable to omit the constraint on the maximum acceptable number of cookies in an HTTP request.
      Number of Ranges in Range Header

      Enable to omit the constraint on the maximum acceptable number of Range: lines in an HTTP header.

      Note: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many Range: headers. If your web servers do not run Apache and are not vulnerable to this attack, mark this check box to omit it from the scan and improve performance.

      Malformed Request

      Enable to omit the constraint on syntax and FortiWeb parsing errors.

      Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.

      RPC Protocol

      Enable to omit detecting traffic that uses the PRC protocol.

      		WebSocket ProtocolEnable to omit detecting traffic that uses the WebSocket TCP-based protocol.

      Range Overlapping

      Enable to omit the constraint on whether multiple Range header values overlap. Overlapping ranges can be used in certain DoS attacks to exhaust server processing resources.

      Multipart/form-data Bad Request

      Enable to omit the constraint on whether a multipart/form-data request is malformed, such as having incorrect boundary markers, invalid part headers, or mismatched content lengths.

    8. Click OK.
    9. Repeat the previous steps for each exception rule you want to add to the exception.
    10. Select the HTTP protocol constraint exception(s) in an HTTP protocol constraint profile. For details, see To configure an HTTP protocol constraint profile.
    See also
    Previous
    Next

    HTTP/HTTPS protocol constraints

    HTTP/HTTPS protocol constraints

    Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.

    Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.

    You can also set HTTP protocol constraint exception rules. HTTP protocol constraint exceptions specify certain protocol constraints from specific hosts that will not be subject to response actions defined in a protocol constraint profile. For details, see Configuring HTTP protocol constraint exceptions.

    Default HTTP protocol constraint values reflect the buffer size of your FortiWeb model’s HTTP parser. Use protocol constraints to block requests that are too large for the memory size of FortiWeb’s scan buffers.

    Failure to block items that are too large to be buffered could compromise your network’s security, and allow requests without scanning or rewriting. For details, see Buffer hardening.

    For example, if your web applications require HTTP POST requests with unusually large parameters, you would adjust the HTTP body buffer size. For details, see HTTP-cachesize in the FortiWeb CLI Reference:

    https://docs.fortinet.com/product/fortiweb/

    Next, you would configure Malformed Request and other HTTP protocol constraints to harden your configuration.

    This scan is bypassed if the client’s source IP is a known search engine and you have configured Known Search Engines in Configuring known bots.
    To configure an HTTP protocol constraint profile

    To access this part of the web UI, your administrator’s account access profile must have Read and Write permissions for items in the Web Protection Configuration category. For details, see Permissions.

    tooltip icon

    If you plan to add constraint exceptions to your HTTP protocol constraints, configure the exceptions first. For details, see Configuring HTTP protocol constraint exceptions.

    If you want to use a trigger when the rule is violated, configure that also. For details, see Viewing log messages.
    1. Go to Web Protection > Protocol and select the HTTP Protocol Constraints tab.
    2. Click Create New.
    3. To enable protocol constraints that you want the profile to monitor, toggle them in the Status column. For a brief description of a protocol constraint, click its name. Configure these settings:
      Content Length
      Content Length

      Specifies the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.

      Attack log messages contain Content Length Exceeded when this feature detects a content length buffer overflow attempt.

      Tip: RPC requests’ content length often do not match their own Content-Length: header. Attackers may also intentionally craft mismatching Content-Length: headers in an attempt to cloak buffer overflows. For those cases, use other limits instead or in addition, such as Body Length and Limiting file uploads.

      Illegal Content LengthEnable to check whether the Content-Length: header includes numeric characters only.

      Present with Transfer Encoding

      Enable to check if content-length and transfer-encoding coexist.

      Inconsistent with Body length

      Enable to check whether the response has redundant body than the content-length specified.

      HTTP Header
      Header Length

      Specifies the maximum acceptable size in bytes of all HTTP header lines.

      Attack log messages contain Total Size of All Headers Too Large when this feature detects a header size buffer overflow attempt.

      Header Name LengthSpecifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).

      Header Value LengthSpecifies the maximum acceptable size in bytes of a single HTTP header value.

      Illegal Character in Header NameEnable to check whether the HTTP header name contains illegal characters such as \r, \n, <, >.
      Illegal Character in Header ValueEnable to check whether the HTTP header value contains illegal characters such as \r, \n, <, >.
      Redundant HTTP Headers

      Enable to check whether a HTTP request contains multiple instances of Content-Length (only for HTTP/1.x), Content-Type(for both HTTP/1.x and HTTP/2) and Host (for both HTTP/1.x and HTTP/2) herder fields. These header fields are required to appear only once in a request by the RFC. Redundant HTTP headers are most probably involved in possible attacks.

      HTTP Parameter
      Total URL Parameters Length

      Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as:

      /url?parameter1=value1&parameter2=value2

      The count does not include:

      • Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
      • Parameters in the HTTP body, which can occur with HTTP POST requests. For these parameters, configure Total Body Parameters Length or Body Length instead.

      Attack log messages contain Total URL Parameters Length Exceeded when this feature detects a URL parameter line length buffer overflow attempt.

      Total Body Parameters Length

      Specifies the total maximum acceptable size in bytes of all the parameters in the HTTP body of HTTP POST requests.

      Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.

      Attack log messages contain Total Body Parameters Length Exceeded when this feature detects a total parameter size buffer overflow attempt.

      Number of URL Parameters

      Specifies the maximum number of parameters in the URL. The maximum number is 1024.

      It does not include parameters in the HTTP body, which can occur with HTTP POST requests.

      Attack log messages contain Too Many Parameters in Request when this feature detects a URL parameter count buffer overflow attempt.

      NULL Character in Parameter NameEnable to check for null characters in parameter names.
      NULL Character in Parameter ValueEnable to check for null characters in parameter values.
      Maximum URL Parameter Name Length

      Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limitation (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limitation as 3.

      Maximum URL Parameter Value Length

      Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limitation (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limitation as 3.

      Illegal Character in Parameter Name

      Enable to check whether a URL parameter name contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.

      Illegal Character in Parameter Value

      Enable to check whether a URL parameter value contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.

      Duplicate Parameter Name

      Enable to check whether a duplicate parameter name is in the header or body parameters. This protocol constraint will be triggered if:

      • There are duplicate parameter names in the header
      • There are duplicate parameter names in the body
      • A parameter name in the header is also in the body
      HTTP Request
      Illegal HTTP Request Method

      Enable to check for invalid HTTP request methods according to RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) or RFC 4918 (http://www.webdav.org/specs/rfc4918.html). Any method not defined in these RFCs—including misspellings like GETT as well as other HTTP extension methods (e.g. CalDAV) like MKCALENDAR—are considered invalid.

      Attack log messages contain Illegal HTTP Method when this feature detects an invalid HTTP request method.

      HTTP Request Filename LengthSpecifies the maximum acceptable length in bytes of the HTTP request filename.
      HTTP Request Length

      Specifies the maximum acceptable length in bytes of the entire HTTP request, including both headers and body.

      Attack log messages contain HTTP Request Length Exceeded when this feature detects an excessively large HTTP request.

      Number of Header Lines in Request

      Specifies the maximum acceptable number of lines in the HTTP header.

      Attack log messages contain Too Many Headers when this feature detects a header line count buffer overflow attempt.

      Missing Content TypeEnable to check whether the Content-Type: header is available.

      Missing Host

      Enable to check if the Host header is missing.

      For HTTP/2, Missing Host violation appears only when both the Authority and Host headers do not exist.

      Null Character in URLEnable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1. Attackers might be embed NULL characters in URL to evade detections.
      Illegal Character in URL

      Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0 - 31 and ASCII 127). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1.

      		Odd and Even Space AttackEnable to allow FortiWeb to detect Odd and Even Space Attacks.
      Malformed URL

      Enable to check whether the URL (or path for HTTP/2) in a request conform the spec by beginning with a slash ("/") character or a slash character follows the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash characters are missing, it is typically a malicious access to other protocols (e.g. SMTP) using the back-end web servers.

      HTTP/2

      		Header Compression Table Size

      Specifies the maximum acceptable size in bytes of the header compression table used to decode header blocks. Enable to check whether value of parameter SETTINGS_HEADER_TABLE_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      This field applies to HTTP/2 only.

      		Number of Concurrent Streams

      Specifies the maximum acceptable number of concurrent streams that the sender will allow the receiver to create. Enable to check whether value of parameter SETTINGS_MAX_CONCURRENT_STREAMS in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      		Initial Window Size

      Specifies the maximum acceptable sender's initial window size in bytes for stream-level flow control. Enable to check whether value of parameter SETTINGS_INITIAL_WINDOW_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      		Frame Size

      Specifies the maximum acceptable size in bytes of the frame payload that the sender is willing to receive. Enable to check whether value of parameter SETTINGS_MAX_FRAME_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      		Header List Size

      Specifies the maximum acceptable size in bytes of the header list that the sender is prepared to accept. Enable to check whether value of parameter SETTINGS_MAX_HEADER_LIST_SIZE in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly.

      HTTP/2 Max Requests

      Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.

      The default number is 1000, and the valid range is 0-65535.

      HTTP/2 RST Stream

      Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

      The default number is 50, and the valid range is 1-65535.

      HTTP/2 RST Stream Frequency

      Enable to specify the maximum occurrences of the HTTP/2 RST Stream per second.

      The default number is 5, and the valid range is 1-65535.

      HTTP/3

      Max Table Capacity

      Enable to specify the max_table_capacity value in the request SETTINGS frame, which defines the maximum size of the dynamic header table used for QPACK compression. Increasing this allows more header fields to be compressed and reused, improving efficiency for header-heavy requests, but may increase memory usage.

      The default value is 65535, and the valid range is 4096–1048576.

      Max Field Section Size

      Enable to specify the max_field_section_size value in the request SETTINGS frame, which sets the maximum allowed size (in bytes) of the compressed header block. This limits large header sets that could consume excessive resources or be used in DoS attacks.

      The default value is 131070, and the valid range is 4096–1048576.

      Blocked Streams

      Enable to specify the blocked_streams value in the request SETTINGS frame, which determines how many streams can be blocked while waiting for QPACK dynamic table updates. Higher values allow more concurrent blocked streams but may increase memory usage and latency under certain workloads.

      The default value is 50, and the valid range is 1–200.

      Bidirectional Concurrent Streams

      Enable to specify the maximum number of bidirectional streams that can be open in an HTTP/3 connection. Bidirectional streams allow both request and response data on the same stream. Lowering the limit can reduce resource consumption; increasing it can improve throughput for multi-request workloads.

      The default value is 100, and the valid range is 2–400.

      Unidirectional Concurrent Streams

      Enable to specify the maximum number of unidirectional streams that can be open in an HTTP/3 connection. Unidirectional streams are typically used for control data such as QPACK encoder/decoder streams. Adjusting this can optimize performance for applications with high control-stream usage.

      The default value is 100, and the valid range is 2–400.

      Others
      Illegal Content TypeEnable to check whether the Content Type: value uses the format <type>/<subtype>.
      Illegal Response CodeEnable to check whether the HTTP response code is a 3-digit number.
      Illegal Host Name

      Enable to check for illegal characters in the Host: line of the HTTP header, such as null characters or encoded characters.

      For example, 0x0 or %00* are illegal.

      Attack log messages contain Illegal Host Name when this feature detects an invalid host name.

      Illegal HTTP Version

      Enable to check for invalid HTTP version numbers. Currently, the only valid version strings are HTTP/0.9, HTTP/1.0 or HTTP/1.1.

      Attack log messages contain Illegal HTTP Version when this feature detects an invalid HTTP version number.

      Body Length

      Specifies the maximum acceptable size in bytes of the HTTP body.

      For requests that use the HTTP POST method, this typically includes parameters submitted by HTML form inputs. In the case of file uploads, this can normally be many megabytes. For most simple forms, however, the body should be only a few kilobytes in size at maximum.

      Attack log messages contain Body Length Exceeded when this feature detects a body size buffer overflow attempt.

      Number of Cookies In Request

      Specifies the maximum acceptable number of cookies in an HTTP request.

      Attack log messages contain Too Many Cookies in Request when this feature detects a cookie count buffer overflow attempt.

      Number of Ranges in Range Header

      Specifies the maximum acceptable number of Range: lines in each HTTP header. The default value is 5.

      Attack log messages contain Too Many Range Headers when this feature detects too many Range: header lines.

      Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many Range: headers. The default value is appropriate for un-patched versions of Apache 2.0 and Apache 2.1.

      Malformed Request

      Enable to inspect the request for:

      • Syntax errors
      • Exceeding the maximum buffer size allowed by FortiWeb’s HTTP parser

      Errors and buffer overflows can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities.

      Attack log messages contain Too Many Parameters or Too Many Flash Parameters or another message that indicates the specific cause when this feature detects a request with parser errors or a FortiWeb buffer overflow attempt.

      Caution: Fortinet strongly recommends to enable this option unless large requests/parameters are required by the web application. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. It also cannot perform rewrites. Unless you configure it to block, FortiWeb allows oversized requests to pass through without scanning or rewriting. This could allow padded attacks to pass through, and rewriting to be skipped.

      If feasible, instead of disabling this option:

      RPC Protocol

      Enable to detect traffic that uses the PRC protocol.

      WebSocket Protocol

      Enable to detect traffic that uses the WebSocket TCP-based protocol.

      Because FortiWeb acts as a pure socket proxy for WebSocket traffic, it cannot apply security features to it.

      Illegal Chunk Size

      Enable to check whether the value of Chunk Size field is a hexadecimal value. A violation will be detected if the value is presented in other numeral systems.

      Range Overlapping

      Enable to detect RangeAmp Overlapping Byte Ranges(OBR) attacks. For more information on this attack, refer to https://www.linuxadictos.com/en/rangeamp-a-series-of-cdn-attacks-that-manipulate-the-range-http-header.html.

      Multipart/form-data Bad Request

      Enable to detect whether the multipart request chunk contains the strings "Content-Disposition" and "Name". If it does not, the system will consider it a violation.

    4. To edit a protocol constraint, right-click it and select Edit. Complete the configuration according to the table below:
      5. Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.
      Exception Name

      Select the HTTP constraints exception, if any, that you want to apply to this policy. For details, see Configuring HTTP protocol constraint exceptions.

      If you want to view or change the exception configuration, click Detail.
      Status Specify whether the rule applies when you apply this constraint to a profile.
      Length For rules that specify maximums, enter a maximum value.
      Action

      Select the action the FortiWeb appliance takes when it detects a violation of the rule:

      • Alert—Accept the connection and generate an alert email and/or log message.

      • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

      • Deny (no log)—Block the request (or reset the connection).

      • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.

        You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see Customizing error and authentication pages (replacement messages).

        Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP. Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. For details, see Defining your proxies, clients, & X-headers.

      The default value is Alert.

      Caution: This setting is ignored when Monitor Mode is enabled.

      Note: Logging and/or alert email occur only if you enable and configure it. For details, see Logging and Alert email.
      Block Period

      Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

      This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 seconds (1 hour). See also Blocked IPs.
      Severity

      When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level to use when FortiWeb logs a violation of the rule:

      • Informative
      • Low
      • Medium
      • High
      Threat Weight

      If Client Management is enabled in a web protection profile, it is possible to adjust the threat weight of each constraint. For details, see Client management.

      Trigger Action Select which trigger, if any, to use when FortiWeb logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
      HTTP Protocol Support

      HTTP/1.X Only indicates the constraint is effective against HTTP/1.x traffic only.

      HTTP/2 Only indicates the constraint is effective against HTTP/2 traffic only.

      This field will be blank if the constraint is effective against both HTTP/1.x and HTTP/2 traffic.
    5. To save the profile configuration, click OK.
    6. To apply the HTTP protocol constraint profile, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
    See also

    Configuring HTTP protocol constraint exceptions

    You can configure exceptions for HTTP protocol constraints.

    HTTP protocol constraint exceptions specify certain protocol constraints from specific hosts that will not be subject to response actions defined in a protocol constraint profile. Exception rules are useful when you know that some HTTP protocol constraints will cause false positives by matching an attack signature during normal use.

    For example, if you enable an exception for the Header Length protocol constraint in an exception rule for a specific host, FortiWeb will skip the HTTP header length check when executing the web protection profile for that host.

    As another example, some web applications require very large HTTP POST requests. You can use Host Status to create an exception for the protocol constraint for those requests.

    FortiWeb matches exception rules by URL. If a URL hits a rule, FortiWeb will process the URL by the specified rule. The same URL will not be processed again even if it can hit other rules.

    For example, there is a rule with Duplicated Parameter Name enabled for URL path "/example/*", and another rule ranking lower in the table with Malformed Request enabled for "/example/abc", then FortiWeb will execute Duplicated Parameter Name rule and skip the Malformed Request rule. Because "/example/abc" is included in "/example/*", it is processed when FortiWeb executes the Duplicated Parameter Name rule.
    To configure an HTTP constraint exception

    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    1. Go to Web Protection > Protocol and select the HTTP Constraints Exceptions tab.
    2. Click Create New.
    3. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    4. Click OK.
    5. Click Create New to add an entry to the set.
    6. Configure the exception rule according to the table below:
      7. Host Status

      Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host.

      Disable to apply the exceptions to all web hosts.
      Host

      Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies.

      This setting is available only if Host Status is enabled.
      Source IP Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses.
      IPv4/IPv6/IP Range

      Specify the source IP of the protected requests to which this exception applies. Only a single IPv4 or IPv6 address, or a IPv4/IPv6 range is acceptable.

      This setting is available only if Host Status is enabled.
      Request Type Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
      URL Pattern

      Depending on your selection in the Request Type field, enter either:

      • the literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).
      • a regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.cfm.

      Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

      To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

      Note: For Malformed Request attacks, please select Regular Expression and fill URL Pattern with /*.
    7. Select the protocol constraint(s) that you want to add to the exception rule according to the table below:
      Content Length
      Content LengthEnable to omit the constraint on the maximum acceptable size in bytes of the request body.
      Illegal Content LengthEnable to omit the constraint on whether the Content-Length: header includes numeric characters only.

      Present with Transfer Encoding

      Enable to omit the constraint on whether a request contains both a Content-Length header and a Transfer-Encoding header, which is not allowed by HTTP/1.1

      Inconsistent with Body Length

      Enable to omit the constraint on whether the value in the Content-Length header matches the actual size of the request body, which could indicate malformed or manipulated requests.

      HTTP Header
      Header LengthEnable to omit the constraint on the maximum acceptable size in bytes of the HTTP header.
      Header Name LengthEnable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header name.
      Header Value LengthEnable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header value.
      Illegal Character in Header NameEnable to omit the constraint on whether the HTTP header name contains illegal characters.
      Illegal Character in Header ValueEnable to omit the constraint on whether the HTTP header value contains illegal characters.
      Redundant HTTP Headers

      Enable to omit the constraint on the redundant instances of Content-Length, Content-Type and Host herder fields.

      HTTP Parameter
      Total URL Parameter LengthEnable to omit the constraint on the maximum acceptable size of an URL parameter (including the name and value).
      Total Body Parameters LengthEnable to omit the constraint on the maximum acceptable size in bytes of all parameters in the HTTP body of HTTP POST requests.
      Number of URL ParametersEnable to omit the constraint on the maximum number of parameters in the URL.
      NULL Character in Parameter NameEnable to omit the constraint on null characters in parameter names.
      NULL Character in Parameter ValueEnable to omit the constraint on null characters in parameter values.
      Maximum URL Parameter Name LengthEnable to omit the constraint on the maximum acceptable length in bytes of the parameter name.
      Maximum URL Parameter Value LengthEnable to omit the constraint on the maximum acceptable length in bytes of the parameter value.
      Illegal Character in Parameter NameEnable to omit the constraint on illegal characters in the parameter name.
      Illegal Character in Parameter ValueEnable to omit the constraint on illegal characters in the parameter value.
      Duplicated Parameter NameEnable to omit the constraint on duplicate parameter names.
      HTTP Request
      Illegal HTTP Request MethodEnable to omit the constraint on to check for invalid HTTP version numbers.
      HTTP Request Filename LengthEnable to omit the constraint on the maximum acceptable length in bytes of the HTTP request filename.
      HTTP Request LengthEnable to omit the constraint on the maximum acceptable length in bytes of the HTTP request.
      Number of Header Lines In RequestEnable to omit the constraint on the maximum acceptable number of lines in the HTTP header.
      Missing Content TypeEnable to omit the constraint on whether the Content-Type: header is available.

      Missing Host

      Enable to omit the constraint on whether the Host header is present in the request. This header is mandatory in HTTP/1.1 and later for proper virtual host routing.

      		NULL Character in URLEnable to omit the constraint on null characters in URL.

      		Illegal Character in URLEnable to omit the constraint on illegal characters in URL.

      		Odd and Even Space AttackEnable to omit the constraint on detecting Odd and Even Space Attack.

      HTTP/2

      HTTP/2 Max Requests

      Enable to omit the constraint on the maximum acceptable number of requests in an HTTP/2 connection.

      HTTP/2 RST Stream

      Enable to omit the constraint on the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

      HTTP/2 RST Stream Frequency

      Enable to omit the constraint on the maximum occurrences of the HTTP/2 RST Stream occurs per second.

      HTTP/3

      Bidirectional Concurrent Streams

      Enable to omit the constraint on the maximum acceptable number of bidirectional concurrent streams in an HTTP/3 connection. Use when clients legitimately open many concurrent request/response streams; this may increase per‑connection resource usage.

      Unidirectional Concurrent Streams

      Enable to omit the constraint on the maximum acceptable number of unidirectional concurrent streams in an HTTP/3 connection. Use when control or ancillary streams are opened in high numbers; this may increase per‑connection resource usage.

      Others
      Illegal Content TypeEnable to omit the constraint on whether the Content Type: value uses the format <type>/<subtype>.
      Illegal Host NameEnable to omit the constraint on invalid characters in the Host: line of the HTTP header, such as null characters or encoded characters.
      Body LengthEnable to omit the constraint on the maximum acceptable size in bytes of the HTTP body.
      Number of Cookies In RequestEnable to omit the constraint on the maximum acceptable number of cookies in an HTTP request.
      Number of Ranges in Range Header

      Enable to omit the constraint on the maximum acceptable number of Range: lines in an HTTP header.

      Note: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many Range: headers. If your web servers do not run Apache and are not vulnerable to this attack, mark this check box to omit it from the scan and improve performance.

      Malformed Request

      Enable to omit the constraint on syntax and FortiWeb parsing errors.

      Caution: Some web applications require abnormal or very large HTTP POST requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.

      RPC Protocol

      Enable to omit detecting traffic that uses the PRC protocol.

      		WebSocket ProtocolEnable to omit detecting traffic that uses the WebSocket TCP-based protocol.

      Range Overlapping

      Enable to omit the constraint on whether multiple Range header values overlap. Overlapping ranges can be used in certain DoS attacks to exhaust server processing resources.

      Multipart/form-data Bad Request

      Enable to omit the constraint on whether a multipart/form-data request is malformed, such as having incorrect boundary markers, invalid part headers, or mismatched content lengths.

    8. Click OK.
    9. Repeat the previous steps for each exception rule you want to add to the exception.
    10. Select the HTTP protocol constraint exception(s) in an HTTP protocol constraint profile. For details, see To configure an HTTP protocol constraint profile.
    See also
    Previous
    Next