CLI Reference

waf subresource-integrity-rule

Use this command to configure a Subresource Integrity (SRI) Rule for use in a Subresource Integrity Policy.

A Subresource Integrity (SRI) Rule defines a single external resource that should be validated by the browser before execution. The rule specifies the resource’s expected cryptographic hash and how cross-origin credentials should be handled during the load process. This is useful for JavaScript files, stylesheets, and other assets hosted on third-party CDNs or untrusted sources.

FortiWeb uses this rule to inject integrity and cross-origin attributes into the corresponding <script>, <link>, or other resource tags in server responses. This ensures that only untampered content is executed on the client side, protecting against risks such as supply chain compromise or JavaScript drift.

Each rule targets a specific URL and must be referenced by a Subresource Integrity Policy to be enforced.

Note: A Subresource Integrity Policy is also required to enable full enforcement capabilities in Client-Side Protection. When used together, SRI and Client-Side Protection provide comprehensive in-browser defense against content manipulation and unauthorized script execution.

Syntax

config waf subresource-integrity-rule
  edit <name>
    set url <string>
    set integrity-hash <string>
    set cross-origin {anonymous|use-credentials}
  next
end

Variable / Description / Default

<name>
  A unique identifier for the rule. This name is used internally when associating the rule with a Subresource Integrity Policy.
  Default: No default

url <string>
  The absolute URL of the external resource to be protected. This should match the exact resource reference used in the HTML content (e.g., https://cdn.example.com/lib/app.js). FortiWeb uses this URL to locate matching <script>, <link>, or other resource tags in server responses and apply the appropriate integrity attributes.
  Default: No default

integrity-hash <string>
  The expected cryptographic hash of the resource, formatted as <algorithm>-<base64-encoded hash>, such as sha384-abcd123...==. The hash must match the actual content of the resource byte-for-byte. If the resource is modified or replaced, the browser will block it from execution. The total length of the integrity hash string must not exceed 1024 characters, including hash algorithms and separating spaces.
  Default: No default

cross-origin {anonymous|use-credentials}
  Determines how the browser handles credentialed requests when fetching the resource:
    • anonymous – Instructs the browser to fetch the resource without sending cookies, client certificates, or HTTP authentication headers. Recommended for public assets (e.g., third-party CDNs) to prevent credential leakage and reduce CSRF exposure.
    • use-credentials – Instructs the browser to include credentials in the request. Required when the resource is hosted behind authentication (e.g., user-specific content or private APIs).
  The default is anonymous, which offers better isolation for shared resources.
  Default: anonymous

Example

config waf subresource-integrity-rule
  edit "trusted-jquery"
    set url https://cdn.example.com/js/jquery-3.6.0.min.js
    set integrity-hash sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxEMn5Dj8WHz03a+0I4AfA+d+dXbYwK
    set cross-origin anonymous
  next
end
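The following is an added example (not FortiWeb code or Fortinet's) that shows the three pieces the rule above relies on: producing an integrity-hash value in the <algorithm>-<base64> form, checking it against the page's 1024-character limit, and rewriting a <script>/<link> tag for the rule's URL with integrity and crossorigin attributes the way the rule asks FortiWeb to, plus a simplified model of the byte-for-byte check the browser then performs. The script body, HTML response and attribute order are constructed assumptions.

```python
import base64
import hashlib
import re

# Constructed sample inputs (not from the page): a stand-in script body and an HTML
# response that references it by the exact URL a FortiWeb SRI rule would name.
SAMPLE_JS = b"window.jq = function () { return 'constructed sample script'; };\n"
SAMPLE_HTML = ('<head><script src="https://cdn.example.com/js/jquery-3.6.0.min.js"></script>'
               '<script src="https://cdn.example.com/js/other.js"></script></head>')
ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
TOKEN = re.compile(r"^(sha256|sha384|sha512)-[A-Za-z0-9+/]+={0,2}$")

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the <algorithm>-<base64 digest> value that integrity-hash expects."""
    digest = ALGOS[algo](content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def validate_integrity_hash(value: str) -> bool:
    """Apply the page's constraints: space-separated <algo>-<base64> tokens, 1024 chars max."""
    if not value or len(value) > 1024:
        return False
    return all(TOKEN.match(t) for t in value.split())

def inject_sri(html: str, url: str, integrity: str, cross_origin: str = "anonymous") -> str:
    """Add integrity and crossorigin to <script src=url> / <link href=url> tags, the
    rewrite the rule asks FortiWeb to perform (attribute order here is an assumption)."""
    pat = re.compile(r'<(script|link)\b([^>]*?)\b(src|href)="' + re.escape(url) + r'"([^>]*)>')
    def repl(m):
        tag, before, attr, after = m.groups()
        if "integrity=" in before + after:
            return m.group(0)  # already carries SRI; do not inject twice
        return (f'<{tag}{before}{attr}="{url}" integrity="{integrity}" '
                f'crossorigin="{cross_origin}"{after}>')
    return pat.sub(repl, html)

def browser_accepts(content: bytes, integrity: str) -> bool:
    """Model the browser check: only tokens of the strongest listed algorithm count, and the
    fetched bytes must match one of them byte-for-byte (simplified from the SRI spec)."""
    tokens = [t for t in integrity.split() if TOKEN.match(t)]
    if not tokens:
        return False
    rank = list(ALGOS)  # sha256 < sha384 < sha512
    strongest = rank[max(rank.index(t.split("-", 1)[0]) for t in tokens)]
    return any(sri_hash(content, strongest) == t for t in tokens if t.startswith(strongest))

if __name__ == "__main__":
    h = sri_hash(SAMPLE_JS)
    print(inject_sri(SAMPLE_HTML, "https://cdn.example.com/js/jquery-3.6.0.min.js", h))
    print("unmodified accepted:", browser_accepts(SAMPLE_JS, h))       # True
    print("modified accepted:", browser_accepts(SAMPLE_JS + b"//", h))  # False
```

Generate the value for a real asset by hashing the exact bytes the CDN serves; any later change to the file, including minifier or version drift, changes the digest and the browser refuses to run it.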
