CLI Reference

waf http-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

For more information on HTTP Header Security, see the FortiWeb Administration Guide:

https://docs.fortinet.com/document/fortiweb

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config waf http-header-security
edit "<HTTP-header-security_name>"
set request-status {enable | disable}
set request-type {plain | regular}
set request-file "<request-file_str>"
config HTTP-header-security-list
edit <entry-index_int>
set name {x-frame-options | x-content-type-options | x-xss-protection | content-security-policy | feature-policy | permissions-policy | referrer-policy | cross-origin-resource-policy | cross-origin-embedder-policy | cross-origin-opener-policy | clear-site-data | timing-allow-origin | content-security-policy-report-only}
set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}
set allow-from-source "<allow-from_str>"
next
end
next
end

Variable Description Default

"<HTTP-header-security_name>"

Enter the name of the HTTP header security policy. The maximum length is 63 characters. No default.

request-status {enable | disable}

Enable to apply a URL filter, so that the policy inserts its headers only into responses to requests whose URL matches request-file. When disabled, the headers are inserted for every response the policy applies to. disable

request-type {plain | regular}

Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL filter.

Available only if request-status is set to enable.

No default.

request-file "<request-file_str>"

Sets the Request URL that the URL filter matches against.

Available only if request-status is set to enable.

No default.

<entry-index_int>

Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy. No default.

name {x-frame-options | x-content-type-options | x-xss-protection | content-security-policy | feature-policy | permissions-policy | referrer-policy | cross-origin-resource-policy | cross-origin-embedder-policy | cross-origin-opener-policy | clear-site-data | timing-allow-origin | content-security-policy-report-only}

Specifies the HTTP security header type to configure in this Secure Header Rule. The following types are supported:

  • x-frame-options – Prevents clickjacking by restricting how your site can be embedded in frames. Supports the values DENY, SAMEORIGIN, and ALLOW-FROM. Note that ALLOW-FROM is obsolete and ignored by current browsers; to permit framing from one specific origin, use a content-security-policy rule with a frame-ancestors directive instead.

  • x-content-type-options – Prevents MIME sniffing attacks by disabling the browser's content-type guessing. Use nosniff.

  • x-xss-protection – Enables the browser's legacy built-in XSS filter. Supports sanitizing or blocking modes. Current browsers have removed this filter, so treat the header as defence in depth for older clients and rely on content-security-policy as the primary XSS mitigation.

  • content-security-policy – Adds a Content-Security-Policy header to control the sources of content that can be loaded, helping prevent XSS and injection attacks.

  • feature-policy – Allows or denies the use of browser features (e.g., camera, fullscreen, geolocation) in the page and embedded iframes.

  • permissions-policy – Replaces feature-policy and provides the same control over browser feature access. Recommended for new configurations.

  • referrer-policy – Controls how much referrer information is included in outbound requests. Supports values like no-referrer, origin, same-origin, and others.

  • cross-origin-resource-policy (CORP) – Restricts which origins can load resources, enforcing same-origin or same-site rules.

  • cross-origin-embedder-policy (COEP) – Requires embedded cross-origin resources to send valid CORS or CORP headers. Needed for features like SharedArrayBuffer.

  • cross-origin-opener-policy (COOP) – Isolates browsing context from popups or tabs to prevent cross-origin access and side-channel attacks.

  • clear-site-data – Instructs the browser to clear cookies, local storage, cache, or all data types. Supports values like "cookies", "storage", "cache", "*".

  • timing-allow-origin – Specifies which origins can access high-resolution performance timing data. Use a specific trusted origin.

  • content-security-policy-report-only – Adds a Content-Security-Policy header in report-only mode. Use this for testing policy enforcement without blocking violations.

No default.

value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

Defines the response according to the defined Secure Header Type.

The x-frame-options header can be implemented with one of the following options:

  • deny—The browser will not allow any frame to be displayed.
  • sameorigin—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • allow-from—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.

The x-content-type-options header can be implemented with one option:

  • nosniff—The browser uses only the declared Content-Type and does not sniff the response body to guess a different type, which stops content such as uploaded files from being interpreted as HTML or script.

The x-xss-protection header can be implemented with one of the following options:

  • sanitizing-mode—The browser attempts to rewrite the page to neutralize the malicious script when an XSS attack is detected. Prefer block-mode: selectively rewriting the page can itself be abused.
  • block-mode—The browser refuses to render the page when an XSS attack is detected.
No default.

allow-from-source "<allow-from_str>"

Sets the domain inserted into the header when name is x-frame-options and value is allow-from. No default.

Example

This example creates an HTTP header security policy that inserts three response headers. Because the URL filter is enabled with a plain-string match, the headers are inserted only for responses to the request URL /bWAPP/clickjacking.php.

config waf http-header-security
edit HTTP_header_security1
set request-status enable
set request-type plain
set request-file "/bWAPP/clickjacking.php"
config HTTP-header-security-list
edit 1
set name x-content-type-options
set value nosniff
next
edit 2
set name x-frame-options
set value deny
next
edit 3
set name x-xss-protection
set value block-mode
next
end
next
end
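After applying a policy like the one above, verify from the client side that the headers actually reach the browser with sound values. The following checker is an added example, not FortiWeb code: it parses a raw HTTP response, then flags missing or weak values for the header types this command can insert (nosniff, X-Frame-Options including the obsolete ALLOW-FROM form, X-XSS-Protection without mode=block, and a report-only CSP with no enforcing CSP). The two responses embedded in it are constructed to mimic a reply before and after the example policy applies; the header values in the "after" response assume the policy inserts exactly X-Content-Type-Options: nosniff, X-Frame-Options: DENY and X-XSS-Protection: 1; mode=block.

```python
"""Audit the security headers on an HTTP response.

Added example (not FortiWeb code). Feed parse_response() the raw bytes of a
real reply captured with curl -i or a proxy; the responses below are
constructed sample data.
"""
from __future__ import annotations

# Constructed: reply from the origin with no protective headers at all.
ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache\r\n"
    "\r\n"
    "<html><body>clickjacking demo</body></html>"
)

# Constructed: the same reply after a policy inserting the three headers
# from the example above (assumed output of that policy).
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html><body>clickjacking demo</body></html>"
)


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, headers) from a raw HTTP/1.1 response.

    Header names are lower-cased; duplicate headers are joined with ", ".
    The body is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status, headers


def audit(headers: dict[str, str]) -> list[str]:
    """Return one finding per missing or weak protection; [] means clean."""
    findings: list[str] = []

    xcto = headers.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing: browsers may MIME-sniff responses")
    elif xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is {xcto!r}, expected nosniff")

    # Either X-Frame-Options or a CSP frame-ancestors directive stops framing.
    xfo = headers.get("x-frame-options")
    csp = headers.get("content-security-policy", "").lower()
    if xfo is None and "frame-ancestors" not in csp:
        findings.append("no clickjacking defence: X-Frame-Options and CSP frame-ancestors both absent")
    elif xfo is not None:
        token = (xfo.split() or [""])[0].lower()
        if token == "allow-from":
            findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors")
        elif token not in ("deny", "sameorigin"):
            findings.append(f"X-Frame-Options has unrecognised value {xfo!r}")

    # Sanitizing mode (1 without mode=block) rewrites the page instead of
    # refusing it; block mode is the safer of the two legacy settings.
    xxp = headers.get("x-xss-protection")
    if xxp is not None:
        value = xxp.replace(" ", "").lower()
        if value.startswith("1") and "mode=block" not in value:
            findings.append("X-XSS-Protection is in sanitizing mode (no mode=block); prefer block-mode or a CSP")

    if "content-security-policy-report-only" in headers and "content-security-policy" not in headers:
        findings.append("only a report-only CSP is set: violations are reported, nothing is blocked")

    return findings


if __name__ == "__main__":
    for label, raw in (("before policy", ORIGIN_RESPONSE), ("after policy", PROTECTED_RESPONSE)):
        status, hdrs = parse_response(raw)
        problems = audit(hdrs)
        print(f"{label}: HTTP {status}, {len(problems)} finding(s)")
        for problem in problems:
            print("  -", problem)
```

Run it against a real target by replacing the constructed strings with the output of `curl -si https://host/path`; a response for a URL outside the request-file filter should still show the "before policy" findings, which is a quick way to confirm the filter scope is what you intended.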