Fortinet black logo

User Guide

Request Limits

Copy Link
Copy Doc ID 8d4237ec-c163-11ee-8c42-fa163e15d75b:219840
Download PDF

Request Limits

Request limits enforces limitations at the HTTP protocol level to make sure all client requests adhere to the HTTP RFC standard and security best practice. With this feature, you can prevent exploits such as malicious encoding and buffer overflows that can lead to Denial of Service (DoS) and server takeover.

Specifying allowed HTTP methods

You can configure FortiWeb Cloud to allow only specific HTTP request methods.

Mark the check boxes for all HTTP request methods that you want to allow. Methods that you do not select will be denied.

Configuring HTTP protocol constraints

Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.

Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.

To configure an HTTP protocol constraint profile

  1. Go to ACCESS RULES > Request Limits.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.
    HTTP Header
    Header Length

    Specifies the maximum acceptable size in bytes of all HTTP header lines.

    Attack log messages contain Total Size of All Headers Too Large when this feature detects a header size buffer overflow attempt.

    Header Name LengthSpecifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).
    Header Value LengthSpecifies the maximum acceptable size in bytes of a single HTTP header value.
    Number of Cookies in Request

    Specifies the maximum acceptable number of cookies in an HTTP request.

    Attack log messages contain Too Many Cookies in Request when this feature detects a cookie count buffer overflow attempt.

    Number of Ranges in Range Header

    Specifies the maximum acceptable number of range: lines in each HTTP header.

    Attack log messages contain Too Many Range Headers when this feature detects too many Range: header lines.

    Redundant HTTP HeadersEnable to check whether a HTTP request contains multiple instances of Content-Length (only for HTTP/1.x), Content-Type (for both HTTP/1.x and HTTP/2) and Host (for both HTTP/1.x and HTTP/2) header fields. These header fields are required to appear only once in a request by the RFC. Redundant HTTP headers are most probably involved in possible attacks.
    HTTP Parameter
    Total URL Parameter Length

    Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as: /url?parameter1=value1&parameter2=value2.

    The count does not include:

    • Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
    • Parameters in the HTTP body, which can occur with HTTP POST requests.

    Attack log messages contain Total URL Parameters Length Exceeded when this feature detects a URL parameter line length buffer overflow attempt.

    Number of URL Parameter

    Specifies the maximum number of parameters in the URL.

    It does not include parameters in the HTTP body, which can occur with HTTP POST requests.

    Attack log messages contain Too Many Parameters in Request when this feature detects a URL parameter count buffer overflow attempt.

    Maximum URL Parameter Name Length

    Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limitation (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limitation as 3.

    Maximum URL Parameter Value Length

    Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limitation (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limitation as 3.

    Duplicate Parameter Name

    Enable to check whether a duplicate parameter name is in the header or body parameters. This protocol constraint will be triggered if:

    • There are duplicate parameter names in the header.
    • There are duplicate parameter names in the body.
    • A parameter name in the header is also in the body.
    HTTP Request
    HTTP Request Filename LengthSpecifies the maximum acceptable length in bytes of the HTTP request filename.
    Number of Header Lines in Request

    Specifies the maximum acceptable number of lines in the HTTP header.

    Attack log messages contain Too Many Headers when this feature detects a header line count buffer overflow attempt.

    Null Character in URLEnable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1. Attackers might embed NULL characters in URL to evade detections.
    Illegal Character in URL

    Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0 - 31 and ASCII 127). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1.

    Malformed URL

    Enable to check whether the URL (or path for HTTP/2) in a request conform the spec by beginning with a slash ("/") character or a slash character follows the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash characters are missing, it is typically a malicious access to other protocols (e.g. SMTP) using the back-end web servers.

    HTTP/2 Max Requests

    Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.

    HTTP/2 RST Stream

    Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

    HTTP/2 RST Stream Frequency

    Enable to specify the maximum occurrences of the HTTP/2 RST Stream per second.

  3. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.
    To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

  4. Click SAVE.

Request Limits

Request limits enforces limitations at the HTTP protocol level to make sure all client requests adhere to the HTTP RFC standard and security best practice. With this feature, you can prevent exploits such as malicious encoding and buffer overflows that can lead to Denial of Service (DoS) and server takeover.

Specifying allowed HTTP methods

You can configure FortiWeb Cloud to allow only specific HTTP request methods.

Mark the check boxes for all HTTP request methods that you want to allow. Methods that you do not select will be denied.

Configuring HTTP protocol constraints

Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.

Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.

To configure an HTTP protocol constraint profile

  1. Go to ACCESS RULES > Request Limits.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.
    HTTP Header
    Header Length

    Specifies the maximum acceptable size in bytes of all HTTP header lines.

    Attack log messages contain Total Size of All Headers Too Large when this feature detects a header size buffer overflow attempt.

    Header Name LengthSpecifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).
    Header Value LengthSpecifies the maximum acceptable size in bytes of a single HTTP header value.
    Number of Cookies in Request

    Specifies the maximum acceptable number of cookies in an HTTP request.

    Attack log messages contain Too Many Cookies in Request when this feature detects a cookie count buffer overflow attempt.

    Number of Ranges in Range Header

    Specifies the maximum acceptable number of range: lines in each HTTP header.

    Attack log messages contain Too Many Range Headers when this feature detects too many Range: header lines.

    Redundant HTTP HeadersEnable to check whether a HTTP request contains multiple instances of Content-Length (only for HTTP/1.x), Content-Type (for both HTTP/1.x and HTTP/2) and Host (for both HTTP/1.x and HTTP/2) header fields. These header fields are required to appear only once in a request by the RFC. Redundant HTTP headers are most probably involved in possible attacks.
    HTTP Parameter
    Total URL Parameter Length

    Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as: /url?parameter1=value1&parameter2=value2.

    The count does not include:

    • Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.
    • Parameters in the HTTP body, which can occur with HTTP POST requests.

    Attack log messages contain Total URL Parameters Length Exceeded when this feature detects a URL parameter line length buffer overflow attempt.

    Number of URL Parameter

    Specifies the maximum number of parameters in the URL.

    It does not include parameters in the HTTP body, which can occur with HTTP POST requests.

    Attack log messages contain Too Many Parameters in Request when this feature detects a URL parameter count buffer overflow attempt.

    Maximum URL Parameter Name Length

    Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limitation (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limitation as 3.

    Maximum URL Parameter Value Length

    Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limitation (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limitation as 3.

    Duplicate Parameter Name

    Enable to check whether a duplicate parameter name is in the header or body parameters. This protocol constraint will be triggered if:

    • There are duplicate parameter names in the header.
    • There are duplicate parameter names in the body.
    • A parameter name in the header is also in the body.
    HTTP Request
    HTTP Request Filename LengthSpecifies the maximum acceptable length in bytes of the HTTP request filename.
    Number of Header Lines in Request

    Specifies the maximum acceptable number of lines in the HTTP header.

    Attack log messages contain Too Many Headers when this feature detects a header line count buffer overflow attempt.

    Null Character in URLEnable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1. Attackers might embed NULL characters in URL to evade detections.
    Illegal Character in URL

    Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0 - 31 and ASCII 127). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP 1.1.

    Malformed URL

    Enable to check whether the URL (or path for HTTP/2) in a request conform the spec by beginning with a slash ("/") character or a slash character follows the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash characters are missing, it is typically a malicious access to other protocols (e.g. SMTP) using the back-end web servers.

    HTTP/2 Max Requests

    Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.

    HTTP/2 RST Stream

    Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

    HTTP/2 RST Stream Frequency

    Enable to specify the maximum occurrences of the HTTP/2 RST Stream per second.

  3. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.
    To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

  4. Click SAVE.