Fortinet Document Library


CLI Reference

config security waf http-header-security

HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing vulnerabilities. These response headers communicate security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling the content.

When the HTTP Security Headers feature is enabled, headers with the specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple way to address these vulnerabilities on a user's website without code or configuration changes on the web servers themselves.

Syntax

config security waf http-header-security
    edit <hhs-profile-name>
        set request-status [ enable | disable ]
        set request-url [ URL-string ]
        set mode [ add-always | add-replace | add-if-absent ]
        configure http-header-security-list
            edit <name>
                set name [ content-security-policy | x-content-type-options | x-frame-options | x-xssprotection | http-strict-transport-security ]
                set value [ nosniff | deny | sameorigin | sanitizing-mode | block-mode ]
                set policy <string>
                set report-only [ enable | disable ]
                set max-age <seconds>
                set include-subdomain [ enable | disable ]
                set preload [ enable | disable ]
            next
        end
    end

config security waf profile
    edit <waf-profile-name>
        set http-header-profile <hhp-profile-name>
    end

CLI Parameter / Description

request-status
    Enable/disable request URL matching.
    enable: Responses are processed with the security headers only if the URL of the request matches the specified request URL.
    disable: All responses are processed with the selected security header(s).

request-url
    Specify the URL used to match requests, so that the security headers are applied only to the responses of matching requests.

mode
    Specify the header operation mode for responses from the back-end server(s).
    add-always: Always add the specified header(s).
    add-replace: Add the specified header(s) if they do not exist; replace the value of header(s) that already exist.
    add-if-absent: Only add the specified header(s) if they do not exist; do nothing if the same header(s) already exist.

http-header-security-list

    name
        Set the HTTP security header name.

    value
        The directive for the header selected in name.
        X content type options: nosniff
        X frame options: deny, sameorigin
        X XSS protection: sanitizing-mode, block-mode

    policy
        Only valid if Content-Security-Policy is selected. Enter the header value(s) that set restrictions on resource types and sources. For example: default-src 'self';script-src 'self';object-src 'self'.

    report-only
        Enabling report-only switches to the “Content-Security-Policy-Report-Only” header, which accepts all CSP directives but only monitors violations instead of enforcing the policy. FortiADC checks for the presence of a “report-uri” directive once “report-only” is selected.

    max-age
        The time, in seconds, that the browser should remember that the site is only to be accessed using HTTPS. A max-age value of zero (i.e., “max-age=0”) signals the UA to cease regarding the host as a Known HSTS Host, including the includeSubDomains directive (if asserted for that HSTS Host).

    include-subdomain
        Optional. If enabled, the rule also applies to all of the site's subdomains.

    preload
        Google maintains an HSTS preload service: https://hstspreload.org/. By following its guidelines and successfully submitting your domain, browsers will never connect to your domain over an insecure connection. While the service is hosted by Google, all major browsers have stated an intent to use (or have already started using) the preload list. Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also maintain HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.) However, preloading is not part of the HSTS specification and should not be treated as official.
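To make the three mode values concrete, the following added example (not FortiADC code; the dict keys mirroring the CLI parameters and the header spellings are assumptions) builds each header from a list entry and merges it into a backend response the way add-always, add-replace and add-if-absent are described above.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]

def build_header(entry: Dict) -> Header:
    """Turn one http-header-security-list entry (assumed dict keys mirror the CLI) into a header."""
    name = entry["name"]
    if name == "content-security-policy":
        policy = entry["policy"]
        if entry.get("report-only"):
            if "report-uri" not in policy:        # monitoring without a sink reports nothing
                raise ValueError("report-only CSP needs a report-uri directive")
            return ("Content-Security-Policy-Report-Only", policy)
        return ("Content-Security-Policy", policy)
    if name == "x-content-type-options":
        return ("X-Content-Type-Options", "nosniff")
    if name == "x-frame-options":
        return ("X-Frame-Options", {"deny": "DENY", "sameorigin": "SAMEORIGIN"}[entry["value"]])
    if name == "x-xss-protection":
        return ("X-XSS-Protection", "1; mode=block" if entry["value"] == "block-mode" else "1")
    if name == "http-strict-transport-security":
        parts = [f"max-age={int(entry['max-age'])}"]
        if entry.get("include-subdomain"):
            parts.append("includeSubDomains")
        if entry.get("preload"):
            parts.append("preload")
        return ("Strict-Transport-Security", "; ".join(parts))
    raise ValueError(f"unsupported header name: {name}")

def apply_profile(backend: List[Header], entries: List[Dict], mode: str) -> List[Header]:
    """Merge the profile's headers into the backend response headers using the CLI's mode."""
    out = list(backend)
    for entry in entries:
        hname, hvalue = build_header(entry)
        present = [i for i, (n, _) in enumerate(out) if n.lower() == hname.lower()]
        if mode == "add-always":
            out.append((hname, hvalue))             # appended even if the backend sent one
        elif mode == "add-replace":
            if present:
                out[present[0]] = (hname, hvalue)   # first occurrence takes the new value
                out = [hv for i, hv in enumerate(out) if i not in present[1:]]
            else:
                out.append((hname, hvalue))
        elif mode == "add-if-absent":
            if not present:
                out.append((hname, hvalue))         # the backend's header wins when it exists
        else:
            raise ValueError(f"unknown mode: {mode}")
    return out
```

Note that add-always can leave a header duplicated when the backend already sends it, which is why add-replace is usually the safer choice for headers like X-Frame-Options.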

Security Header / Description

content security policy

A content security policy (CSP) is an additional layer of security delivered via an HTTP header. This policy helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks by defining the content sources that are approved, so that the browser loads only those. Without a CSP, the browser simply loads all files referenced by a page without considering the source, which could be harmful. This puts both the site and its visitors at risk of malicious activity.

There are multiple directives available to website owners who want to implement a content security policy, and a server may define several directives within a single CSP header.

For a detailed list of examples and references, visit content-security-policy.com. Additionally, you can use the tool at cspisawesome.com to easily create a CSP specific to your needs.

FortiADC also provides a “report-only” flag to switch to the “Content-Security-Policy-Report-Only” header, which accepts all CSP directives; the difference is that the “report-only” header only monitors violations rather than enforcing the policy. FortiADC checks for the presence of a “report-uri” directive once “report-only” is selected.

X content type options

The X-Content-Type-Options response header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers must be followed and not changed by the browser. This helps reduce the danger of drive-by downloads and ensures the content is handled the proper way.

There is only one directive that can be used, which is nosniff. The header looks like:

x-content-type-options: nosniff

X frame options

The x-frame-options header provides clickjacking protection by controlling whether your pages may be loaded inside iframes on other sites. It is supported by IE 8+, Chrome 4.1+, Firefox 3.6.9+, Opera 10.5+, Safari 4+.

There are three directives available for this header: deny, sameorigin and allow-from. However, “allow-from” is obsolete and no longer works in modern browsers, so FortiADC does not support it.

On FortiADC, there are two directive options: deny and sameorigin.

Once “deny” selected, the header looks like:

x-frame-options: DENY

Once “sameorigin” selected, the header looks like:

x-frame-options: SAMEORIGIN

X XSS protection

The x-xss-protection header is designed to enable the cross-site scripting (XSS) filter built into modern web browsers. The filter is usually enabled by default, but sending the header enforces it.

Although these protections are largely unnecessary in modern browsers when a site implements a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protection for users of older web browsers that do not yet support CSP.

On FortiADC, this function has two modes to choose from: sanitizing-mode and block-mode. When sanitizing-mode is selected (usually the browser default), the header looks like:

x-xss-protection: 1

When block-mode is selected, the header looks like:

x-xss-protection: 1; mode=block

HTTP strict transport security

The HTTP strict-transport-security (HSTS) header is a security enhancement that restricts web browsers to accessing the web server solely over HTTPS. This ensures the connection cannot be established over insecure HTTP, which helps protect websites against protocol downgrade attacks and cookie hijacking.

There are three directives for this header:

  • max-age=<expire-time>
  • includeSubDomains
  • preload

An example looks like:

strict-transport-security: max-age=31536000; includeSubDomains; preload
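As an added example (not part of the original page or of FortiADC), the script below audits a captured HTTP response for the five headers this profile can insert, applying the directive rules stated above; the one-year minimum max-age is an assumed threshold, and the sample responses are constructed.

```python
from typing import Dict, List

def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Return {lower-case name: [values...]} for the header block of a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip().strip('"')
    return out

def audit(raw: bytes, min_max_age: int = 31536000) -> List[str]:
    """List the gaps a security-header profile should close for this response."""
    h = parse_headers(raw)
    findings: List[str] = []
    if "content-security-policy" not in h:
        ro = " (only a report-only policy is present)" if "content-security-policy-report-only" in h else ""
        findings.append("no enforcing Content-Security-Policy" + ro)
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    xfo = h.get("x-frame-options", [""])[0].upper()
    if xfo not in ("DENY", "SAMEORIGIN"):          # allow-from is obsolete and unsupported
        findings.append(f"X-Frame-Options missing or unsupported value: {xfo!r}")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (matters for legacy browsers only)")
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts[0])
        age = d.get("max-age", "")
        if not age.isdigit():
            findings.append("HSTS max-age missing or non-numeric")
        elif int(age) == 0:
            findings.append("HSTS max-age=0 tells browsers to forget this host as an HSTS host")
        elif int(age) < min_max_age:
            findings.append(f"HSTS max-age {age} is below the assumed minimum {min_max_age}")
        if "preload" in d and "includesubdomains" not in d:
            findings.append("preload requested without includeSubDomains")
    for name, values in h.items():                   # duplicates hint at add-always on an existing header
        if len(values) > 1 and name.startswith(("x-", "strict-", "content-security")):
            findings.append(f"{name} sent {len(values)} times")
    return findings
```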
