
User Guide

Request Limits

Request limits enforce limitations at the HTTP protocol level to make sure all client requests adhere to the HTTP RFC standard and security best practice. With this feature, you can prevent exploits such as malicious encoding and buffer overflows that can lead to Denial of Service (DoS) and server takeover.

Specifying allowed HTTP methods

You can configure FortiAppSec Cloud to allow only specific HTTP request methods.

Mark the check boxes for all HTTP request methods that you want to allow. Methods that you do not select will be denied.

Configuring HTTP protocol constraints

Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.

Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.

To configure an HTTP protocol constraint profile

  1. Go to ACCESS RULES > Request Limits.
    You must have already enabled this module in Add Modules. See Add and Remove Modules.
  2. Configure these settings.
    HTTP Header
    Header Length

    Specifies the maximum acceptable size in bytes of all HTTP header lines.

    Attack log messages contain Total Size of All Headers Too Large when this feature detects a header size buffer overflow attempt.

    Header Name Length

    Specifies the maximum acceptable size in bytes of a single HTTP header name (for example, Host:, Content-Type:, User-Agent:).

    Header Value Length

    Specifies the maximum acceptable size in bytes of a single HTTP header value.
    Number of Cookies in Request

    Specifies the maximum acceptable number of cookies in an HTTP request.

    Attack log messages contain Too Many Cookies in Request when this feature detects a cookie count buffer overflow attempt.

    Number of Ranges in Range Header

    Specifies the maximum acceptable number of Range: lines in each HTTP header.

    Attack log messages contain Too Many Range Headers when this feature detects too many Range: header lines.

    Illegal Character in Header Name

    Enable to check whether the HTTP header name contains illegal characters. Illegal characters in HTTP headers include spaces, non-printable ASCII characters, or other special characters.

    Illegal Character in Header Value

    Enable to check whether the HTTP header value contains illegal characters. Illegal characters in HTTP headers include spaces, non-printable ASCII characters, or other special characters.

    Redundant HTTP Headers

    Enable to check whether an HTTP request contains multiple instances of the Content-Length (HTTP/1.x only), Content-Type (HTTP/1.x and HTTP/2) and Host (HTTP/1.x and HTTP/2) header fields. The RFC requires each of these header fields to appear only once in a request. Redundant HTTP headers are a likely sign of an attack.
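The following is an added reference implementation, not Fortinet code, of the HTTP Header constraints listed above applied to raw HTTP/1.1 requests. The limit values, the two sample requests and the use of the RFC 9110 token grammar for header names are assumptions made for the example; the violation strings reuse the attack log messages named on this page.

```python
# Added example (not Fortinet code): a reference checker for the HTTP Header
# constraints described above, run over constructed HTTP/1.1 requests.
import re

# Constructed limits; names mirror the settings, values are illustrative.
LIMITS = {
    "header_length": 8192,          # total size in bytes of all header lines
    "header_name_length": 64,
    "header_value_length": 4096,
    "cookies_in_request": 20,
    "ranges_in_range_header": 1,    # at most one Range: line per request
}

# RFC 9110 "token" characters are the only ones allowed in a field name;
# spaces, control characters and separators are illegal.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Field values may contain visible ASCII, SP and HTAB; NUL, CR, LF and other
# control characters are illegal.
ILLEGAL_VALUE_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")

# Header fields the RFC allows only once per request (Content-Length is HTTP/1.x only)
UNIQUE_HEADERS = ("content-length", "content-type", "host")


def parse_headers(raw: str):
    """Split the header block into its raw lines and (name, value) pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]          # drop the request line
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name, value.strip()))
    return lines, pairs


def check_headers(raw: str, limits=LIMITS):
    """Return the sorted list of violated constraints (empty list = request passes)."""
    lines, pairs = parse_headers(raw)
    violations = []
    # +2 accounts for the CRLF that terminates each header line
    if sum(len(line) + 2 for line in lines) > limits["header_length"]:
        violations.append("Total Size of All Headers Too Large")
    counts, cookies, range_lines = {}, 0, 0
    for name, value in pairs:
        if len(name) > limits["header_name_length"]:
            violations.append("Header Name Length")
        if len(value) > limits["header_value_length"]:
            violations.append("Header Value Length")
        if not TOKEN_RE.match(name):
            violations.append("Illegal Character in Header Name")
        if ILLEGAL_VALUE_RE.search(value):
            violations.append("Illegal Character in Header Value")
        lname = name.lower()
        if lname == "cookie":
            cookies += len([c for c in value.split(";") if c.strip()])
        elif lname == "range":
            range_lines += 1
        counts[lname] = counts.get(lname, 0) + 1
    if cookies > limits["cookies_in_request"]:
        violations.append("Too Many Cookies in Request")
    if range_lines > limits["ranges_in_range_header"]:
        violations.append("Too Many Range Headers")
    if any(counts.get(h, 0) > 1 for h in UNIQUE_HEADERS):
        violations.append("Redundant HTTP Headers")
    return sorted(set(violations))


# Constructed sample requests
GOOD_REQUEST = (
    "GET /index.php?user=test HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: curl/8.0\r\n"
    "Cookie: a=1; b=2\r\n"
    "\r\n"
)
BAD_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Host: other.example\r\n"        # second Host: redundant header
    "X Custom: x\r\n"                # space inside the header name
    "Range: bytes=0-1\r\n"
    "Range: bytes=2-3\r\n"           # second Range: line
    "\r\n"
)

if __name__ == "__main__":
    print("good:", check_headers(GOOD_REQUEST))
    print("bad: ", check_headers(BAD_REQUEST))
```

The checker reports every violated constraint rather than stopping at the first one, which is the behaviour you want when tuning limits against real traffic: a single oversized cookie jar and a duplicated Host: header are different problems with different fixes.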
    HTTP Parameter
    Total URL Parameter Length

    Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a ?, such as: /url?parameter1=value1&parameter2=value2.

    The count does not include:

    • Question mark ( ? ), ampersand ( & ), and equal ( = ) characters.
    • Parameters in the HTTP body, which can occur with HTTP POST requests.

    Attack log messages contain Total URL Parameters Length Exceeded when this feature detects a URL parameter line length buffer overflow attempt.

    Total Body Parameters Length

    Specifies the total maximum acceptable size in bytes of all the parameters in the HTTP body of HTTP POST requests.

    Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included.

    Attack log messages contain Total Body Parameters Length Exceeded when this feature detects a total parameter size buffer overflow attempt.

    Number of URL Parameters

    Specifies the maximum number of parameters in the URL.

    It does not include parameters in the HTTP body, which can occur with HTTP POST requests.

    Attack log messages contain Too Many Parameters in Request when this feature detects a URL parameter count buffer overflow attempt.

    NULL Character in Parameter Name

    Enable to check for null characters in parameter names.

    NULL Character in Parameter Value

    Enable to check for null characters in parameter values.

    Maximum URL Parameter Name Length

    Specifies the maximum acceptable length in bytes of each URL parameter name in a request. Enable to check whether a parameter name exceeds the limitation (the default is 4096). For example, user in the request GET /index.php?user=test&sid=1234 is an illegal parameter name if you set the limitation as 3.

    Maximum URL Parameter Value Length

    Specifies the maximum acceptable length in bytes of each URL parameter value in a request. Enable to check whether a parameter value exceeds the limitation (the default is 4096). For example, 1234 in the request GET /index.php?user=test&sid=1234 is an illegal parameter value if you set the limitation as 3.

    Duplicate Parameter Name

    Enable to check whether a duplicate parameter name is in the header or body parameters. This protocol constraint will be triggered if:

    • There are duplicate parameter names in the header.
    • There are duplicate parameter names in the body.
    • A parameter name in the header is also in the body.

    Illegal Character in Parameter Name

    Enable to check whether a URL parameter name contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.

    Illegal Character in Parameter Value

    Enable to check whether a URL parameter value contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.
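The following is an added example, not Fortinet code, that applies the HTTP Parameter constraints described above to a request target and a form-encoded POST body. The limit values are assumptions; the per-parameter name and value limits are deliberately set to 3 so that the page's own example (GET /index.php?user=test&sid=1234) triggers both checks. Separator characters are excluded from the length counts as the page states, and NUL detection covers both a raw null byte and a percent-encoded %00.

```python
# Added example (not Fortinet code): checks for the HTTP Parameter constraints
# described above, applied to a request target and a form-encoded POST body.
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed limits. The per-parameter limits are deliberately set to 3 to
# reproduce the page's example (GET /index.php?user=test&sid=1234).
LIMITS = {
    "total_url_parameter_length": 2048,
    "total_body_parameters_length": 8192,
    "number_of_url_parameters": 32,
    "max_url_parameter_name_length": 3,
    "max_url_parameter_value_length": 3,
}


def split_params(encoded: str):
    """Split 'a=1&b=2' into (name, value) pairs without decoding, so lengths
    count raw bytes and exclude only the ?, & and = separators."""
    pairs = []
    for chunk in encoded.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((name, value))
    return pairs


def has_nul(s: str) -> bool:
    """True for a raw NUL or a percent-encoded %00."""
    return b"\x00" in unquote_to_bytes(s)


def has_illegal_chars(s: str) -> bool:
    """Non-printable ASCII (1-31, 127) after percent-decoding; NUL is left to has_nul."""
    return any(0 < b < 0x20 or b == 0x7F for b in unquote_to_bytes(s))


def check_parameters(request_target: str, body: str = "", limits=LIMITS):
    """Return the sorted list of violated constraints for URL and body parameters."""
    violations = []
    url_params = split_params(urlsplit(request_target).query)
    body_params = split_params(body)

    if sum(len(n) + len(v) for n, v in url_params) > limits["total_url_parameter_length"]:
        violations.append("Total URL Parameters Length Exceeded")
    if sum(len(n) + len(v) for n, v in body_params) > limits["total_body_parameters_length"]:
        violations.append("Total Body Parameters Length Exceeded")
    if len(url_params) > limits["number_of_url_parameters"]:
        violations.append("Too Many Parameters in Request")

    for name, value in url_params + body_params:
        if has_nul(name):
            violations.append("NULL Character in Parameter Name")
        if has_nul(value):
            violations.append("NULL Character in Parameter Value")
        if has_illegal_chars(name):
            violations.append("Illegal Character in Parameter Name")
        if has_illegal_chars(value):
            violations.append("Illegal Character in Parameter Value")

    for name, value in url_params:
        if len(name) > limits["max_url_parameter_name_length"]:
            violations.append("Maximum URL Parameter Name Length")
        if len(value) > limits["max_url_parameter_value_length"]:
            violations.append("Maximum URL Parameter Value Length")

    # Duplicate names within the URL, within the body, or shared between the two
    url_names = [n for n, _ in url_params]
    body_names = [n for n, _ in body_params]
    if (len(set(url_names)) != len(url_names)
            or len(set(body_names)) != len(body_names)
            or set(url_names) & set(body_names)):
        violations.append("Duplicate Parameter Name")
    return sorted(set(violations))


if __name__ == "__main__":
    print(check_parameters("/index.php?user=test&sid=1234"))
    print(check_parameters("/login?id=1&id=2", body="id=3"))
    print(check_parameters("/search?q=%00"))
```

Note that the length checks run on the encoded form while the character checks run on the decoded bytes; a WAF that decoded before measuring could be made to under-count, and one that never decoded would miss %00.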

    HTTP Request

    Illegal HTTP Request Method

    Enable to check for invalid HTTP request methods according to RFC 2616 (http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html) or RFC 4918 (http://www.webdav.org/specs/rfc4918.html). Any method not defined in these RFCs, including misspellings like GETT as well as other HTTP extension methods (e.g. CalDAV) like MKCALENDAR, is considered invalid.

    Attack log messages contain Illegal HTTP Method when this feature detects an invalid HTTP request method.

    HTTP Request Filename Length

    Specifies the maximum acceptable length in bytes of the HTTP request filename.

    HTTP Request Length

    Specifies the maximum acceptable length in bytes of the entire HTTP request, including both headers and body.

    Attack log messages contain HTTP Request Length Exceeded when this feature detects an excessively large HTTP request.

    Number of Header Lines in Request

    Specifies the maximum acceptable number of lines in the HTTP header.

    Attack log messages contain Too Many Headers when this feature detects a header line count buffer overflow attempt.

    Missing Content Type

    Enable to check whether the Content-Type: header is available.

    Null Character in URL

    Enable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as \0 or %00). This feature checks the part between the host prefix and the parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP/1.1. Attackers might embed NULL characters in a URL to evade detection.
    Illegal Character in URL

    Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0 - 31 and ASCII 127). This feature checks the part between the host prefix and the parameters in the URL (if they exist), for example, the /index.php in GET http://www.server.com/index.php?name=value HTTP/1.1.

    Odd and Even Space Attack

    Enable to allow FortiWeb to detect Odd and Even Space Attacks.

    Malformed URL

    Enable to check whether the URL (or path for HTTP/2) in a request conforms to the specification by beginning with a slash ("/") character, or by having a slash character follow the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash character is missing, the request is typically a malicious attempt to reach other protocols (e.g. SMTP) through the back-end web servers.

    HTTP/2 Max Requests

    Enable to specify the maximum acceptable number of requests in an HTTP/2 connection.

    The default number is 1000, and the valid range is 0-65535.
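The following is an added example, not Fortinet code, implementing the request-line checks from the HTTP Request group above (Illegal HTTP Request Method, Illegal HTTP Version, Null Character in URL, Illegal Character in URL, Malformed URL, HTTP Request Filename Length) together with a Host: value check in the spirit of the Illegal Host Name constraint described later on this page. The method lists are taken from RFC 2616 section 9 and RFC 4918 as the page specifies; the valid version strings are the three the page names; the filename limit and the treatment of percent-encoded bytes in Host: as illegal are assumptions.

```python
# Added example (not Fortinet code): request-line and URL checks matching the
# HTTP Request constraints described above, plus a Host: header check.
import re
from urllib.parse import unquote_to_bytes

# Methods from RFC 2616 section 9 and the WebDAV methods from RFC 4918; anything
# else (misspellings such as GETT, extensions such as MKCALENDAR) is illegal.
RFC2616_METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}
RFC4918_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
VALID_METHODS = RFC2616_METHODS | RFC4918_METHODS
# The page lists these as the only valid version strings
VALID_VERSIONS = {"HTTP/0.9", "HTTP/1.0", "HTTP/1.1"}
# Absolute-form target: scheme and host prefix, then the rest of the URL
ABSOLUTE_RE = re.compile(r"^https?://[^/?#]*(?P<rest>.*)$", re.IGNORECASE)


def path_part(target: str) -> str:
    """The part between the host prefix (if any) and the query string."""
    m = ABSOLUTE_RE.match(target)
    rest = m.group("rest") if m else target
    return rest.split("?", 1)[0]


def check_request_line(line: str, max_filename_length: int = 255):
    """Return the sorted list of violated constraints for one request line."""
    parts = line.split(" ")
    if len(parts) != 3:
        return ["Malformed Request"]
    method, target, version = parts
    violations = []
    if method not in VALID_METHODS:
        violations.append("Illegal HTTP Method")
    if version not in VALID_VERSIONS:
        violations.append("Illegal HTTP Version")
    path = path_part(target)
    # A well-formed URL starts with '/', either directly or right after the host prefix
    if not path.startswith("/"):
        violations.append("Malformed URL")
    decoded = unquote_to_bytes(path)          # catches both \0 and %00
    if b"\x00" in decoded:
        violations.append("Null Character in URL")
    if any(0 < b < 0x20 or b == 0x7F for b in decoded):
        violations.append("Illegal Character in URL")
    if len(path.rsplit("/", 1)[-1]) > max_filename_length:
        violations.append("HTTP Request Filename Length")
    return sorted(set(violations))


def host_name_is_legal(host: str) -> bool:
    """Reject control characters, NUL and percent-encoded bytes in the Host: value
    (assumed interpretation of the Illegal Host Name constraint)."""
    return "%" not in host and not any(ord(c) < 0x20 or ord(c) == 0x7F for c in host)


if __name__ == "__main__":
    for sample in ("GET /index.php?name=value HTTP/1.1",
                   "GETT /index.php HTTP/1.1",
                   "GET index.php HTTP/1.1",
                   "GET /index.php%00.jpg HTTP/1.1"):
        print(sample, "->", check_request_line(sample))
```

The null-byte check decodes the path before looking for the byte, which is what makes %00 and a literal \0 equivalent; the Malformed URL check only looks at where the path begins, matching the page's description of a missing slash after the host prefix.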

    HTTP/2

    Header Compression Table Size

    Specifies the maximum acceptable size in bytes of the header compression table used to decode header blocks. Enable to check whether the value of SETTINGS_HEADER_TABLE_SIZE in an HTTP/2 SETTINGS frame exceeds the limit, and react accordingly.

    This field applies to HTTP/2 only.

    Number of Concurrent Streams

    Specifies the maximum acceptable number of concurrent streams that the sender will allow the receiver to create. Enable to check whether the value of SETTINGS_MAX_CONCURRENT_STREAMS in an HTTP/2 SETTINGS frame exceeds the limit, and react accordingly.

    Initial Window Size

    Specifies the maximum acceptable sender's initial window size in bytes for stream-level flow control. Enable to check whether the value of SETTINGS_INITIAL_WINDOW_SIZE in an HTTP/2 SETTINGS frame exceeds the limit, and react accordingly.

    Frame Size

    Specifies the maximum acceptable size in bytes of the frame payload that the sender is willing to receive. Enable to check whether the value of SETTINGS_MAX_FRAME_SIZE in an HTTP/2 SETTINGS frame exceeds the limit, and react accordingly.

    Header List Size

    Specifies the maximum acceptable size in bytes of the header list that the sender is prepared to accept. Enable to check whether the value of SETTINGS_MAX_HEADER_LIST_SIZE in an HTTP/2 SETTINGS frame exceeds the limit, and react accordingly.

    HTTP/2 RST Stream

    Enable to specify the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

    Number of HTTP/2 RST Stream

    When HTTP/2 RST Stream is enabled, enter the maximum acceptable number of HTTP/2 RST Streams in an HTTP/2 connection.

    HTTP/2 RST Stream Frequency

    Enable to specify the maximum occurrences of the HTTP/2 RST Stream per second.

    The default number is 5, and the valid range is 1-65535.

    Number of HTTP/2 RST Stream Frequency

    When HTTP/2 RST Stream Frequency is enabled, enter the maximum occurrences of the HTTP/2 RST Stream per second.
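The following is an added example, not Fortinet code, showing what the HTTP/2 constraints above operate on: it parses a raw HTTP/2 SETTINGS frame, maps each setting identifier to the SETTINGS_* name the page uses, compares the advertised value with a limit, and keeps a one-second sliding window of RST_STREAM arrivals for the HTTP/2 RST Stream Frequency check. The frame layout and setting identifiers are those of RFC 9113 (sections 4.1 and 6.5.2); the limit values and the sample frame are constructed for the example, and the frequency limit of 5 per second is the default the page states.

```python
# Added example (not Fortinet code): parse an HTTP/2 SETTINGS frame, compare
# each parameter with a limit, and rate-limit RST_STREAM frames per second.
import struct
from collections import deque

FRAME_TYPE_SETTINGS = 0x4
# Setting identifiers from RFC 9113 section 6.5.2
SETTINGS_NAMES = {
    0x1: "SETTINGS_HEADER_TABLE_SIZE",
    0x2: "SETTINGS_ENABLE_PUSH",
    0x3: "SETTINGS_MAX_CONCURRENT_STREAMS",
    0x4: "SETTINGS_INITIAL_WINDOW_SIZE",
    0x5: "SETTINGS_MAX_FRAME_SIZE",
    0x6: "SETTINGS_MAX_HEADER_LIST_SIZE",
}
# Constructed limits, keyed by setting name
LIMITS = {
    "SETTINGS_HEADER_TABLE_SIZE": 4096,
    "SETTINGS_MAX_CONCURRENT_STREAMS": 100,
    "SETTINGS_INITIAL_WINDOW_SIZE": 1 << 20,
    "SETTINGS_MAX_FRAME_SIZE": 1 << 20,
    "SETTINGS_MAX_HEADER_LIST_SIZE": 65536,
}


def parse_frame(data: bytes):
    """Split one HTTP/2 frame: 9-byte header (24-bit length, 8-bit type,
    8-bit flags, 31-bit stream id) followed by the payload."""
    if len(data) < 9:
        raise ValueError("truncated frame header")
    length = int.from_bytes(data[0:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF
    payload = data[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated frame payload")
    return ftype, flags, stream_id, payload


def check_settings_frame(data: bytes, limits=LIMITS):
    """Return (settings dict, list of setting names whose value exceeds its limit)."""
    ftype, _flags, stream_id, payload = parse_frame(data)
    # SETTINGS frames are always on stream 0 and carry 6-byte (id, value) entries
    if ftype != FRAME_TYPE_SETTINGS or stream_id != 0 or len(payload) % 6:
        raise ValueError("not a well-formed SETTINGS frame")
    settings, violations = {}, []
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack(">HI", payload[off:off + 6])
        name = SETTINGS_NAMES.get(ident, f"UNKNOWN_{ident:#x}")
        settings[name] = value
        if name in limits and value > limits[name]:
            violations.append(name)
    return settings, violations


def build_settings_frame(pairs):
    """Construct a SETTINGS frame from (identifier, value) pairs (sample input)."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in pairs)
    header = len(payload).to_bytes(3, "big") + bytes([FRAME_TYPE_SETTINGS, 0]) + struct.pack(">I", 0)
    return header + payload


class RstStreamRateLimiter:
    """Sliding one-second window over RST_STREAM arrivals; timestamps are
    supplied by the caller so the logic is deterministic."""

    def __init__(self, max_per_second: int = 5):   # 5/s is the page's default
        self.max_per_second = max_per_second
        self.window = deque()

    def record(self, ts: float) -> bool:
        """Record one RST_STREAM at time ts; True when the per-second limit is exceeded."""
        self.window.append(ts)
        while self.window and ts - self.window[0] >= 1.0:
            self.window.popleft()
        return len(self.window) > self.max_per_second


if __name__ == "__main__":
    frame = build_settings_frame([(0x3, 1000), (0x5, 16384)])
    print(check_settings_frame(frame))
```

Checking the SETTINGS values a client advertises is cheap because they arrive in the connection preface, before any request stream exists; the RST_STREAM window is the per-connection state you would keep for the whole connection lifetime.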

    Content Length

    Content Length

    Specifies the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the Content-Length: field in the HTTP header.

    Attack log messages contain Content Length Exceeded when this feature detects a content length buffer overflow attempt.

    Illegal Content Length

    Enable to omit the constraint on whether the Content-Length: header includes numeric characters only.

    Present with Transfer Encoding

    Enable to check whether the Content-Length: and Transfer-Encoding: headers coexist in the same message.

    Inconsistent with Body Length

    Enable to check whether the response carries more body data than its Content-Length: header specifies.

    Others

    Illegal Content Type

    Enable to omit the constraint on whether the Content Type: value uses the format <type>/<subtype>.

    Illegal Response Code

    Enable to check whether the HTTP response code is a 3-digit number.

    Illegal Host Name

    Enable to check for illegal characters in the Host: line of the HTTP header, such as null characters or encoded characters.

    For example, 0x0 or %00* are illegal.

    Attack log messages contain Illegal Host Name when this feature detects an invalid host name.

    Illegal HTTP Version

    Enable to check for invalid HTTP version numbers. Currently, the only valid version strings are HTTP/0.9, HTTP/1.0 or HTTP/1.1.

    Attack log messages contain Illegal HTTP Version when this feature detects an invalid HTTP version number.

    Body Length

    Specifies the maximum acceptable size in bytes of the HTTP body.

    For requests that use the HTTP POST method, this typically includes parameters submitted by HTML form inputs. In the case of file uploads, this can normally be many megabytes. For most simple forms, however, the body should be only a few kilobytes in size at maximum.

    Attack log messages contain Body Length Exceeded when this feature detects a body size buffer overflow attempt.

    Malformed Request

    Enable to inspect the request for:

    • Syntax errors

    • Exceeding the maximum buffer size allowed by FortiWeb’s HTTP parser

    Errors and buffer overflows can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities.

    Attack log messages contain Too Many Parameters or Too Many Flash Parameters or another message that indicates the specific cause when this feature detects a request with parser errors or a FortiWeb buffer overflow attempt.

    Caution: Fortinet strongly recommends enabling this option unless large requests or parameters are required by the web application. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. It also cannot perform rewrites. Unless you configure it to block, FortiWeb allows oversized requests to pass through without scanning or rewriting. This could allow padded attacks to pass through, and rewriting to be skipped.

    If feasible, instead of disabling this option:

    Enlarge the scan buffer for each parameter. For details, see HTTP-cachesize in the FortiWeb CLI Reference (https://docs.fortinet.com/product/fortiweb/). Requests larger than the buffer will be flagged as potentially malformed by FortiWeb’s parser, causing FortiWeb to block normal requests (i.e., false positives). For more buffer specifications, see Buffer hardening.

    Disable this setting only for URLs that require oversized parameters. For details, see Configuring HTTP protocol constraint exceptions.

    RPC Protocol

    Enable to detect traffic that uses the RPC protocol.

    WebSocket Protocol

    Enable to detect traffic that uses the WebSocket TCP-based protocol.

    Because FortiWeb acts as a pure socket proxy for WebSocket traffic, it cannot apply security features to it.

    Illegal Chunk Size

    Enable to check whether the value of the Chunk Size field is a hexadecimal value. A violation is detected if the value is expressed in another numeral system.

    Range Overlapping

    Enable to detect RangeAmp Overlapping Byte Ranges (OBR) attacks. For more information on this attack, refer to https://www.linuxadictos.com/en/rangeamp-a-series-of-cdn-attacks-that-manipulate-the-range-http-header.html

    Multipart/form-data Bad Request

    Enable to detect whether the multipart request chunk contains the strings "Content-Disposition" and "Name". If it does not, the system will consider it a violation.
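The following is an added example, not Fortinet code, covering the message-framing constraints from the Content Length group above (Content Length, Illegal Content Length, Present with Transfer Encoding, Inconsistent with Body Length), the Body Length limit, and the Illegal Chunk Size check. It takes already-split headers as a dictionary of lower-cased names to value lists so the focus stays on the framing rules; the limits and sample bodies are constructed for the example, and the chunk-size grammar (hex digits plus an optional ";" extension) follows RFC 9112.

```python
# Added example (not Fortinet code): message-framing checks matching the
# Content Length, Body Length and Illegal Chunk Size constraints described above.
import re

DIGITS_RE = re.compile(r"[0-9]+")
# RFC 9112 chunk-size: hex digits, optionally followed by ";ext=value" extensions
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]+(;.*)?$")


def check_content_length(headers: dict, body: bytes,
                         content_length_limit: int = 65536,
                         body_length_limit: int = 65536):
    """headers: lower-cased header name -> list of values (constructed input).
    Returns the sorted list of violated constraints."""
    violations = []
    cl_values = headers.get("content-length", [])
    te_values = headers.get("transfer-encoding", [])
    # Both framing mechanisms in one message is the classic request-smuggling setup
    if cl_values and te_values:
        violations.append("Present with Transfer Encoding")
    for raw in cl_values:
        if not DIGITS_RE.fullmatch(raw.strip()):
            violations.append("Illegal Content Length")
            continue
        declared = int(raw)
        if declared > content_length_limit:
            violations.append("Content Length Exceeded")
        if len(body) > declared:
            violations.append("Inconsistent with Body Length")
    if len(body) > body_length_limit:
        violations.append("Body Length Exceeded")
    return sorted(set(violations))


def check_chunked_body(body: bytes):
    """Walk a chunked body chunk by chunk; a size line that is not hexadecimal
    (for example a '0x' prefix or a decimal with a sign) is an Illegal Chunk Size."""
    violations = []
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            violations.append("Malformed Request")
            break
        size_line = body[pos:end]
        if not CHUNK_SIZE_RE.match(size_line):
            violations.append("Illegal Chunk Size")
            break
        size = int(size_line.split(b";", 1)[0], 16)
        pos = end + 2
        if size == 0:                 # last-chunk; trailers (if any) follow
            break
        pos += size + 2               # skip chunk data and its trailing CRLF
    return violations


if __name__ == "__main__":
    print(check_content_length({"content-length": ["5"], "transfer-encoding": ["chunked"]}, b"hello"))
    print(check_chunked_body(b"5\r\nhello\r\n0\r\n\r\n"))
    print(check_chunked_body(b"0x5\r\nhello\r\n0\r\n\r\n"))
```

The Content-Length parser accepts only ASCII digits, so values such as "+5", "5abc" or a Unicode digit are rejected as Illegal Content Length; a front end and a back end that disagree on how to read such a value is exactly the desynchronisation these constraints exist to prevent.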

  3. Select, from the top right corner, the action that FortiAppSec Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in WAF > System Settings > Settings.

    Alert

    Accept the request and generate a log message.

    Alert & Deny

    Block the request (or reset the connection) and generate a log message.

    Deny (no log)

    Block the request (or reset the connection).

    Period Block

    Block the current request. Moreover, all the subsequent requests from the same client in the next 10 minutes will also be blocked.

  4. Click SAVE.
