Information Leakage
FortiAppSec Cloud can detect server error messages and other sensitive information in HTTP response headers and response bodies, and erase it before the response reaches the client.
How Known Attacks settings affect Information Leakage
The Sensitivity Level configured under Signature Based Detection on the Security Rules > Known Attacks page directly influences how effectively FortiAppSec Cloud mitigates Information Leakage. This is because the Sensitivity Level determines how many signatures are applied when scanning response headers and page content.
Higher sensitivity levels include more signatures that add additional protection but can also introduce false positives that may block legitimate traffic.
Configuring Sensitivity Level too low can leave critical Information Leakage vulnerabilities unblocked. For more information, see Known Attacks.
Configure Information Leakage protection
- Go to Security Rules > Information Leakage.
You must have already enabled this module in Add Modules. See Add and Remove Modules.
- Configure these settings.
Server Information Disclosure
Enable to detect and erase server-specific sensitive information in response headers and the response page, with no alerts generated.
Server-specific sensitive information includes anything that could reveal known or potential vulnerabilities, such as software names and versions, backend technology frameworks and library versions, error messages, internal IP addresses, and authentication details.
Personally Identifiable Information
Enable to detect and prevent the exposure of sensitive personal data, such as names, email addresses, and credit card numbers, in HTTP responses. It helps reduce the risk of data leaks by identifying PII patterns and allowing administrators to log, alert, or block such disclosures based on security policies.
Cloak Error Pages
Enable to replace HTTP 403 (Forbidden), 404 (Not Found), and 5XX (Server Errors) responses with a generic 500 (Internal Server Error) response.
This enhances security by preventing attackers from gathering information about your server through specific error responses that distinguish between missing pages, permission issues, and server failures, making it harder to map vulnerabilities. Because clients, including your own uptime checks and front-end error handling, will then see 500 for missing pages and denied requests, confirm that they tolerate this before enabling it.
Erase HTTP Headers
Enable to remove specified HTTP headers from server responses.
You can specify multiple headers to remove; each listed header is stripped from every response so the information it carries is never exposed. Typical candidates are fingerprinting headers such as Server and X-Powered-By.
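To verify that these settings are actually erasing what they should, here is an added checker (example code written for this page, not part of FortiAppSec Cloud or its signature set) that audits a captured response for the categories the Server Information Disclosure, Personally Identifiable Information, and Cloak Error Pages settings target: fingerprinting headers, version strings, internal IP addresses, error text, e-mail addresses, Luhn-valid card numbers, and error status codes that were not cloaked to a generic 500. The header names, regular expressions, and sample responses are constructed for the example and are narrower than what the product detects.

```python
"""Audit HTTP responses for the kinds of leakage the Information Leakage module
erases. Illustrative checker only; the patterns are constructed for this
example and are not FortiAppSec Cloud's signature set."""
import re

# Response headers that typically fingerprint the server or framework (assumed list).
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version",
                 "x-aspnetmvc-version", "x-generator"}

VERSION_RE = re.compile(
    r"\b(?:Apache|nginx|PHP|ASP\.NET|IIS|Tomcat|Express|OpenSSL)/\d+(?:\.\d+)*")
INTERNAL_IP_RE = re.compile(              # RFC 1918 ranges
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b")
ERROR_TEXT_RE = re.compile(               # a few common stack-trace / DB error shapes
    r"Traceback \(most recent call last\)|ORA-\d{5}|SQLSTATE\[|"
    r"\bon line \d+|at [\w.$]+\(\w+\.java:\d+\)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_response(status: int, headers: dict, body: str) -> list:
    """Return de-duplicated (category, detail) findings for one response."""
    findings = []
    for name, value in headers.items():
        if name.lower() in LEAKY_HEADERS:
            findings.append(("header", f"{name}: {value}"))
    # Cloak Error Pages turns 403, 404 and 5xx into a generic 500, so anything
    # else in those ranges means cloaking is not in effect for this request.
    if status in (403, 404) or 500 < status <= 599:
        findings.append(("status", f"{status} returned instead of a generic 500"))
    header_text = " ".join(headers.values())
    findings += [("version", m.group()) for m in VERSION_RE.finditer(body)]
    findings += [("internal-ip", m.group())
                 for m in INTERNAL_IP_RE.finditer(body + " " + header_text)]
    findings += [("error-text", m.group()) for m in ERROR_TEXT_RE.finditer(body)]
    findings += [("email", m.group()) for m in EMAIL_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", digits[:6] + "..." + digits[-4:]))
    return list(dict.fromkeys(findings))


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "raw_404": dict(
        status=404,
        headers={"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                 "Content-Type": "text/html"},
        body="<h1>Not Found</h1>The requested URL /admin was not found. "
             "Apache/2.4.41 (Ubuntu) Server at 10.0.3.17 Port 80"),
    "cloaked_404": dict(
        status=500, headers={"Content-Type": "text/html"},
        body="<h1>Internal Server Error</h1>"),
    "pii_200": dict(
        status=200, headers={"Content-Type": "application/json"},
        body='{"user":"alice","email":"alice@example.com","card":"4111 1111 1111 1111"}'),
    "trace_500": dict(
        status=500, headers={"Content-Type": "text/plain"},
        body="Warning: mysqli_connect(): Access denied in /var/www/db.php on line 12"),
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, audit_response(**resp) or "clean")
```

Run it against responses captured before and after enabling the module: the raw 404 produces header, status, version and internal-ip findings, the cloaked one produces none, and the 500 that carries a PHP warning is only caught by the error-text pattern, which is the case a status-code-only check would miss.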
- Click +Create Exception Rule (optional).
You can also configure FortiAppSec Cloud to skip attack signature scans for specific requests by creating exception rules.
- Configure these settings.
Request Host
Specify the host value (domain name) to match, for example www.test.com or api.test.com.
- If String Match is selected, enter the host name directly. Wildcards are supported (for example, *.test.com).
- If Regular Expression Match is selected, you can define a regex pattern to match one or more host names. For details, see Frequently used regular expressions.
Request URL
Specify a URL value to match, for example /testpage.php, which matches requests for http://www.test.com/testpage.php.
- If String Match is selected, ensure the value starts with a forward slash ( / ), for example /testpage.php. You can enter a precise URL, such as /folder1/index.htm, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.
- If Regular Expression Match is selected, the value does not require a leading forward slash ( / ). However, ensure that the pattern can match values that contain a forward slash, because the path it is compared against begins with one: a pattern such as ^testpage\.php$ never matches /testpage.php, whereas /testpage\.php$ does. For details, see Frequently used regular expressions.
Do not include a domain name; the application's own domain name is used by default.
Parameter Name
Specify a parameter name to match. For example, in http://www.test.com/testpage.php?a=1, the parameter name is "a".
Cookie Name
Specify a cookie name to match. Both String Match and Regular Expression Match are supported.
JSON Elements
Specify the name of the JSON element to match. Both String Match and Regular Expression Match are supported.
Attack Category
You can select an attack category between:
- Server Information Disclosure
- Personally Identifiable Information
Signature ID
The ID for the signature applied to the attack.
Signature Information
Signature description and examples are listed here. You can select any signature ID for the attack and view the signature details.

You must enable at least one of the following: Request URL or Parameter Name. The request matching the specified URL and/or parameter in exception rule would not be treated as an attack even if it matches a particular signature.
- Select the action that FortiAppSec Cloud takes when it detects a violation of the rule from the top right corner.
To configure the actions, you must first enable Advanced Configuration in WAF > System Settings > Settings.
Alert
Accept the request and generate a log message. To avoid log flooding, the minimum interval between logs is 1 second.
Erase & Alert
Hide or remove sensitive information in replies from the web server (sometimes called “cloaking”) and generate a log message. To avoid log flooding, the minimum interval between logs is 1 second.
Deny & Erase (no log)
For violations of the Server Information Disclosure, Cloak Error Pages, and the Erase HTTP Headers categories, hide or remove sensitive information in replies from the web server but do not generate log messages.
- Click SAVE.
You can continue creating multiple exception rules for specific attacks.
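The following is an added model of how the exception-rule fields above combine (example code written for this page, not FortiAppSec Cloud's matching engine, whose exact semantics are not published here). It implements Request Host, Request URL and Parameter Name in String Match (wildcard) and Regular Expression Match modes, enforces the rule that at least one of Request URL or Parameter Name must be set and that a String Match URL starts with a slash, and shows why a URL regex anchored without a slash never matches. Assumptions: String Match compares the whole value case-sensitively, the URL matcher sees only the path, and an Attack Category selection restricts which signature hits the rule exempts.

```python
"""Model of an Information Leakage exception rule. Illustrative only; the
matching semantics (whole-value, case-sensitive String Match; path-only URL
matching) are assumptions, not documented product behaviour."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SID_CATEGORY = "Server Information Disclosure"
PII_CATEGORY = "Personally Identifiable Information"


def wildcard_to_regex(pattern: str):
    """'*' matches any run of characters; everything else is literal.
    Anchored at both ends (assumption: String Match compares the whole value)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


@dataclass
class Matcher:
    pattern: str
    mode: str = "string"  # "string" (wildcards allowed) or "regex"

    def matches(self, value: str) -> bool:
        if self.mode == "regex":
            return re.search(self.pattern, value) is not None
        return wildcard_to_regex(self.pattern).match(value) is not None


@dataclass
class ExceptionRule:
    host: Optional[Matcher] = None
    url: Optional[Matcher] = None
    param: Optional[Matcher] = None
    categories: frozenset = frozenset({SID_CATEGORY, PII_CATEGORY})

    def validate(self) -> None:
        """The two constraints the documentation states for the form."""
        if self.url is None and self.param is None:
            raise ValueError("enable at least one of Request URL or Parameter Name")
        if self.url and self.url.mode == "string" and not self.url.pattern.startswith("/"):
            raise ValueError("a String Match Request URL must start with '/'")

    def exempts(self, request_url: str, category: str) -> bool:
        """True if a signature hit of `category` on this request is not treated
        as an attack because every configured field of the rule matches."""
        if category not in self.categories:
            return False
        parts = urlsplit(request_url)
        if self.host and not self.host.matches(parts.hostname or ""):
            return False
        if self.url and not self.url.matches(parts.path):   # path only, never the domain
            return False
        if self.param:
            names = parse_qs(parts.query, keep_blank_values=True)
            if not any(self.param.matches(n) for n in names):
                return False
        return True


if __name__ == "__main__":
    rule = ExceptionRule(host=Matcher("*.test.com"), url=Matcher("/folder1/*/index.htm"))
    rule.validate()
    print(rule.exempts("http://www.test.com/folder1/a/index.htm", SID_CATEGORY))  # True
    # Regex without a slash can never match a path, which always starts with one.
    narrow = ExceptionRule(url=Matcher(r"^testpage\.php$", "regex"))
    print(narrow.exempts("http://www.test.com/testpage.php", PII_CATEGORY))      # False
```

The `narrow` rule passes validation but exempts nothing, which is the failure mode the Request URL description warns about; the fix is a pattern that tolerates the leading slash, such as `/testpage\.php$`.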