Fortinet black logo

Administration Guide

HTTP Public Key Pinning

HTTP Public Key Pinning

HTTP Pubic Key Pinning (HPKP) is a security feature in which FortiWeb inserts a cryptographic public key in server responses that clients then use to access a server. HPKP prevents attackers from carrying out Man-in-the-Middle (MITM) attacks with forged certificates.

When HPKP is configured, FortiWeb will insert a specified header field into a server's response header that is wrapped in a verified X.509 certificate. The specified header contains a cryptographic public key called a Subject Public Key Information (SPKI) fingerprint that the client will store for a set period of time.

When the client attempts to access the server again, the server will provide a public key that the client recognizes with the public key it received earlier. If the client does not recognize the public key that the server provides in its response, FortiWeb will generate a report and can deny the request.

HPKP is supported when FortiWeb is in Reverse Proxy and True Transparent Proxy mode.

To configure an HPKP profile
  1. Go to System > Certificates > Public Key Pinning.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:
  4. Name

    Enter a name for the HPKP profile. You will use this name to select the profile in other parts of the configuration. The maximum length is 63 characters.

    PIN-SHA256

    Enter a Base64 encoded SPKI fingerprint. Enter at least two pins, and at most five pins. At least one pin servers as a backup and must not refer to an SPKI fingerprint in a current certificate chain.

    Max Age

    Enter an interval (in seconds) in which the client will use the SPKI fingerprint to attempt to access the server. The valid range is 0–31536000; the default value is 1296000. If you enter a value of 0, the cached pinning policy information will be removed.

    Include Subdomains

    Optionally, enable this setting to apply the public key pinning rule to all of the server's subdomains.

    Report URI

    Optionally, enter a URI to which FortiWeb will send pin validation failures.

    Report Only

    Enable so that FortiWeb sends reports to the specified Report URI, if any, and allows the client to connect to the server when there is a pin validation failure.

    Disable so that FortiWeb sends reports to the specified Report URI, if any, and prevents the client from connecting to the server when there is a pin validation failure.

  5. Click OK.
To enable HPKP in Reverse Proxy mode
  1. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  2. Modify an existing server policy or create a new one.
    To modify an existing server policy, select the policy and click Edit.
  3. Note: You will have to select an HTTPS Service if it is not already configured.

    To create a new policy, click Create New.

  4. For HTTPS Service, select either HTTP or HTTPS according to your environment's needs.
  5. Click Show advanced SSL settings.
  6. For Add HPKP Header, select a configured HPKP profile.
  7. When you are finished configuring the policy, click OK.
To enable HPKP in True Transparent Proxy mode
  1. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  2. Modify an existing server pool or create a new one.
    To modify an existing True Transparent Proxy type server pool, select it and click Edit.
    To create a new server pool, click Create New and select True Transparent Proxy for the server pool type. Optionally, leave a description for the server pool in the Comments text box, and click OK when you are finished.
  3. Edit an existing server pool rule or create a new one.
    To edit an existing rule, select it and click Edit.
    Note: You will have to enable SSL if it is not already enabled.
    To create a new rule, click Create New.
  4. Enable SSL.
  5. Click Show advanced SSL settings.
  6. For Add HPKP Header, select a configured HPKP profile.
  7. When you are finished configuring the rule, click OK.

HTTP Public Key Pinning

HTTP Public Key Pinning

HTTP Pubic Key Pinning (HPKP) is a security feature in which FortiWeb inserts a cryptographic public key in server responses that clients then use to access a server. HPKP prevents attackers from carrying out Man-in-the-Middle (MITM) attacks with forged certificates.

When HPKP is configured, FortiWeb will insert a specified header field into a server's response header that is wrapped in a verified X.509 certificate. The specified header contains a cryptographic public key called a Subject Public Key Information (SPKI) fingerprint that the client will store for a set period of time.

When the client attempts to access the server again, the server will provide a public key that the client recognizes with the public key it received earlier. If the client does not recognize the public key that the server provides in its response, FortiWeb will generate a report and can deny the request.

HPKP is supported when FortiWeb is in Reverse Proxy and True Transparent Proxy mode.

To configure an HPKP profile
  1. Go to System > Certificates > Public Key Pinning.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the System Configuration category. For details, see Permissions.
  2. Click Create New.
  3. Configure these settings:
  4. Name

    Enter a name for the HPKP profile. You will use this name to select the profile in other parts of the configuration. The maximum length is 63 characters.

    PIN-SHA256

    Enter a Base64 encoded SPKI fingerprint. Enter at least two pins, and at most five pins. At least one pin servers as a backup and must not refer to an SPKI fingerprint in a current certificate chain.

    Max Age

    Enter an interval (in seconds) in which the client will use the SPKI fingerprint to attempt to access the server. The valid range is 0–31536000; the default value is 1296000. If you enter a value of 0, the cached pinning policy information will be removed.

    Include Subdomains

    Optionally, enable this setting to apply the public key pinning rule to all of the server's subdomains.

    Report URI

    Optionally, enter a URI to which FortiWeb will send pin validation failures.

    Report Only

    Enable so that FortiWeb sends reports to the specified Report URI, if any, and allows the client to connect to the server when there is a pin validation failure.

    Disable so that FortiWeb sends reports to the specified Report URI, if any, and prevents the client from connecting to the server when there is a pin validation failure.

  5. Click OK.
To enable HPKP in Reverse Proxy mode
  1. Go to Policy > Server Policy.
    To access this part of the web UI, your administrator account’s access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  2. Modify an existing server policy or create a new one.
    To modify an existing server policy, select the policy and click Edit.
  3. Note: You will have to select an HTTPS Service if it is not already configured.

    To create a new policy, click Create New.

  4. For HTTPS Service, select either HTTP or HTTPS according to your environment's needs.
  5. Click Show advanced SSL settings.
  6. For Add HPKP Header, select a configured HPKP profile.
  7. When you are finished configuring the policy, click OK.
To enable HPKP in True Transparent Proxy mode
  1. Go to Server Objects > Server > Server Pool.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Server Policy Configuration category. For details, see Permissions.
  2. Modify an existing server pool or create a new one.
    To modify an existing True Transparent Proxy type server pool, select it and click Edit.
    To create a new server pool, click Create New and select True Transparent Proxy for the server pool type. Optionally, leave a description for the server pool in the Comments text box, and click OK when you are finished.
  3. Edit an existing server pool rule or create a new one.
    To edit an existing rule, select it and click Edit.
    Note: You will have to enable SSL if it is not already enabled.
    To create a new rule, click Create New.
  4. Enable SSL.
  5. Click Show advanced SSL settings.
  6. For Add HPKP Header, select a configured HPKP profile.
  7. When you are finished configuring the rule, click OK.