Administration Guide

Sequence of scans

FortiWeb applies protection rules and performs protection profile scans in the order of execution shown in the table below. To understand the scan sequence, read from the top of the table (the first scan/action) toward the bottom (the last scan/action). Disabled scans are skipped.

The actual scan sequence can sometimes differ from the one listed in the scan sequence table. There are various reasons. For example, for scans that involve the whole request or response packet, the position in the sequence may vary depending on when the packet has been fully transferred to FortiWeb. File Security is one of the scans that involve the whole packet. For File Security, FortiWeb scans both Content-Type: and the body of the file. Content-Type: is scanned immediately, but the scan of the file body may be postponed until after subsequent scans, when the whole body of the file has finished uploading to FortiWeb.

Note also that the scan sequence refers to the sequence within the same packet. For example, TCP Connection Number Limit precedes HTTP Request Limit in the scan sequence table. However, if two packets contain HTTP traffic and TCP traffic respectively, and the HTTP packet arrives first, FortiWeb checks the HTTP Connection Number Limit first.

To improve performance, block attackers using the earliest possible technique in the execution sequence and/or the least memory-consuming technique. The blocking style varies by feature and configuration. For example, when detecting syntax-based SQL/XSS injection, instead of blocking the injection by its syntax, you could log it and block it using the block list defined in IP List. For details, see each specific feature.
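The ordering rules in the paragraphs above, together with the allow-list note in the table, as a small Python model (an added example, not FortiWeb code). Scan names are taken from the table; `run_request`, its parameters and the sample client address are assumptions made for illustration.

```python
"""Illustrative model of the scan-ordering rules described on this page.

Not FortiWeb code. Scan names come from the table; everything else
(function, parameters, sample values) is constructed for this example.
"""

# Subset of the request-direction scans, in table order. The flag marks a
# stage that needs the complete request body. Splitting File Security into
# a Content-Type stage and a file-body stage is a modelling choice.
SCAN_ORDER = [
    ("TCP Connection Number Limit", False),
    ("IP List", False),
    ("IP Reputation", False),
    ("Geo IP", False),
    ("HTTP Protocol Constraints", False),
    ("File Security (Content-Type)", False),
    ("File Security (file body)", True),
    ("Parameter Validation", False),
    ("Signatures", False),
    ("SQL/XSS Syntax Based Detection", False),
]

ENABLED = {name for name, _ in SCAN_ORDER} - {"Geo IP"}  # Geo IP disabled
SQLI = "SQL/XSS Syntax Based Detection"
CLIENT = "203.0.113.7"  # constructed address from a documentation range


def run_request(enabled, src_ip, allow_list=(), matches=(), body_ready_after=0):
    """Return (scans executed in order, verdict) for one request.

    matches          -- scans whose rule the request would trigger
    body_ready_after -- number of executed scans after which the upload
                        has finished (0 = body complete from the start)
    """
    executed, deferred = [], []
    for name, needs_body in SCAN_ORDER:
        if name not in enabled:
            continue                    # disabled scans are skipped
        if needs_body and len(executed) < body_ready_after:
            deferred.append(name)       # body still uploading: postpone
            continue
        queue = [name]
        while queue:
            current = queue.pop(0)
            executed.append(current)
            if current in matches:
                return executed, "blocked by " + current
            if current == "IP List" and src_ip in allow_list:
                return executed, "allow listed; remaining scans skipped"
            if deferred and len(executed) >= body_ready_after:
                queue.extend(deferred)  # body complete: run postponed scans
                deferred.clear()
    for current in deferred:            # body finished after the last scan
        executed.append(current)
        if current in matches:
            return executed, "blocked by " + current
    return executed, "passed"


if __name__ == "__main__":
    cases = {
        "blocked by syntax detection": dict(matches={SQLI}),
        "same client on the IP List block list": dict(matches={"IP List", SQLI}),
        "same request from an allow listed IP": dict(allow_list={CLIENT},
                                                     matches={SQLI}),
        "clean upload, body complete after 7 scans": dict(body_ready_after=7),
    }
    for label, kwargs in cases.items():
        order, verdict = run_request(ENABLED, CLIENT, **kwargs)
        print(f"{label}: {len(order)} scans, {verdict}")
        for step in order:
            print("   ", step)
```

The third case is the one to review in any allow list: a request that syntax-based detection would have matched is never inspected, because the allow-list hit ends the sequence at IP List.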

Execution sequence (web protection profile)

Scan/action Involves
Request from client to server
TCP Connection Number Limit (TCP Flood Prevention)
  • Source IP address of the client in the IP layer.
  • Source port of the client in the TCP layer.
Add X-Forwarded-For:
  • X-Forwarded-For:
  • X-Real-IP:
  • X-Forwarded-Proto:
Client Management
  • Source IP address of the client depending on your configuration of X-header rules.
    This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Cookie:
  • Session state
IP List
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Source IP address of the client in the IP layer.

Note: If a source IP is allow listed, subsequent checks will be skipped.

IP Reputation

Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.

Quarantined source IP addresses

Source IP address of the client in the IP layer.

Known Bots
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Source IP address of the client in the IP layer.
Geo IP
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Source IP address of the client in the IP layer.
WebSocket protocol
  • Host:
  • URL in HTTP header
  • Origin:
  • Upgrade:
  • Frame Size/Message Size
  • sec-websocket-extensions
Add HSTS Header

Strict-Transport-Security:

Protected Server Check

Host:

Allow Method
  • Host:
  • URL in HTTP header
  • Request method in HTTP header

Mobile Application Identification

Token header

HTTP Request Limit/sec (HTTP Flood Prevention)
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Cookie:
  • Session state
  • URL in the HTTP header
  • HTTP request body
TCP Connection Number Limit (Malicious IP)
  • Cookie:
  • Session state
  • Source IP address of the client in the IP layer
  • Source port of the client in the TCP layer

HTTP Request Limit/sec (Shared IP) (HTTP Access Limit)

  • ID field of the IP header
  • Source IP address of the client depending on your configuration of X-header rules.
    This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • HTTP request body
HTTP Authentication

Authorization:

Global Object White List
  • Cookie: cookiesession1
  • URL if /favicon.ico, AJAX URL parameters such as __LASTFOCUS, and others as updated by the FortiGuard Security Service.
ADFS Proxy
  • Host:
  • URL in HTTP header
  • Request method in HTTP header
  • Other request headers, especially the X-MS-* headers
  • Parameters in the URL
  • Cookies
URL Access
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Host:
  • URL in HTTP header
  • Source IP of the client in the IP header
Mobile API Protection
  • Host:
  • URL in HTTP header
  • Token header
Padding Oracle Protection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Host:
  • URL in HTTP header
  • Individually encrypted URL, cookie, or parameter
HTTP Protocol Constraints
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Content-Length:
  • Parameter length
  • Body length
  • Header length
  • Header line length
  • Count of Range: header lines
  • Count of cookies

File Parse

  • The body of the file

Note: File parse is a back-end module which serves to parse the uploaded files that will be further scanned by File Security and Web Shell Detection.

File Security
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Content-Type: in PUT and POST requests
  • URL in HTTP header

Web Shell Protection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Content-Type: in PUT and POST requests
Parameter Validation
  • Host:
  • URL in the HTTP header
  • Name, data type, and length

Bot Deception

  • Host:
  • URL in the HTTP header
Machine Learning - Bot Detection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • Host:
  • URL in the HTTP header
  • HTTP version
  • Content-Type:
  • Response status code
  • Request method in HTTP header
  • Referer:
  • User-Agent:
Cross-site request forgery (CSRF) attacks
  • <a href>
  • <form>
Protection for Man-in-the-Browser (MiTB) attacks
  • Host:
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Content-Type:

Biometrics Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL
  • Host:
  • X-Forwarded-For:

XML Protection

  • URL
  • HTTP header
  • Body

JSON Protection

  • URL
  • HTTP header
  • Body
Signatures
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers.
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and request body

SQL/XSS Syntax Based Detection

  • Host:
  • Cookie:
  • URL in HTTP header
  • Parameters in URL and request body
Site Publish
  • Host:
  • Cookie:
  • URL of the request for the web application
Hidden Fields Protection
  • Host:
  • URL in the HTTP header
  • Name, data type, and length of <input type="hidden">
Custom Policy
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL in the HTTP header
  • HTTP header
  • Parameter in the URL, or the HTTP header or body

Threshold Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL
  • Host:
  • X-Forwarded-For:
User Tracking
  • Host:
  • Cookie:
  • Parameters in the URL
  • URL in HTTP header
  • HTTP body
  • Client's certificate

API Gateway

  • Host:
  • URL in HTTP header
  • API Key as HTTP parameter in URL
  • API Key as HTTP header
  • Source IP address of the client depending on your configuration of API user
  • Request methods in HTTP header
  • HTTP Referer depending on your configuration of API user

OpenAPI Validation
  • Host:
  • HTTP headers, especially the content-type: headers
  • URL in HTTP header
  • Request method in HTTP header
  • Parameters in URL
  • Multipart filename
CORS Protection
  • Host:
  • URL in HTTP header
  • Origin:
  • Request methods in HTTP header
  • HTTP headers including Access-Control-Allow-Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Access-Control-Max-Age, Access-Control-Expose-Headers, Access-Control-Allow-Credentials, Access-Control-Allow-Methods, and Access-Control-Allow-Headers.
URL Rewriting (rewriting & redirection)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body
Machine Learning - Anomaly Detection
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL in the HTTP header
  • Request method in HTTP header
  • Parameter in the URL, or the HTTP header or body
  • Content-Type:
File Compress

Accept-Encoding:

Cookie Security Policy
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • Cookie:
Reply from server to client

Web Socket Protocol
  • Upgrade:
Chunk Decoding
  • Transfer-Encoding
  • Raw body
Web Cache
  • Host:
  • HTTP method
  • Return code
  • URL in the HTTP header
  • Content-Type:
  • HTTP headers
  • Size in kilobytes (KB) of each URL to cache

Bot Deception

  • Host:
  • URL in the HTTP header
Protection for Man-in-the-Browser (MiTB) attacks
  • Status code
  • Response body

Biometrics Based Detection

  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • URL
  • Host:
  • X-Forwarded-For:
  • HTTP header
  • Custom signature
  • Body
  • The latest HTTP transaction time
  • The response content type
  • Status code

Acceleration

Content-Type:

Signatures
  • Source IP address of the client depending on your configuration of X-header rules. This could be derived from either the SRC field in the IP header, or the X-Forwarded-For: and X-Real-IP: HTTP headers. For details, see Defining your proxies, clients, & X-headers
  • HTTP headers
  • HTML Body
  • URL in HTTP header
  • Parameters in URL and body
  • XML in the body of HTTP POST requests
  • Cookies
  • Headers
  • JSON Protocol Detection
  • Uploaded filename (MULTIPART_FORM_DATA_FILENAME)
Hidden Fields Protection
  • Host:
  • URL in the HTTP header
  • Name, data type, and length of <input type="hidden">
Custom Policy
  • HTTP response code
  • Content-Type:
User Tracking
  • Status code
  • HTTP headers
  • HTML body
URL Rewriting (rewriting)
  • Host:
  • Referer:
  • Location:
  • URL in HTTP header
  • HTML body

URL Encryption

  • Host:
  • URL in HTTP header
  • Referer:
  • Location:
  • Return code
  • Content-Type:
HTTP Header Security
  • HTTP headers
