Fortinet black logo

Administration Guide

Specifying allowed HTTP methods

Specifying allowed HTTP methods

You can configure policies that allow only specific HTTP request methods. This can be useful for preventing attacks, such as those exploiting the HTTP method TRACE.

Some popular web applications such as Subversion, CalDAV, and WebDAV require custom or less common HTTP methods. While developing web applications, the HTTP method TRACE may be useful, but in production environments, it may disclose sensitive information to attackers. Many web applications only require GET and POST. Disabling all unused methods reduces the potential attack surface area for attackers.

Generally, TRACE should only be used during debugging, and should be disabled otherwise.
To configure an HTTP request method policy
  1. If you want to include method exceptions in a policy, create them first. For details, see Configuring allowed method exceptions.
  2. Go to Web Protection > Access > Allow Method and select the Allow Method Policy tab.
  3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  4. Click Create New.
  5. Configure these settings:
  6. Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Override Header/
    Override Parameter

    When Override Header or Override Parameter settings are enabled, FortiWeb should check methods from these headers or parameters as well as the HTTP method used in the actual request. If any of the methods are not in the allowed method list, FortiWeb should deny the request.

    Allow Request

    Mark the check boxes for all HTTP request methods that you want to allow for this specific policy.

    Methods that you do not select will be denied, unless specifically allowed for a host and/or URL in the selected Allow Method Exceptions.

    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 4918; HTTP://tools.ietf.org/html/rfc4918) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is High.

    Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
    Allow Method Exceptions

    Select an HTTP request method exception definition to apply to the policy. The method exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.

    If you want to view the information associated with the HTTP request method exceptions used by this policy, select the Detail link beside the Allow Method Exceptions list. The Allow Method Exceptions dialog appears. Use the browser Back button to return.

    For details, see Configuring allowed method exceptions.

  7. Click OK.
  8. To apply the allowed method policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
See also

Configuring allowed method exceptions

You can configure exceptions to allowed HTTP method policies.

While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.

To configure an allowed method exception
  1. Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected host names group. For details, see Defining your protected/allowed HTTP “Host:” header names.
  2. Go to Web Protection > Access > Allow Method and select the Allow Method Exceptions tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  5. Click OK.
  6. Click Create New to add an entry to the set.
  7. Configure these settings:
    Host StatusEnable to require that the Host: field of the HTTP request match a protected host names entry in order to match the allowed method exception. Also configure Host.
    Host

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the allowed method exception.

    This option is available only if Host Status is enabled.

    TypeSelect whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.
    URL Pattern

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm, that is an exception to the generally allowed HTTP request methods , or use wildcards, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.cfm.

      For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Allow Method Exception

    Mark the check boxes of all HTTP request methods that you want to allow.

    Methods that you do not select will be denied.

    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 4918; HTTP://tools.ietf.org/html/rfc4918) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY.

  8. Click OK.
  9. Repeat the previous steps for each exception that you want to add to the allowed method exceptions.
  10. To apply the allowed method exception, select it in an allowed method policy. For details, see Specifying allowed HTTP methods.
See also

Specifying allowed HTTP methods

You can configure policies that allow only specific HTTP request methods. This can be useful for preventing attacks, such as those exploiting the HTTP method TRACE.

Some popular web applications such as Subversion, CalDAV, and WebDAV require custom or less common HTTP methods. While developing web applications, the HTTP method TRACE may be useful, but in production environments, it may disclose sensitive information to attackers. Many web applications only require GET and POST. Disabling all unused methods reduces the potential attack surface area for attackers.

Generally, TRACE should only be used during debugging, and should be disabled otherwise.
To configure an HTTP request method policy
  1. If you want to include method exceptions in a policy, create them first. For details, see Configuring allowed method exceptions.
  2. Go to Web Protection > Access > Allow Method and select the Allow Method Policy tab.
  3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

  4. Click Create New.
  5. Configure these settings:
  6. Name Type a unique name that can be referenced in other parts of the configuration. The maximum length is 63 characters.

    Override Header/
    Override Parameter

    When Override Header or Override Parameter settings are enabled, FortiWeb should check methods from these headers or parameters as well as the HTTP method used in the actual request. If any of the methods are not in the allowed method list, FortiWeb should deny the request.

    Allow Request

    Mark the check boxes for all HTTP request methods that you want to allow for this specific policy.

    Methods that you do not select will be denied, unless specifically allowed for a host and/or URL in the selected Allow Method Exceptions.

    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 4918; HTTP://tools.ietf.org/html/rfc4918) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY.

    Severity

    When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

    • Informative
    • Low
    • Medium
    • High

    The default value is High.

    Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. For details, see Viewing log messages.
    Allow Method Exceptions

    Select an HTTP request method exception definition to apply to the policy. The method exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.

    If you want to view the information associated with the HTTP request method exceptions used by this policy, select the Detail link beside the Allow Method Exceptions list. The Allow Method Exceptions dialog appears. Use the browser Back button to return.

    For details, see Configuring allowed method exceptions.

  7. Click OK.
  8. To apply the allowed method policy, select it in an inline or Offline Protection profile. For details, see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation.
See also

Configuring allowed method exceptions

You can configure exceptions to allowed HTTP method policies.

While most URL and host name combinations controlled by a profile may require similar HTTP request methods, you may have some that require different methods. Instead of forming separate policies and profiles for those requests, you can configure allowed method exceptions. The exceptions define specific HTTP request methods that are allowed by specific URLs and hosts.

To configure an allowed method exception
  1. Before you configure an allowed method exception, if you want to apply it only to HTTP requests for a specific real or virtual host, you must first define the web host in a protected host names group. For details, see Defining your protected/allowed HTTP “Host:” header names.
  2. Go to Web Protection > Access > Allow Method and select the Allow Method Exceptions tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. In Name, type a unique name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
  5. Click OK.
  6. Click Create New to add an entry to the set.
  7. Configure these settings:
    Host StatusEnable to require that the Host: field of the HTTP request match a protected host names entry in order to match the allowed method exception. Also configure Host.
    Host

    Select which protected host names entry (either a web host name or IP address) that the Host: field of the HTTP request must be in to match the allowed method exception.

    This option is available only if Host Status is enabled.

    TypeSelect whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression.
    URL Pattern

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm, that is an exception to the generally allowed HTTP request methods , or use wildcards, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php, matching all and only the URLs which are exceptions to the generally allowed HTTP request methods. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as /index.cfm.

      For example, if multiple URLs on a host have identical HTTP request method requirements, you would type a regular expression matching all of and only those URLs.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Allow Method Exception

    Mark the check boxes of all HTTP request methods that you want to allow.

    Methods that you do not select will be denied.

    The OTHERS option includes methods not specifically named in the other options. It often may be required by WebDAV (RFC 4918; HTTP://tools.ietf.org/html/rfc4918) applications such as Microsoft Exchange Server 2003 and Subversion, which may require HTTP methods not commonly used by web browsers, such as PROPFIND and BCOPY.

  8. Click OK.
  9. Repeat the previous steps for each exception that you want to add to the allowed method exceptions.
  10. To apply the allowed method exception, select it in an allowed method policy. For details, see Specifying allowed HTTP methods.
See also