Fortinet black logo

Administration Guide

Link cloaking

Link cloaking

To prevent web pages in your application from being scanned by web crawlers and scanning software, you can use link cloaking to transform the fixed links to automatically generated links by JavaScript codes. For example, <a href="https://www.google.com" target="blank" class="button"> will be transformed to <a id="fwb_4069875712" target="blank" class="button"> so that the crawlers can't recognize it. When the link is loaded in the client's browser, it will be re-converted to the original link.

Link cloaking supports processing the following link tags: <a>, <form>, <img>, <link>, and <object>.

FortiWeb has a similar feature which processes URL links, that is, URL Encryption. URL Encryption doesn't deal with the link tags, instead, it encrypts the link itself. For example, <a href="HTTPs://example/login"> will be transformed to <a href="EncryptedCode"> by URL Encryption. It can't prevent the links from being scanned by web crawlers because the link tag href is still there.

To configure a link cloaking rule:

  1. Go to Web Protection > Advanced Protection > Link Cloaking.
  2. Select Link Cloaking Rule.
  3. Configure the following settings.
    NameEnter a name for the rule.
    Host StatusEnable to require that the Host: field of the HTTP request matches a protected host name entry in order to match the link cloaking rule.
    HostSelect the protected host names entry (either a web host name or a IP address) that the Host: field of the HTTP request must be in to match the rule.
    Type

    Select whether the URL Pattern field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.

    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    URL Pattern

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

  4. Click OK.
  5. If you want to exclude certain links from Link Cloaking, click Create New to add it in the Exception List. Then type a literal URL or use regular expression to match multiple URLs.

To configure a Link Cloaking policy:

  1. Go to Web Protection > Advanced Protection > Link Cloaking
  2. Select Link Cloaking Policy.
  3. Enter a name for the Link Cloaking policy.
  4. Click OK.
  5. Click Create New to add Link Cloaking rules in the policy.
  6. Select the Link Cloaking rule.
  7. Click OK.

To use this policy, you need to refer it in a web protection profile.

Link cloaking

To prevent web pages in your application from being scanned by web crawlers and scanning software, you can use link cloaking to transform the fixed links to automatically generated links by JavaScript codes. For example, <a href="https://www.google.com" target="blank" class="button"> will be transformed to <a id="fwb_4069875712" target="blank" class="button"> so that the crawlers can't recognize it. When the link is loaded in the client's browser, it will be re-converted to the original link.

Link cloaking supports processing the following link tags: <a>, <form>, <img>, <link>, and <object>.

FortiWeb has a similar feature which processes URL links, that is, URL Encryption. URL Encryption doesn't deal with the link tags, instead, it encrypts the link itself. For example, <a href="HTTPs://example/login"> will be transformed to <a href="EncryptedCode"> by URL Encryption. It can't prevent the links from being scanned by web crawlers because the link tag href is still there.

To configure a link cloaking rule:

  1. Go to Web Protection > Advanced Protection > Link Cloaking.
  2. Select Link Cloaking Rule.
  3. Configure the following settings.
    NameEnter a name for the rule.
    Host StatusEnable to require that the Host: field of the HTTP request matches a protected host name entry in order to match the link cloaking rule.
    HostSelect the protected host names entry (either a web host name or a IP address) that the Host: field of the HTTP request must be in to match the rule.
    Type

    Select whether the URL Pattern field must contain either:

    • Simple String—The field is a string that the request URL must match exactly.

    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    URL Pattern

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

  4. Click OK.
  5. If you want to exclude certain links from Link Cloaking, click Create New to add it in the Exception List. Then type a literal URL or use regular expression to match multiple URLs.

To configure a Link Cloaking policy:

  1. Go to Web Protection > Advanced Protection > Link Cloaking
  2. Select Link Cloaking Policy.
  3. Enter a name for the Link Cloaking policy.
  4. Click OK.
  5. Click Create New to add Link Cloaking rules in the policy.
  6. Select the Link Cloaking rule.
  7. Click OK.

To use this policy, you need to refer it in a web protection profile.