Fortinet black logo

Administration Guide

HTTP Security Headers

HTTP Security Headers

HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

When FortiWeb's HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on your website without code and configuration changes. The following includes the security headers that FortiWeb can insert into responses:

FortiWeb security headers
X-Frame-Options

This header prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.

The X-Frame-Options header can be implemented with one of the following options:

  • DENY: The browser will not allow any frame to be displayed.
  • SAMEORIGIN: The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • ALLOW-FROM: The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
X-Content-Type-Options

This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

The X-Content-Type-Options header can be implemented with one option:

  • nosniff: The browser will not guess any content type that is not explicitly specified when downloading extensions.
X-XSS-Protection

This header enables a browser's built-in Cross-site scripting (XSS) protection.

The X-XSS-Protection header can be implemented with one of the following options:

  • Sanitizing Mode: The browser will sanitize the malicious scripts when a XSS attack is detected.
  • Block Mode: The browser will block the page when a XSS attack is detected.
Content-Security-Policy

FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.

Feature-Policy

Provide a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

For example, fullscreen 'self' HTTPs://game.com

HTTPs://map.example.com;geolocation *; camera 'none'

Referrer-Policy

Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

To configure an HTTP header security policy
  1. Go to Web Protection > Advanced Protection > HTTP Header Security and select an existing policy or create a new one. If creating a new policy, the maximum length of the name is 63 characters; special characters are prohibited.
  2. If you created a new policy, click OK to save it. If editing an existing policy, select it and click Edit.
  3. Select an existing rule to edit or create a new one in Secure Header Table.
  4. Configure these settings:
  5. URL Filter

    Click to enable or disable URL filter:

    • Enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified Request URL.
    • Disable: All responses will be processed with the selected security header(s).
    Request URL Type

    Select Simple String to match the URL of requests with a literal URL specified in Request URL.

    Select Regular Expression to match the URL of requests with a regular expression specified in Request URL.

    Note: this is available only when URL Filter is enabled.

    Request URL

    Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

    if Simple String is selected in Request URL Type, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    If Regular Expression is selected, enter a regular expression.

    After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

    Note: this is available only when URL Filter is enabled.

    Secure Header Type

    Select the security header to be inserted into the responses.

    • X-Frame-Options
    • X-Content-Type-Options
    • X-XSS-Protection
    • Content-Security-Policy
    • Feature-Policy
    • Referrer-Policy

    For details, see FortiWeb security headers.

    Header Value

    Select the value for the selected security header.

    If X-Frame-Options is selected, the options will be:

    • DENY
    • SAMEORIGIN
    • ALLOW-FROM

    If X-Content-Type-Options is selected, the option will be:

    • nosniff

    If X-XSS-Protection is selected, the options will be:

    • Sanitizing Mode
    • Block Mode

    If Content-Security-Policy is selected, enter the header value(s) that your server will specify to set restrictions on resource types and sources. For example, you could enter default-src 'self';script-src 'self';object-src 'self'.

    For details, see FortiWeb security headers"FortiWeb security headers" FortiWeb security headers.

    Allowed From URL

    It will require you to specify a URI (Uniform Resource Identifier) if header X-Frame-Options and the option ALLOW-FROM are selected.

    For details, see FortiWeb security headers.

  6. Click OK to save the configuration.
  7. To use this HTTP Header Security policy in a protection profile, go to Policy > Web Protection Profile and configure an inline protection profile with the HTTP Header Security policy. For details, see HTTP Header Security.

HTTP Security Headers

HTTP response security headers are a set of standard HTTP response headers proposed to prevent or mitigate known XSS, clickjacking, and MIME sniffing security vulnerabilities. These response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

When FortiWeb's HTTP Security Headers feature is enabled, headers with specified values are inserted into HTTP responses coming from the backend web servers. This is a quick and simple solution to address the security vulnerabilities on your website without code and configuration changes. The following includes the security headers that FortiWeb can insert into responses:

FortiWeb security headers
X-Frame-Options

This header prevents browsers from Clickjacking attacks by providing appropriate restrictions on displaying pages in frames.

The X-Frame-Options header can be implemented with one of the following options:

  • DENY: The browser will not allow any frame to be displayed.
  • SAMEORIGIN: The browser will not allow a frame to be displayed unless the page of the frame originated from the same site.
  • ALLOW-FROM: The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain.
X-Content-Type-Options

This header prevents browsers from MIME content-sniffing attacks by disabling the browser's MIME sniffing function.

The X-Content-Type-Options header can be implemented with one option:

  • nosniff: The browser will not guess any content type that is not explicitly specified when downloading extensions.
X-XSS-Protection

This header enables a browser's built-in Cross-site scripting (XSS) protection.

The X-XSS-Protection header can be implemented with one of the following options:

  • Sanitizing Mode: The browser will sanitize the malicious scripts when a XSS attack is detected.
  • Block Mode: The browser will block the page when a XSS attack is detected.
Content-Security-Policy

FortiWeb adds the Content-Security-Policy HTTP header to a web page, allowing you to specify restrictions on resource types and sources. This prevents certain types of attacks, including XSS and data injection attacks.

Feature-Policy

Provide a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

For example, fullscreen 'self' HTTPs://game.com

HTTPs://map.example.com;geolocation *; camera 'none'

Referrer-Policy

Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

The value of Referrer-Policy can be "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin", "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin", or "unsafe-url".

To configure an HTTP header security policy
  1. Go to Web Protection > Advanced Protection > HTTP Header Security and select an existing policy or create a new one. If creating a new policy, the maximum length of the name is 63 characters; special characters are prohibited.
  2. If you created a new policy, click OK to save it. If editing an existing policy, select it and click Edit.
  3. Select an existing rule to edit or create a new one in Secure Header Table.
  4. Configure these settings:
  5. URL Filter

    Click to enable or disable URL filter:

    • Enable: Responses to the request will be processed with the security headers only if the URL of a request matches the specified Request URL.
    • Disable: All responses will be processed with the selected security header(s).
    Request URL Type

    Select Simple String to match the URL of requests with a literal URL specified in Request URL.

    Select Regular Expression to match the URL of requests with a regular expression specified in Request URL.

    Note: this is available only when URL Filter is enabled.

    Request URL

    Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

    if Simple String is selected in Request URL Type, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    If Regular Expression is selected, enter a regular expression.

    After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Regular expression syntax.

    Note: this is available only when URL Filter is enabled.

    Secure Header Type

    Select the security header to be inserted into the responses.

    • X-Frame-Options
    • X-Content-Type-Options
    • X-XSS-Protection
    • Content-Security-Policy
    • Feature-Policy
    • Referrer-Policy

    For details, see FortiWeb security headers.

    Header Value

    Select the value for the selected security header.

    If X-Frame-Options is selected, the options will be:

    • DENY
    • SAMEORIGIN
    • ALLOW-FROM

    If X-Content-Type-Options is selected, the option will be:

    • nosniff

    If X-XSS-Protection is selected, the options will be:

    • Sanitizing Mode
    • Block Mode

    If Content-Security-Policy is selected, enter the header value(s) that your server will specify to set restrictions on resource types and sources. For example, you could enter default-src 'self';script-src 'self';object-src 'self'.

    For details, see FortiWeb security headers"FortiWeb security headers" FortiWeb security headers.

    Allowed From URL

    It will require you to specify a URI (Uniform Resource Identifier) if header X-Frame-Options and the option ALLOW-FROM are selected.

    For details, see FortiWeb security headers.

  6. Click OK to save the configuration.
  7. To use this HTTP Header Security policy in a protection profile, go to Policy > Web Protection Profile and configure an inline protection profile with the HTTP Header Security policy. For details, see HTTP Header Security.