CLI Reference

waf client-side-protection-policy

Use this command to configure a Client-Side Protection policy.

Client-Side Protection enables browser-level threat detection by monitoring JavaScript execution and DOM activity in real time. Unlike traditional WAF features that inspect only HTTP traffic, this feature inserts a JavaScript collector or performs passive HTML analysis to detect in-browser threats such as script injection, credential theft, and DOM manipulation.

Client-Side Protection is designed to mitigate risks highlighted in the OWASP Top 10 for client-side security and works in conjunction with static mechanisms like HTTP security headers and Subresource Integrity.

After defining the policy, you must assign it to an inline Web Protection Profile and apply that profile to a Server Policy. To activate enforcement, the Web Protection Profile must also include an HTTP Header Security policy and a Subresource Integrity Check policy.

Before You Begin:
  • A valid license for the Client-Side Protection service is required. Without it, the feature is unavailable in both the CLI and GUI.

  • Ensure that HTTP Header Security and Subresource Integrity Check policies are configured, as they are required for this feature to operate when applied in a Web Protection Profile.

Syntax

config waf client-side-protection-policy
    edit <name>
        set host-status {enable|disable}
        set host <string>
        set js-collector {enable|disable}
        set url-type {plain|regular}
        set url-pattern <string>
        set collect-ip-range <ip_range>
        set passive-assessment {enable|disable}
    next
end

Variable / Description / Default

<name>
  Enter a name for the policy.
  Default: No default

host-status {enable|disable}
  Enable to apply the policy only to requests for a specific host. Useful in multi-tenant or multi-site deployments.
  Default: disable

host <string>
  The hostname to match when host-status is enabled.
  Default: No default

js-collector {enable|disable}
  Enables or disables injection of the JavaScript collector into eligible HTTP responses.

  This option is available only through the CLI; in the GUI, the collector is always enabled and cannot be turned off.

  The JavaScript collector captures detailed browser-side telemetry, including:
    • script execution
    • DOM changes
    • access to cookies or local storage

  If disabled, FortiWeb no longer collects this dynamic behavioral data, and the Client-Side Protection dashboard displays only static attributes, such as known file hashes, sizes, or CVE references. This option is intended for specialized environments where injecting script into responses must be avoided. Use it with caution: disabling the collector significantly reduces visibility and enforcement capability.
  Default: enable

url-type {plain|regular}
  Specify the URL matching method:
    • plain: a literal string that must match the request path exactly.
    • regular: a regular expression matched against the request path.
  Default: plain

url-pattern <string>
  Enter the URL path (url-type plain) or the regular expression (url-type regular) that identifies the pages to monitor.
  Default: No default

collect-ip-range <ip_range>
  Define the set of client IP addresses from which JavaScript activity is collected. In Monitor mode, only clients in this range trigger data collection and enforcement logic.
  Default: No default

passive-assessment {enable|disable}
  Enable passive HTML analysis of script and resource elements (for example <script>, <iframe>, and <form>) to identify unauthorized or modified third-party content without relying on JavaScript injection.
  Default: disable

Example

config waf client-side-protection-policy
    edit csp_policy_1
        set host-status enable
        set host www.example.com
        set js-collector enable
        set url-type plain
        set url-pattern /secure/
        set collect-ip-range 192.168.1.0/24
        set passive-assessment disable
    next
end
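A second configuration, added here as an illustration and not taken from the product documentation: this policy suits an environment where injecting script into responses is not acceptable, so the JavaScript collector is turned off and passive HTML assessment is enabled instead, at the cost of the dynamic telemetry described above. Because url-type plain is an exact match, the example uses url-type regular so that every path under /account/ is covered rather than only the single literal path. The policy name, the path, and the decision to leave host-status disabled (so the policy applies to every host) are assumed values.

```text
config waf client-side-protection-policy
    edit csp_passive_only
        set host-status disable
        set js-collector disable
        set url-type regular
        set url-pattern ^/account/.*
        set passive-assessment enable
    next
end
```

As with the first example, the policy has no effect until it is referenced from an inline Web Protection Profile that also carries an HTTP Header Security policy and a Subresource Integrity Check policy, and that profile is applied to a Server Policy.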
