waf http-header-security

Use this command to insert special HTTP response headers to protect clients from certain attacks, including XSS, clickjacking, and MIME sniffing attacks. The special HTTP response headers define security policies to client browsers so that the browsers avoid exposure to known vulnerabilities when handling requests.

For more information on HTTP Header Security, see the FortiWeb Administration Guide:

https://docs.fortinet.com/document/fortiweb

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config waf http-header-security

edit "<HTTP-header-security_name>"

config HTTP-header-security-list

set name {x-frame-options | x-content-type-options | x-xss-protection | content-security-policy | feature-policy | permissions-policy | referrer-policy | cross-origin-resource-policy | cross-origin-embedder-policy | cross-origin-opener-policy | clear-site-data | timing-allow-origin | content-security-policy-report-only}

set value {nosniff | allow-from | deny | sameorigin | sanitizing-mode | block-mode}

set waf http-header-security

set allow-from-source "<allow-from_str>"

set request-type {plain | regular}

set request-file "<request-file_str>"

set request-status {enable | disable}

set client-ip-filter-status {enable | disable}

set client-ip < client ip_range>

set header-filter-status {enable | disable}

set header-filter-name <header name>

set header-filter-type {plain | regular}

set header-filter-value <header value>

end

Variable	Description	Default
"<HTTP-header-security_name>"	Enter of name of an HTTP header security policy. The maximum length is 63 characters.	No default.
request-status {enable \| disable}	Enable to set a URL Filter.	`disable`
request-type {plain \| regular}	Defines the Request URL Type as a simple string (plain) or a regular expression (regular) for the URL Filter. Available only if request-status {enable \| disable} is set to `enable`.	No default.
request-file "<request-file_str>"	Sets the Request URL for the URL Filter. Available only if request-status {enable \| disable} is set to `enable`.	No default.
<entry-index_int>	Creates or edits a Secure Header Rule in the selected HTTP Header Security Policy.	No default.
name {x-frame-options \| x-content-type-options \| x-xss-protection \| content-security-policy \| feature-policy \| permissions-policy \| referrer-policy \| cross-origin-resource-policy \| cross-origin-embedder-policy \| cross-origin-opener-policy \| clear-site-data \| timing-allow-origin \| content-security-policy-report-only}	Specifies the HTTP security header type to configure in this Secure Header Rule. The following types are supported: x-frame-options – Prevents Clickjacking by restricting how your site can be embedded in frames. Supports values: `DENY`, `SAMEORIGIN`, and `ALLOW-FROM`. x-content-type-options – Prevents MIME sniffing attacks by disabling the browser's content-type guessing. Use `nosniff`. x-xss-protection – Enables the browser’s built-in XSS filtering. Supports sanitizing or blocking modes. content-security-policy – Adds a Content-Security-Policy header to control the sources of content that can be loaded, helping prevent XSS and injection attacks. feature-policy – Allows or denies the use of browser features (e.g., camera, fullscreen, geolocation) in the page and embedded iframes. permissions-policy – Replaces feature-policy and provides the same control over browser feature access. Recommended for new configurations. referrer-policy – Controls how much referrer information is included in outbound requests. Supports values like `no-referrer`, `origin`, `same-origin`, and others. cross-origin-resource-policy (CORP) – Restricts which origins can load resources, enforcing same-origin or same-site rules. cross-origin-embedder-policy (COEP) – Requires embedded cross-origin resources to send valid CORS or CORP headers. Needed for features like SharedArrayBuffer. cross-origin-opener-policy (COOP) – Isolates browsing context from popups or tabs to prevent cross-origin access and side-channel attacks. clear-site-data – Instructs the browser to clear cookies, local storage, cache, or all data types. Supports values like `"cookies"`, `"storage"`, `"cache"`, `""`. timing-allow-origin* – Specifies which origins can access high-resolution performance timing data. Use a specific trusted origin. content-security-policy-report-only – Adds a Content-Security-Policy header in report-only mode. Use this for testing policy enforcement without blocking violations.	No default.
value {nosniff \| allow-from \| deny \| sameorigin \| sanitizing-mode \| block-mode}	Defines the response according to the defined Secure Header Type. The `x-frame-options` header can be implemented with one of the following options: `deny`—The browser will not allow any frame to be displayed. `sameorigin`—The browser will not allow a frame to be displayed unless the page of the frame originated from the same site. `allow-from`—The browser will not allow a frame to be displayed unless the page of the frame originated from the specified domain. The `x-content-type-options` header can be implemented with one option: `nosniff`—The browser will not guess any content type that is not explicitly specified when downloading extensions. The `x-xss-protection` header can be implemented with one of the following options: `sanitizing-mode`—The browser will sanitize the malicious scripts when a XSS attack is detected. `block-mode`—The browser will block the page when a XSS attack is detected.	No default.
allow-from-source "<allow-from_str>"	Sets the specified domain if the name {x-frame-options \| x-content-type-options \| x-xss-protection \| content-security-policy \| feature-policy \| permissions-policy \| referrer-policy \| cross-origin-resource-policy \| cross-origin-embedder-policy \| cross-origin-opener-policy \| clear-site-data \| timing-allow-origin \| content-security-policy-report-only} is `x-frame-options` and the Header Value is set to `allow-from`.	No default.
client-ip-filter-status {enable \| disable}	Enable this to restrict the security header to specific client IP addresses.	`disable`
client-ip < client ip_range>	If the IP Filter is enabled, specify the single IP or range of addresses that should trigger the header.	No default.
header-filter-status {enable \| disable}	Enable this to trigger the security header based on the presence or value of an incoming request header.	`disable`
header-filter-name <header name>	Enter the name of the incoming HTTP header to check (e.g., `Cookie`).	No default.
header-filter-type {plain \| regular}	Choose between plain for exact matches or Regular for advanced pattern matching.	`plain`
header-filter-value <header value>	Enter the specific value that must be matched in the request header to trigger the security response.	No default.

Example

This example creates a HTTP header security policy.

config waf HTTP-header-security

edit HTTP_header_security1

set request-status enable

set request-type plain

set request-file "/bWAPP/clickjacking.php"

config HTTP-header-security-list

edit 1

set name x-content-type-options

set value nosniff

edit 2

set name x-frame-options

set value deny

edit 3

set name x-xss-protection

set value block-mode

end