bkashava
Staff
March 17, 2026

Technical Tip: Backend response changes depending on presence of 'X-Requested-With' header when traffic passes through FortiWeb

Description

This article describes a scenario where a web application returns different response content types when accessed through FortiWeb. The backend application may return application/json when the request contains the header X-Requested-With: XMLHttpRequest, but return text/html when the header is absent. This behavior can cause application functions, such as buttons or dynamic content loading, to fail because the frontend expects a JSON response.

Scope

FortiWeb.

Solution

In some web applications, backend logic determines whether a request is an AJAX request by checking for the HTTP header: X-Requested-With: XMLHttpRequest.

If the header is present, the backend returns a JSON response. If the header is not present, the backend returns a full HTML page instead. When accessing the application through FortiWeb, the browser request may not include this header. As a result, the backend application returns HTML rather than JSON, which may cause parts of the frontend application to stop functioning. The following validation tests demonstrate this behavior.

  • Test without the header:

    [Screenshot: 1.png]

  • Test with the header:

    [Screenshot: 2.png]

These tests confirm that the backend application changes the response type depending on whether the X-Requested-With header is present. FortiWeb forwards the request as received from the client and does not modify the Content-Type header in this scenario. Possible causes include the following:

  1. The frontend application does not include the X-Requested-With header when requests are generated through the public domain.

  2. The backend application relies on the X-Requested-With header to determine whether the request expects a JSON response.

  3. Browser request context changes, such as protocol or domain differences, alter how the frontend application generates requests.

FortiWeb workaround

FortiWeb can insert the header before forwarding the request to the backend using a URL rewrite rule. Example configuration:

config waf url-rewrite url-rewrite-rule
    edit "inject_ajax_header"
        set action HTTP-header-rewrite
        config header-insert
            edit 1
                set header-name "X-Requested-With"
                set header-value "XMLHttpRequest"
            next
        end
        set request-replace-existing-headers enable
        config match-condition
            edit 1
                set object HTTP-url
                set reg-exp "^/fr/boutique"
            next
        end
    next
end

The rule can then be added to a URL rewrite policy applied to the relevant web protection profile. This configuration inserts the X-Requested-With: XMLHttpRequest header for matching requests, allowing the backend application to return the expected JSON response. As a best practice, the header rewrite should be scoped only to the relevant API paths to avoid affecting other application requests.
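The following is an added example, not code from the article or from FortiWeb: a local stand-in backend that keys its Content-Type on X-Requested-With, together with the two validation requests described above (one without the header, one with the header injected, as the URL rewrite rule would do). The loopback address, port, path and response bodies are constructed for the demo.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, ProxyHandler, build_opener

# Constructed stand-in for the backend behaviour the article describes:
# JSON when the request carries X-Requested-With: XMLHttpRequest, HTML otherwise.
class AjaxSensitiveBackend(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.headers.get("X-Requested-With") == "XMLHttpRequest":
            body = json.dumps({"items": ["a", "b"]}).encode()
            ctype = "application/json"
        else:
            body = b"<html><body>full page</body></html>"
            ctype = "text/html"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_backend():
    # Port 0 lets the OS pick a free port; the server runs in a daemon thread.
    server = HTTPServer(("127.0.0.1", 0), AjaxSensitiveBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def content_type(url, inject_header):
    # One validation request; inject_header mimics FortiWeb's header-insert rule.
    req = Request(url)
    if inject_header:
        req.add_header("X-Requested-With", "XMLHttpRequest")
    opener = build_opener(ProxyHandler({}))  # ignore any proxy environment
    with opener.open(req) as resp:
        return resp.headers.get("Content-Type")

def run_validation():
    # Returns the Content-Type observed for both tests; the path is constructed.
    server = start_backend()
    url = f"http://127.0.0.1:{server.server_port}/fr/boutique"
    results = {"without_header": content_type(url, False),
               "with_header": content_type(url, True)}
    server.shutdown()
    server.server_close()
    return results

if __name__ == "__main__":
    for name, ctype in run_validation().items():
        print(f"{name}: {ctype}")
```

Against a real deployment the same two requests can be sent through FortiWeb with and without the header to confirm which side of the proxy drops it.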

Related document:
waf url-rewrite url-rewrite-rule