Staff

Technical Tip: Enable and verify the HSTS header response feature in FortiWeb

Forum|Forum|1 year ago
June 4, 2025
0 replies
610 views

Description

This article describes the FortiWeb Add HSTS header feature in the HTTP 500 return code blocking page

Scope

FortiWeb v7.0.1 or above

Solution

In FortiWeb older legacy firmware versions, the HSTS header feature would return the HSTS response header to the users in the normal webpage only but not the FortiWeb attack blocking page. The issue was resolved in v7.0.1, whereby the HSTS header feature shall also add the HSTS response header to the attack blocking page (HTTP return code 500).

To check if the HSTS header is enabled in Server Policy, navigate to the Advanced SSL settings in the Server Policy editor page.

Simulate a web attack request to the Server Policy hostname and check for the response header.

The HSTS header response is only made available for normal website pages and the attack block page (HTTP return code 500); it is not available for the Server Unavailable page (HTTP return code 503).

Related document:

Configuring an HTTP server policy

FortiWEB

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded