anova
Staff
March 23, 2026

Technical Tip: Masking sensitive application information without back-end modification

Description
This article describes how to mask sensitive information that is misconfigured to appear in the HTML body, without modifying the back-end server, using FortiWeb. Examples are: the application used, the application version, an internal file path, etc.
Scope
FortiWeb.
Solution

An application on the back-end server may contain sensitive data (in this case, an application version and file path will be used as an example):

[Image: app version example.png]

In this example, there are two types of elements that contain sensitive data: a text string in the HTML body and the path of a file within the HTML body. Follow these steps to mask both elements on FortiWeb:

  1. For the path of the file: Go to Web Protection -> Advanced Protection -> URL Encryption, select the tab 'URL Encryption Rule' and then 'Create New'.
  2. Configure the rule to match the URL displayed on the HTML body.
  3. Go to the 'URL Encryption Policy' tab and select 'Create New'. Assign the URL Encryption rule that was just created.

[Image: URL encryption rule configuration example.png]

  1. For the text string: Go to Application Delivery -> URL Rewriting, select the 'URL Rewriting Rule' tab and then 'Create New'.
  2. Configure the rule to match the text string displayed on the HTML body.
  3. Go to the 'URL Rewriting Policy' tab and select 'Create New'. Assign the URL Rewriting rule that was created in the previous step.

[Image: URL rewrite rule configuration example.png]

  1. To apply both features: Go to Policy -> Web Protection Profile and either create a new profile or edit an existing 'user defined' profile. Apply both policies from URL Rewriting and URL Encryption.
  2. Go to Policy -> Server Policy and apply the Web Protection Profile to the server policy.

[Image: WPP part 1.png]

[Image: WPP part 2.png]

[Image: Server Policy.png]

Test the results by checking the body of the web application and by trying to reach the file previously disclosed.
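To check the result without eyeballing the page, here is an added verification script; it is not from the article or from Fortinet. The two HTML bodies, the version string, the file path and the encrypted-URL token are constructed placeholders, and the script also decodes HTML entities and percent-encoding so that a marker surviving only in encoded form is still reported.

```python
from html import unescape
from urllib.parse import unquote

# Constructed sample: what the back-end returns before any masking.
BEFORE_BODY = """<html><body>
<p>Powered by ExampleApp 2.4.1</p>
<a href="/internal/config/settings.php">settings</a>
</body></html>"""

# Constructed sample: what the client sees after URL Rewriting removed the
# version text and URL Encryption replaced the path. The token is a made-up
# placeholder, not FortiWeb's real encrypted-URL format.
AFTER_BODY = """<html><body>
<p>Powered by ExampleApp</p>
<a href="/__encrypted__/0123456789abcdef">settings</a>
</body></html>"""

# Markers the two rules are expected to hide (constructed values).
MARKERS = ["2.4.1", "/internal/config/settings.php"]


def _normalise(body: str) -> str:
    """Decode HTML entities, then percent-encoding, and lower-case, so that
    e.g. %2Finternal%2F... or &#47;internal&#47;... still matches a marker."""
    return unquote(unescape(body)).lower()


def find_disclosures(body: str, markers) -> list:
    """Return the markers that are still present in the normalised body."""
    text = _normalise(body)
    return [m for m in markers if m.lower() in text]


def verify_masking(before: str, after: str, markers) -> dict:
    """Map each marker to 'masked', 'still disclosed' or 'not in original'.
    'not in original' means the rule had nothing to match in the first place,
    which usually points at a wrong match pattern rather than a success."""
    seen_before = set(find_disclosures(before, markers))
    seen_after = set(find_disclosures(after, markers))
    result = {}
    for m in markers:
        if m not in seen_before:
            result[m] = "not in original"
        elif m in seen_after:
            result[m] = "still disclosed"
        else:
            result[m] = "masked"
    return result


if __name__ == "__main__":
    for marker, status in verify_masking(BEFORE_BODY, AFTER_BODY, MARKERS).items():
        print(f"{marker}: {status}")
```

In practice, replace the two constants with the body fetched through FortiWeb and the body fetched directly from the back-end, and keep the marker list in sync with the patterns configured in the rules.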

[Image: test results.png]

[Image: attack block message.png]

Related documents: