Best way to secure a small web app Air Force PT calculator with FortiGate?

Question

Hi everyone,I built a small public-facing web app that calculates Air Force PT scores using the latest standards. The site is fairly simple (just data inputs, PFT calculations, and score outputs), but I want to make sure it's properly secured since it’s starting to get more traffic.I’m running it on a cloud VPS and have a FortiGate VM set up, but I’m not totally sure if I’m configuring things correctly for this type of lightweight tool. Specifically:Do I need full Web Application Firewall (WAF) features for something this small, or would basic IPS + URL filtering be enough?Are there recommended settings for protecting simple form-input sites from script injection or bot traffic?Should I be using any FortiGate-specific features to handle potential spikes in traffic or prevent abuse?And lastly, is there anything I should check to make sure my HTTPS setup is fully compliant?I’m not handling any personal data, just the PT scoring inputs, but I still want to lock it down correctly.Any guidance or best-practice steps would be really appreciated. Thanks!Ryan

Atul_S · Answer

Hi Ryan,

Irrespective of the light weight of the application, as soon as you open it to the public, you are exposed to all sorts of manipulations that can be carried out on the data. WAF can certainly protect against common web threats and enable data validation and sanitisation on the server to prevent script-based attacks, or you can resort to IPS and URL filtering to block known traffic. Also, don't forget to enable the SQL injection and XSS protection in your WAF or IPS settings.

You can use traffic shapers to manage potential traffic spikes and verify that strong cipher suites are enabled for HTTPS/TLS traffic.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded