Can FortiWeb discover API vulnerabilities like a missing authorization header or weak API authentication?
I have played with the FortiWeb trial VM and the demo center (FortiWeb Demo), and after reading some documentation and watching FortiWeb API Protection: Overview - YouTube and FortiWeb - Machine Learning Based API Protection - YouTube I see that FortiWeb has ML for API discovery, but what about discovering whether API endpoints don't enforce authentication or authorization, or use weak authentication?
The traffic could be legitimate, but in some cases the devs by mistake don't enforce API authentication/authorization on some API endpoints, or there is a forgotten old version of an API URL endpoint (shadow API). Can FortiWeb see the requests and, after some time with anomaly detection, still make suggestions for API security improvement even if all the requests don't have an authorization header (not a deviation but still a security issue)?
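
The concern in the last paragraph is that an endpoint where no request ever carries an Authorization header gives anomaly detection no deviation to learn from. As an added example (not part of the original post and not FortiWeb functionality), here is an absolute per-endpoint check over request records. The record layout, the paths and the public allowlist are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (method, path, status, had_authorization_header)
SAMPLE_LOG = [
    ("GET", "/api/v2/orders", 200, True),
    ("GET", "/api/v2/orders", 401, False),    # enforcement works here
    ("GET", "/api/v1/orders", 200, False),    # forgotten old version
    ("GET", "/api/v1/orders", 200, False),
    ("POST", "/api/v2/profile", 200, True),
    ("POST", "/api/v2/profile", 200, False),  # header optional by mistake
    ("GET", "/api/v2/health", 200, False),    # intentionally public
]

# Hypothetical allowlist of endpoints that are meant to be unauthenticated.
PUBLIC_ALLOWLIST = frozenset({("GET", "/api/v2/health")})


def audit_auth_enforcement(records, public=PUBLIC_ALLOWLIST):
    """Flag endpoints that answered 2xx to requests without an Authorization header.

    This is a rule on the absolute state of each endpoint, not a comparison
    against learned behaviour, so it still fires when every request to the
    endpoint lacks the header.
    """
    stats = defaultdict(lambda: {"auth_seen": 0, "unauth_ok": 0})
    for method, path, status, has_auth in records:
        entry = stats[(method, path)]
        if has_auth:
            entry["auth_seen"] += 1
        elif 200 <= status < 300:
            entry["unauth_ok"] += 1

    findings = {}
    for endpoint, entry in stats.items():
        if endpoint in public or entry["unauth_ok"] == 0:
            continue
        # No authenticated request ever seen: the "no deviation" case.
        if entry["auth_seen"] == 0:
            findings[endpoint] = "never_authenticated"
        else:
            findings[endpoint] = "inconsistently_enforced"
    return findings


if __name__ == "__main__":
    for (method, path), verdict in sorted(audit_auth_enforcement(SAMPLE_LOG).items()):
        print(f"{method} {path}: {verdict}")
```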
