FortiWeb 600F – Rate limiting by custom header (x-user-trace) on specific paths
Hi everyone,
I’m using **FortiWeb 600F (reverse proxy mode)** and need to implement **request rate limiting based on a custom HTTP header**, not on the client IP.
Limit requests to specific endpoints:
* `/order/buy`
* `/order/sell`
Each request includes a header `x-user-trace`, which identifies the user.
I want FortiWeb to **allow only one request per 300 milliseconds per unique `x-user-trace` value.**
If the same user (same header value) sends another request within 300 ms, it should be **blocked or responded with HTTP 429 (Too Many Requests).**
```
if request.path in ["/order/buy", "/order/sell"]:
    if "x-user-trace" in request.headers:
        key = request.headers["x-user-trace"]
        # allow 1 request / 300 ms per key
    else:
        # block or respond with 429
```
1. Can FortiWeb natively perform rate limiting using a **custom header** (like `x-user-trace`) instead of the client IP?
* I know that **DoS Protection**, **Bot Mitigation**, and **Rate Limiting** features exist, but they appear to use **source IP** as the identifier.
2. Is there any supported way to define a **custom key expression or variable** (e.g. using `x-user-trace` header) to group requests for rate limiting?
3. If this is not possible through GUI or CLI configuration —
* Is there a way to extend FortiWeb functionality by adding a **custom module, script, or plugin** (in Python, Lua, or another supported language)?
* Can such logic be executed before forwarding the request to the backend?
4. If scripting or plugins are not supported, what’s the **recommended FortiWeb-native workaround** for achieving this type of **per-user rate control** (based on request headers)?
* Device: **Fortinet FortiWeb 600F**
* Mode: Reverse Proxy
* Version: *(available if needed)*
Any official guidance, CLI/GUI example, or configuration reference would be really helpful.
Thank you in advance!
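The header-keyed limit the post describes, written out as an added Python example (not FortiWeb configuration and not the poster's own code) so the intended behaviour is unambiguous: one request per 300 ms per distinct `x-user-trace` value, shared across both `/order/*` paths, with a rejected request not extending the window and a missing header rejected outright. The `decide()` function, the 400 status for a missing header and the injected `now_ms` clock are assumptions made here for clarity and testability.

```python
import time
from typing import Dict, Mapping, Optional

LIMITED_PATHS = frozenset({"/order/buy", "/order/sell"})
KEY_HEADER = "x-user-trace"
MIN_INTERVAL_MS = 300


class HeaderKeyedRateLimiter:
    """Allow one request per interval for each distinct value of KEY_HEADER."""

    def __init__(self, interval_ms: int = MIN_INTERVAL_MS, max_keys: int = 100_000) -> None:
        self.interval_ms = interval_ms
        self.max_keys = max_keys
        self._last_allowed_ms: Dict[str, float] = {}  # key -> time of last forwarded request

    def _evict_stale(self, now_ms: float) -> None:
        # Keys idle for longer than the interval can never cause a 429 again,
        # so drop them once the table is full to keep memory bounded.
        if len(self._last_allowed_ms) < self.max_keys:
            return
        cutoff = now_ms - self.interval_ms
        for key in [k for k, t in self._last_allowed_ms.items() if t < cutoff]:
            del self._last_allowed_ms[key]

    def decide(self, path: str, headers: Mapping[str, str], now_ms: Optional[float] = None) -> int:
        """Return the status to act on: 200 = forward, 429 = too many requests, 400 = no key."""
        if path not in LIMITED_PATHS:
            return 200  # not a protected endpoint: pass through untouched
        # HTTP header names are case-insensitive, so normalise before the lookup.
        lowered = {name.lower(): value for name, value in headers.items()}
        key = lowered.get(KEY_HEADER, "").strip()
        if not key:
            return 400  # assumption: no identifier means the request is rejected, not forwarded
        now_ms = time.monotonic() * 1000 if now_ms is None else now_ms
        self._evict_stale(now_ms)
        last = self._last_allowed_ms.get(key)
        if last is not None and now_ms - last < self.interval_ms:
            # Do not record this hit: a rejected burst must not push the user's
            # next allowed slot further out, or a flooding client starves itself forever.
            return 429
        self._last_allowed_ms[key] = now_ms
        return 200
```

Because the window is keyed on the header value alone, `/order/buy` and `/order/sell` draw from the same 300 ms budget, which is what "one request per 300 ms per unique `x-user-trace`" implies.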