When multiple HTTP headers are configured in the web-proxy profile entry to be removed from an HTTP response, only the first header is removed from the HTTP response.

config firewall policy

    edit 1

        set type explicit-web
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "wp_client"
        set webproxy-profile "wp-profile"
        set logtraffic all
        set webcache enable
        set webcache-https enable
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"

    next

end

config web-proxy profile

    edit "wp-profile"

        config headers

            edit 1

                set name "Vary"
                set action remove-from-response

            next
            edit 2

                set name "cache-control"
                set action remove-from-response

            next
            edit 3

                set name "Pragma"
                set action remove-from-response

            next

        end

    next

end

Example:

HTTP/1.1 200 OK
Date: Fri, 28 Nov 2025 06:39:09 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Fri, 14 Nov 2025 08:54:18 GMT
ETag: "29af-6438a248e8a09-gzip"
Accept-Ranges: bytes
(blank) ---> "Vary: Accept-Encoding" removed by remove-from-response
Content-Encoding: gzip
Cache-Control: no-cache, no-store, must-revalidate ---> not removed
Pragma: no-cache ---> not removed
Expires: 0
Content-Length: 3121
Content-Type: text/html

The issue that FortiProxy fails to remove headers from HTTP responses will be fixed in the following versions.

• v7.4.12 (available on the Fortinet support portal).
• v7.6.5 (scheduled to be released in December 2025).

These timelines for firmware release are estimates and may be subject to change.