Article Id 199434



This article provides guidance on how to address items commonly seen in a security audit report (the outcome of a VAPT scan) when the audited host is published through FortiWeb.




FortiWeb v7.4 and earlier.






Cookies: SameSite Flag Not Used.

  • For internal cookies generated by FortiWeb (such as 'cookiesession1'), this can be enabled through the CLI:

config server-policy policy
    edit <policy name>
        set internal-cookie-samesite enable
        set internal-cookie-samesite-value {strict | lax | none}
    next
end

  • 'lax' is the usual choice; 'strict' also blocks the cookie on top-level navigations coming from other sites, and 'none' only has an effect when the cookie is also marked Secure.



Related documents:

FortiWeb CLI reference: internal-cookie-samesite.

FortiWeb CLI reference: internal-cookie-samesite-value.

Cookies: Secure Flag Not Used.

  • For external cookies (i.e. cookies set by the backend server), this flag can be added through Web Protection -> Cookie Security.



Related document:

Cookie security - FortiWeb administration guide.


  • For internal cookies generated by FortiWeb (such as 'cookiesession1'), this can be enabled through the CLI:

config server-policy policy
    edit <policy name>
        set internal-cookie-secure enable
    next
end


Related document:
FortiWeb CLI reference: internal-cookie-secure.

Header: HTTP Strict Transport Security Missing.

  • This header can be added through Policy -> Server Policy -> <policy name> ; Advanced SSL Settings -> HTTPS Header Insertion -> Add HSTS Header.


Related document:
Configuring an HTTP server policy: FortiWeb administration guide.

Header: Content Security Policy Missing.
Header: Referrer-Policy Missing.
Header: X-Content-Type-Options Missing.
Header: X-XSS-Protection Missing.

  • These headers can be added through Web Protection -> Advanced Protection -> HTTP Header Security.



Related document:
HTTP security headers - FortiWeb administration guide.

Header: Web Server Version Exposed.

Header: X-Powered-By Exposed.
Header: X-AspNet-Version Exposed.

  • These headers can be masked by enabling the Information Disclosure signatures 080200001, 080200004, and 080200005 in the signature policy applied to the server policy. Verify with a request through FortiWeb (for example 'curl -sI') that the Server, X-Powered-By and X-AspNet-Version headers no longer carry product or version strings.







Related document:
Blocking known attacks: information disclosure - FortiWeb administration guide.
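The cookie and header items above are the easiest to verify from the client side. The following script is an added example (not part of this article or of any Fortinet tool): it parses a raw HTTP response, as saved from 'curl -si https://host/', and lists the findings from this article that would still be raised, so the same check can be run before and after the FortiWeb changes. The two responses embedded in it are constructed for illustration.

```python
"""Offline checker for the cookie and header findings described above.

Added example, not from the FortiWeb article or Fortinet tooling. Feed it a raw
HTTP response (status line, headers, blank line, body) and it returns the audit
items that a scanner would still report. BEFORE/AFTER are constructed samples.
"""
import re

# Constructed sample: backend response as seen before hardening.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
X-AspNet-Version: 4.0.30319
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly
Set-Cookie: cookiesession1=678B3F7C1A2B3C4D; Path=/; HttpOnly
Content-Type: text/html

<html></html>
"""

# Constructed sample: the same response after the FortiWeb settings above are applied.
AFTER = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: cookiesession1=678B3F7C1A2B3C4D; Path=/; Secure; HttpOnly; SameSite=Lax
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html

<html></html>
"""

# Headers whose absence is a finding, keyed by lowercased header name.
REQUIRED_HEADERS = {
    "strict-transport-security": "Header: HTTP Strict Transport Security Missing",
    "content-security-policy": "Header: Content Security Policy Missing",
    "referrer-policy": "Header: Referrer-Policy Missing",
    "x-content-type-options": "Header: X-Content-Type-Options Missing",
    "x-xss-protection": "Header: X-XSS-Protection Missing",
}
# Headers whose presence is a finding (technology disclosure).
DISCLOSING_HEADERS = {
    "x-powered-by": "Header: X-Powered-By Exposed",
    "x-aspnet-version": "Header: X-AspNet-Version Exposed",
}


def parse_headers(raw):
    """Return (lowercased name, value) pairs from the header block of a raw response."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if line == "":
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_findings(headers):
    """Flag every Set-Cookie that lacks the Secure or SameSite attribute."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"Cookies: Secure Flag Not Used ({cookie_name})")
        if "samesite" not in attrs:
            findings.append(f"Cookies: SameSite Flag Not Used ({cookie_name})")
    return findings


def header_findings(headers):
    """Flag missing security headers and headers that leak product or version data."""
    present = {name for name, _ in headers}
    findings = [msg for h, msg in REQUIRED_HEADERS.items() if h not in present]
    findings += [msg for h, msg in DISCLOSING_HEADERS.items() if h in present]
    for name, value in headers:
        # A bare product name is tolerated; any digit means a version is exposed.
        if name == "server" and re.search(r"\d", value):
            findings.append("Header: Web Server Version Exposed")
    return findings


def audit(raw):
    """Return the sorted list of findings for one raw HTTP response."""
    headers = parse_headers(raw)
    return sorted(cookie_findings(headers) + header_findings(headers))


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(audit(sample))} finding(s)")
        for item in audit(sample):
            print("  -", item)
```

Run it on a response captured through FortiWeb rather than directly from the backend, since the Cookie Security, HTTP Header Security and Information Disclosure features act on the proxied response. The expected result after remediation is an empty list.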

HTTP OPTIONS Method Enabled.

  • Disable unwanted methods through Web Protection -> Access -> Allow Method by enabling only the methods the application actually needs (typically GET, POST and HEAD). Any method that is not enabled, including OPTIONS, is blocked. Note that applications relying on CORS preflight requests do need OPTIONS; confirm with the application owner before removing it.



Related document:
Specifying allowed HTTP methods - FortiWeb administration guide

TLS Certificate Is Invalid/Expired.

TLS Certificate Not Trusted.
Untrusted TLS/SSL server X.509 certificate.

TLS Certificate Subject CN Does Not Match the Entity Name.

SHA-1-based Signature in TLS/SSL Server X.509 Certificate.
Weak Cryptographic Key.

  • The solution is to issue a valid certificate to the host from a trusted Certificate Authority and install it on FortiWeb as the server policy's certificate. The certificate should use a SHA-256 (or stronger) signature, an RSA key of at least 2048 bits or an ECDSA key of at least 256 bits, and a Subject Alternative Name entry for every host name clients use (browsers ignore the Subject CN once a SAN list is present). Also verify that the full intermediate chain is served, otherwise scanners report the certificate as untrusted even though the leaf is valid.

TLS Certificate Using Weak Cipher.

TLS/SSL Weak Message Authentication Code Cipher Suites.

TLS/SSL Server Supports The Use of Static Key Ciphers.

TLSv1.0 in Use.

TLSv1.1 in Use.

  • Disable the TLS 1.0 and TLS 1.1 versions under Policy -> Server Policy -> <policy name>; Advanced SSL Settings -> SSL Connection Settings.
  • The SSL/TLS encryption level, which determines the cipher suites FortiWeb offers, is set in the same location. Choose a level that excludes the suites the report lists: static RSA key exchange (suite names without ECDHE or DHE) and SHA-1 or MD5 HMAC suites (names ending in -SHA or -MD5).
  • Disabling TLS 1.0/1.1 and the weaker suites can break legacy clients; check the access logs for such clients before applying the change in production.



Related document:
Configuring an HTTP server policy - FortiWeb administration guide.

TLS/SSL Server Is Using Commonly Used Prime Numbers.

  • The solution is to set the DH parameters size to 2048 bits or higher, so that FortiWeb no longer negotiates DHE suites with a widely shared 1024-bit group. This can be done through the CLI:

config system global
    set dh-params 2048
end



Related document:
DH params - system globals - FortiWeb CLI reference.
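The TLS items from 'TLS Certificate Is Invalid/Expired' down to the DH parameter size all come from the same scan data: the protocol versions and cipher suites the server accepts, the DH group size and the certificate fields. The script below is an added example (not part of this article or of any Fortinet tool) that classifies OpenSSL-style cipher suite names and checks such a description against the findings above, so a scanner's raw output can be compared with the remediation steps. The two descriptions and their field names are this example's own constructed input; the "commonly used prime numbers" item is approximated as a DH group smaller than 2048 bits, which is what the dh-params setting above fixes.

```python
"""Offline evaluator for the TLS/SSL findings described above.

Added example, not from the FortiWeb article or Fortinet tooling. `tls_findings`
takes a constructed description of a server's TLS posture (protocols, OpenSSL
suite names, DH size, certificate fields) and returns the audit items raised.
"""
from datetime import date


def key_exchange(suite):
    """Classify an OpenSSL-style suite name: 'tls13', 'ecdhe', 'dhe' or 'static'."""
    if suite.startswith("TLS_"):        # TLS 1.3 suites always use ephemeral (EC)DH
        return "tls13"
    if suite.startswith("ECDHE-"):
        return "ecdhe"
    if suite.startswith(("DHE-", "EDH-")):
        return "dhe"
    return "static"                     # e.g. AES256-SHA: RSA key transport, no forward secrecy


def weak_mac(suite):
    """CBC suites using HMAC-SHA1 or HMAC-MD5. AEAD suites (GCM, CHACHA20) have no HMAC."""
    return suite.endswith(("-SHA", "-MD5"))


WEAK_CIPHER_TOKENS = ("RC4", "DES", "3DES", "NULL", "EXP", "IDEA", "SEED")


def weak_cipher(suite):
    """Suites built on ciphers that scanners report as weak (RC4, DES/3DES, NULL, export)."""
    return any(tok in suite.split("-") for tok in WEAK_CIPHER_TOKENS)


def name_matches(pattern, hostname):
    """Certificate name match: a wildcard covers exactly one leftmost label."""
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.lower().endswith(pattern[1:].lower()))
    return pattern.lower() == hostname.lower()


def tls_findings(scan, today=None):
    """Return the findings from the article that apply to one scan description."""
    today = today or date.today()
    findings = []
    for proto in ("TLSv1.0", "TLSv1.1"):
        if proto in scan["protocols"]:
            findings.append(f"{proto} in Use")
    ciphers = scan["ciphers"]
    if any(key_exchange(c) == "static" for c in ciphers):
        findings.append("TLS/SSL Server Supports The Use of Static Key Ciphers")
    if any(weak_mac(c) for c in ciphers):
        findings.append("TLS/SSL Weak Message Authentication Code Cipher Suites")
    if any(weak_cipher(c) for c in ciphers):
        findings.append("TLS Certificate Using Weak Cipher")
    # Approximation: a DH group below 2048 bits is one of the widely shared groups.
    if any(key_exchange(c) == "dhe" for c in ciphers) and scan["dh_bits"] < 2048:
        findings.append("TLS/SSL Server Is Using Commonly Used Prime Numbers")
    cert = scan["cert"]
    if "sha1" in cert["sig_alg"].lower():
        findings.append("SHA-1-based Signature in TLS/SSL Server X.509 Certificate")
    min_bits = 2048 if cert["key_type"] == "RSA" else 256   # RSA-2048 / P-256 floor
    if cert["key_bits"] < min_bits:
        findings.append("Weak Cryptographic Key")
    if date.fromisoformat(cert["not_after"]) < today:
        findings.append("TLS Certificate Is Invalid/Expired")
    names = cert["san"] or [cert["subject_cn"]]  # CN is only consulted when no SAN exists
    if not any(name_matches(n, scan["hostname"]) for n in names):
        findings.append("TLS Certificate Subject CN Does Not Match the Entity Name")
    return findings


# Constructed scan description of a server before remediation.
SCAN_BEFORE = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["AES256-SHA", "DHE-RSA-AES256-SHA", "DES-CBC3-SHA",
                "ECDHE-RSA-AES128-GCM-SHA256"],
    "dh_bits": 1024,
    "cert": {"sig_alg": "sha1WithRSAEncryption", "key_type": "RSA", "key_bits": 1024,
             "subject_cn": "fortiweb", "san": [], "not_after": "2023-06-30"},
}

# Constructed scan description after the server policy changes above.
SCAN_AFTER = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_256_GCM_SHA384"],
    "dh_bits": 2048,
    "cert": {"sig_alg": "sha256WithRSAEncryption", "key_type": "RSA", "key_bits": 2048,
             "subject_cn": "www.example.com", "san": ["www.example.com", "example.com"],
             "not_after": "2025-12-31"},
}

if __name__ == "__main__":
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(label, tls_findings(scan, today=date(2024, 1, 1)))
```

The suite classification is the part worth keeping: a report's "static key ciphers" item maps to every enabled suite whose name lacks an ECDHE or DHE prefix, and "weak MAC" maps to the -SHA and -MD5 suites, which is what to look for when reviewing the cipher list FortiWeb offers after changing the encryption level.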

TCP Timestamp Disclosure.

  • Disable the use of TCP timestamps with the following command:

config system network-option
    set tcp-timestamp disable
end


  • Note that disabling TCP timestamps removes the data used for round-trip time measurement and protection against wrapped sequence numbers, so it can result in decreased application performance. Many teams accept this low-severity finding rather than change the setting.

Related document:

System network option - FortiWeb CLI reference.