Created on 11-24-2021 03:29 AM, edited on 10-20-2023 12:41 AM by Jean-Philippe_P
Description
This article provides guidance on how to address items commonly seen in a security audit report produced by a VAPT (vulnerability assessment and penetration testing) scan of a web application published through FortiWeb.
Scope
FortiWeb v7.4 and earlier.
Solution
Cookies: SameSite Flag Not Used.
config server-policy policy
edit <policy name>
set internal-cookie-samesite enable
set internal-cookie-samesite-value {strict | lax | none}
end
Related documents:
FortiWeb CLI reference: internal-cookie-samesite.
FortiWeb CLI reference: internal-cookie-samesite-value.
Cookies: Secure Flag Not Used.
Related document:
Cookie security - FortiWeb administration guide.
config server-policy policy
edit <policy name>
set internal-cookie-secure enable
end
Related document:
FortiWeb CLI reference: internal-cookie-secure.
Header: HTTP Strict Transport Security Missing.
Related document:
Configuring an HTTP server policy: FortiWeb administration guide.
Header: Content Security Policy Missing.
Header: Referrer-Policy Missing.
Header: X-Content-Type-Options Missing.
Header: X-XSS-Protection Missing.
Related document:
HTTP security headers - FortiWeb administration guide.
Header: Web Server Version Exposed.
Header: X-Powered-By Exposed.
Header: X-AspNet-Version Exposed.
Related document:
Blocking known attacks: information disclosure - FortiWeb administration guide.
HTTP OPTIONS Method Enabled.
Related document:
Specifying allowed HTTP methods - FortiWeb administration guide.
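After applying the cookie, header, information-disclosure and HTTP-method settings above, it is worth confirming the result from a captured response before re-running the scanner. The following checker is an added example, not part of the original article and not Fortinet code: it parses the raw response head returned by `curl -sI https://host/` (or `curl -sI -X OPTIONS https://host/` for the method check) and reports the same finding names used in this article. The two response heads at the bottom are constructed samples. Two heuristics are assumptions made here rather than anything the article states: a Server header counts as a version disclosure only when it contains a digit ("Apache" is fine, "Apache/2.4.41" is not), and an Allow header that lists OPTIONS is taken as proof that the OPTIONS method is enabled. Note also that modern browsers ignore X-XSS-Protection; scanners still report its absence, which is why it is checked.

```python
"""Offline checker for the cookie and header findings listed in this article.

Feed it a raw HTTP response head (status line plus headers), e.g. the output
of `curl -sI`, and it returns the findings a VAPT scanner would raise.
"""
import re

# Response headers whose absence is reported as a finding (lower-cased names).
REQUIRED_HEADERS = {
    "strict-transport-security": "Header: HTTP Strict Transport Security Missing",
    "content-security-policy": "Header: Content Security Policy Missing",
    "referrer-policy": "Header: Referrer-Policy Missing",
    "x-content-type-options": "Header: X-Content-Type-Options Missing",
    "x-xss-protection": "Header: X-XSS-Protection Missing",
}

# Response headers whose mere presence is reported as a finding.
DISCLOSURE_HEADERS = {
    "x-powered-by": "Header: X-Powered-By Exposed",
    "x-aspnet-version": "Header: X-AspNet-Version Exposed",
}


def parse_head(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw response head.
    Duplicates are preserved because Set-Cookie may legitimately repeat."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # line 0 is the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_findings(set_cookie: str) -> list[str]:
    """Apply the two cookie checks from this article to one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookies: Secure Flag Not Used ({name})")
    if "samesite" not in attrs:
        findings.append(f"Cookies: SameSite Flag Not Used ({name})")
    return findings


def audit_response(raw: str) -> list[str]:
    """Return every finding from this article that applies to the response head."""
    headers = parse_head(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    for name, finding in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(finding)
    for name, value in headers:
        # Assumption: a product name alone is not a version disclosure;
        # a version number ("nginx/1.18.0") is.
        if name == "server" and re.search(r"\d", value):
            findings.append("Header: Web Server Version Exposed")
        if name in DISCLOSURE_HEADERS:
            findings.append(DISCLOSURE_HEADERS[name])
        # Assumption: an Allow header naming OPTIONS (the reply to an
        # OPTIONS probe) shows the method is enabled.
        if name == "allow" and "options" in value.lower():
            findings.append("HTTP OPTIONS Method Enabled")
    return findings


# Constructed sample: response before the FortiWeb settings are applied.
BEFORE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly
Allow: GET, HEAD, POST, OPTIONS
Content-Type: text/html
"""

# Constructed sample: the same response after hardening.
AFTER = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(audit_response(head))} finding(s)")
        for f in audit_response(head):
            print("  -", f)
```

Run it against a real capture by replacing the sample strings with the output of `curl -sI`; a clean result for the hardened policy means the remaining scanner items, if any, come from the back-end application itself rather than from what FortiWeb adds or strips.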
TLS Certificate Is Invalid/Expired.
TLS Certificate Not Trusted.
Untrusted TLS/SSL server X.509 certificate.
TLS Certificate Subject CN Does Not Match the Entity Name.
SHA-1-based Signature in TLS/SSL Server X.509 Certificate.
Weak Cryptographic Key.
TLS Certificate Using Weak Cipher.
TLS/SSL Weak Message Authentication Code Cipher Suites.
TLS/SSL Server Supports The Use of Static Key Ciphers.
TLSv1.0 in Use.
TLSv1.1 in Use.
Related document:
Configuring an HTTP server policy - FortiWeb administration guide.
TLS/SSL Server Is Using Commonly Used Prime Numbers.
config system global
set dh-params 2048
end
Related document:
DH params - system globals - FortiWeb CLI reference.
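The TLS items above (certificate, cipher-suite, protocol-version and DH-parameter findings) are all decided from a handful of observable server properties. The following script is an added example, not from the original article and not Fortinet code: it takes those properties as a plain dict, as one would transcribe them from `openssl s_client` or a scanner's cipher enumeration, and maps them to the finding names used in this article. The classification rules are the usual scanner heuristics and are assumptions made here: `TLS_RSA_WITH_...` suites use RSA key transport (a static key, no forward secrecy); suites ending in `_MD5` or `_SHA` use HMAC-MD5 or HMAC-SHA1 as their MAC; and a DH group below 2048 bits is treated as the "commonly used prime numbers" case, which is what the `dh-params 2048` setting above changes (a real scanner compares the prime against a list of well-known groups). Both server descriptions at the bottom are constructed samples.

```python
"""Map observed TLS parameters to the TLS/SSL findings listed in this article.

The two dicts at the bottom are constructed before/after samples; replace
them with values read from `openssl s_client -connect host:443` output.
"""
from datetime import date

# Scanner heuristics (assumptions, see the lead-in).
STATIC_KEY_PREFIX = "TLS_RSA_WITH_"          # RSA key transport: no forward secrecy
WEAK_MAC_SUFFIXES = ("_MD5", "_SHA")         # HMAC-MD5 / HMAC-SHA1 suites
DEPRECATED_PROTOCOLS = ("TLSv1.0", "TLSv1.1")
MIN_KEY_BITS = 2048                          # RSA certificate key and DH group


def certificate_findings(cert: dict, hostname: str, today: date) -> list[str]:
    """Certificate-related findings for a server certificate described as a dict."""
    findings = []
    if cert["not_after"] < today:
        findings.append("TLS Certificate Is Invalid/Expired.")
    if not cert["trusted"]:
        findings.append("TLS Certificate Not Trusted.")
    # The scanned hostname must appear in the CN or in a SAN entry.
    names = {cert["subject_cn"], *cert.get("san", [])}
    if hostname not in names:
        findings.append("TLS Certificate Subject CN Does Not Match the Entity Name.")
    if cert["signature_algorithm"].lower().startswith("sha1"):
        findings.append("SHA-1-based Signature in TLS/SSL Server X.509 Certificate.")
    if cert["key_bits"] < MIN_KEY_BITS:
        findings.append("Weak Cryptographic Key.")
    return findings


def protocol_findings(scan: dict) -> list[str]:
    """Protocol-version, cipher-suite and DH-group findings."""
    findings = [f"{p} in Use." for p in DEPRECATED_PROTOCOLS if p in scan["protocols"]]
    suites = scan["cipher_suites"]
    if any(s.startswith(STATIC_KEY_PREFIX) for s in suites):
        findings.append("TLS/SSL Server Supports The Use of Static Key Ciphers.")
    if any(s.endswith(WEAK_MAC_SUFFIXES) for s in suites):
        findings.append("TLS/SSL Weak Message Authentication Code Cipher Suites.")
    # Assumption: approximate the "commonly used primes" check by group size,
    # which is the property the dh-params setting changes.
    if scan.get("dh_bits") and scan["dh_bits"] < MIN_KEY_BITS:
        findings.append("TLS/SSL Server Is Using Commonly Used Prime Numbers.")
    return findings


def tls_findings(scan: dict, today: date) -> list[str]:
    """All TLS findings from this article for one scanned server."""
    return protocol_findings(scan) + certificate_findings(scan["cert"], scan["hostname"], today)


# Constructed sample: server before hardening.
BEFORE = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "cipher_suites": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
    "dh_bits": 1024,
    "cert": {
        "subject_cn": "fortiweb.internal",
        "san": [],
        "signature_algorithm": "sha1WithRSAEncryption",
        "key_bits": 1024,
        "not_after": date(2021, 6, 30),
        "trusted": False,
    },
}

# Constructed sample: the same server after hardening.
AFTER = {
    "hostname": "www.example.com",
    "protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_256_GCM_SHA384",
    ],
    "dh_bits": 2048,
    "cert": {
        "subject_cn": "www.example.com",
        "san": ["www.example.com"],
        "signature_algorithm": "sha256WithRSAEncryption",
        "key_bits": 2048,
        "not_after": date(2025, 1, 1),
        "trusted": True,
    },
}

if __name__ == "__main__":
    today = date(2023, 10, 20)
    for label, scan in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {len(tls_findings(scan, today))} finding(s)")
        for f in tls_findings(scan, today):
            print("  -", f)
```

The hardened sample clears every TLS item in this article; if a scanner still reports one of them after the server policy is updated, compare its reported protocol and suite list with the policy's TLS settings rather than assuming a false positive.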
TCP Timestamp Disclosure.
config system network-option
set tcp-timestamp disable
end
Related document:
System network option - FortiWeb CLI reference.
Copyright 2024 Fortinet, Inc. All Rights Reserved.