FortiWeb

opetr_FTNT

Description

The scope of this article is to provide guidance on how to address the commonly seen items in a security audit report (the outcome of a VAPT scan).

Scope

FortiWeb v7.0 and earlier

Solution

Cookies: SameSite Flag Not Used

  • for internal cookies this can be enabled through the CLI

config server-policy policy
edit <policy name>
set internal-cookie-samesite enable
set internal-cookie-samesite-value {strict | lax | none}
end

https://docs.fortinet.com/document/fortiweb/7.0.0/cli-reference/338812/server-policy-policy#internal...


Cookies: Secure Flag Not Used

  • for external cookies (i.e. those set by the backend server) this flag can be added through Web Protection > Cookie Security

(screenshot: Web Protection > Cookie Security)

https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/2851/cookie-security

  • for internal cookies this can be enabled through the CLI

config server-policy policy
edit <policy name>
set internal-cookie-secure enable
end

https://docs.fortinet.com/document/fortiweb/7.0.0/cli-reference/338812/server-policy-policy#internal...


Header: HTTP Strict Transport Security Missing

  • you can add this header through Policy > Server Policy > <policy name> > Advanced SSL Settings > HTTPS Header Insertion > Add HSTS Header

(screenshot: Advanced SSL Settings > HTTPS Header Insertion > Add HSTS Header)

https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/201872/configuring-an-http-se...


Header: Content Security Policy Missing
Header: Referrer-Policy Missing
Header: X-Content-Type-Options Missing
Header: X-XSS-Protection Missing

  • you can add these headers through Web Protection > Advanced Protection > HTTP Header Security

(screenshot: Web Protection > Advanced Protection > HTTP Header Security)

https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/906820/http-security-headers


Header: Web Server Version Exposed
Header: X-AspNet-Version Exposed

  • these headers can be masked by Information Disclosure signatures 080200001 and 080200005

(screenshots: Information Disclosure signatures 080200001 and 080200005)

https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/210196/blocking-known-attacks...
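Once the cookie flags, security headers and information-disclosure signatures above have been configured, it is worth re-checking a captured response against the same list of audit items before the next scan. The following is an added example, not part of the original article and not FortiWeb code: a small offline checker that parses a raw HTTP response head and reports which of the cookie and header findings from this article still apply. The two sample responses are constructed for illustration; the finding strings mirror the headings used on this page.

```python
# Added example (not part of the original article or of FortiWeb): an offline
# checker that audits a captured HTTP response head for the cookie and header
# findings listed in this article, so a WAF configuration change can be
# verified against the same items a VAPT report would list.

# Response headers an audit report expects to see (lowercased name -> finding).
REQUIRED_HEADERS = {
    "strict-transport-security": "Header: HTTP Strict Transport Security Missing",
    "content-security-policy": "Header: Content Security Policy Missing",
    "referrer-policy": "Header: Referrer-Policy Missing",
    "x-content-type-options": "Header: X-Content-Type-Options Missing",
    "x-xss-protection": "Header: X-XSS-Protection Missing",
}

# Headers that leak software versions when they carry a version string.
DISCLOSURE_HEADERS = {
    "server": "Header: Web Server Version Exposed",
    "x-aspnet-version": "Header: X-AspNet-Version Exposed",
}


def parse_response_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response head (status line plus headers) into (name, value)
    pairs. Names are lowercased; repeated headers such as Set-Cookie are kept."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    pairs = []
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():          # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> list[str]:
    """Return the cookie findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    # Attribute names are case-insensitive; flags such as Secure carry no value.
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookies: Secure Flag Not Used ({cookie_name})")
    if "samesite" not in attrs:
        findings.append(f"Cookies: SameSite Flag Not Used ({cookie_name})")
    return findings


def has_version(value: str) -> bool:
    """A header value discloses a version if it contains a digit, e.g. 'Apache/2.4.41'."""
    return any(ch.isdigit() for ch in value)


def audit_response(raw: str) -> list[str]:
    """Return every finding from this article's list that applies to the response."""
    pairs = parse_response_headers(raw)
    present = {name for name, _ in pairs}
    findings = []
    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    for name, finding in REQUIRED_HEADERS.items():
        if name not in present:
            findings.append(finding)
    for name, value in pairs:
        if name in DISCLOSURE_HEADERS and has_version(value):
            findings.append(f"{DISCLOSURE_HEADERS[name]} ({value})")
    return findings


# Constructed sample: what an unprotected backend might return.
BACKEND_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache/2.4.41 (Ubuntu)",
    "X-AspNet-Version: 4.0.30319",
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly",
    "Content-Type: text/html",
])

# Constructed sample: the same response after the settings above are applied
# (cookie flags added, security headers inserted, version strings masked).
HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Server: Apache",
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Security-Policy: default-src 'self'",
    "Referrer-Policy: strict-origin-when-cross-origin",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "Content-Type: text/html",
])

if __name__ == "__main__":
    for label, resp in (("backend", BACKEND_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_response(resp)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the unprotected sample the checker lists all nine items from this article; against the hardened sample it lists none. To use it on a real host, paste the response head captured from the browser's network tab or from the WAF's traffic log in place of the constructed samples; the TLS items further down this page are not covered, since they require a live handshake rather than a captured header block.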


HTTP OPTIONS Method Enabled


TLS Certificate Is Invalid/Expired

TLS Certificate Not Trusted

TLS Certificate Subject CN Does Not Match the Entity Name

  • the solution is to issue a valid certificate for the host from a trusted and authorized Certificate Authority and to make sure that the certificate is installed properly.

TLS Certificate Using Weak Cipher

TLS/SSL Server Supports The Use of Static Key Ciphers

TLSv1.0 in Use

TLSv1.1 in Use

  • you can disable TLS 1.0 and TLS 1.1 under Policy > Server Policy > <policy name> > Advanced SSL Settings > SSL Connection Settings
  • you can also define the encryption level (the permitted cipher strength) in the same place

(screenshot: Advanced SSL Settings > SSL Connection Settings)

https://docs.fortinet.com/document/fortiweb/7.0.0/administration-guide/201872/configuring-an-http-se...


TLS/SSL Server Is Using Commonly Used Prime Numbers
