opetr_FTNT (Staff)
Article Id 199434

Description

This article provides guidance on how to address the items commonly seen in a security audit report (the outcome of a VAPT scan).

Scope

FortiWeb v7.4 and earlier.

Solution

Cookies: SameSite Flag Not Used.

  • For internal cookies generated by FortiWeb (such as 'cookiesession1'), this can be enabled through the CLI:

config server-policy policy
    edit <policy name>
        set internal-cookie-samesite enable
        set internal-cookie-samesite-value {strict | lax | none}
end

Related documents:

FortiWeb CLI reference: internal-cookie-samesite.

FortiWeb CLI reference: internal-cookie-samesite-value.


Cookies: Secure Flag Not Used.

  • For external cookies (i.e. cookies set by the backend server), this flag can be added through Web Protection -> Cookie Security.

Related document:

Cookie security - FortiWeb administration guide.

  • For internal cookies generated by FortiWeb (such as 'cookiesession1'), this can be enabled through the CLI:

config server-policy policy
    edit <policy name>
        set internal-cookie-secure enable
end

Related document:
FortiWeb CLI reference: internal-cookie-secure.


Header: HTTP Strict Transport Security Missing.

  • This header can be added through Policy -> Server Policy -> <policy name> ; Advanced SSL Settings -> HTTPS Header Insertion -> Add HSTS Header.

Related document:
Configuring an HTTP server policy: FortiWeb administration guide.


Header: Content Security Policy Missing.
Header: Referrer-Policy Missing.
Header: X-Content-Type-Options Missing.
Header: X-XSS-Protection Missing.

  • These headers can be added through Web Protection -> Advanced Protection -> HTTP Header Security.


Related document:
HTTP security headers - FortiWeb administration guide.


Header: Web Server Version Exposed.
Header: X-Powered-By Exposed.
Header: X-AspNet-Version Exposed.

  • These headers can be masked by Information Disclosure signatures 080200001, 080200004, and 080200005.


Related document:
Blocking known attacks: information disclosure - FortiWeb administration guide.
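As an added verification step (this script is not part of the Fortinet article): after the cookie, header-insertion and signature changes above are applied, feed the headers of a captured response to the checker below and it reports which of the cookie and header findings listed on this page would still be raised. The sample headers are constructed, and the finding names match the headings of this article.

```python
import re
# Header that must be present -> the audit finding it clears (names as in the article).
REQUIRED = {
    "strict-transport-security": "Header: HTTP Strict Transport Security Missing",
    "content-security-policy": "Header: Content Security Policy Missing",
    "referrer-policy": "Header: Referrer-Policy Missing",
    "x-content-type-options": "Header: X-Content-Type-Options Missing",
    "x-xss-protection": "Header: X-XSS-Protection Missing",
}
# Headers the Information Disclosure signatures are expected to mask.
DISCLOSURE = {
    "x-powered-by": "Header: X-Powered-By Exposed",
    "x-aspnet-version": "Header: X-AspNet-Version Exposed",
}

def audit_cookie(set_cookie):
    """Findings for one Set-Cookie value ('name=value; attr; attr=value ...')."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookies: Secure Flag Not Used ({name})")
    if "samesite" not in attrs:
        findings.append(f"Cookies: SameSite Flag Not Used ({name})")
    return findings

def audit_headers(headers):
    """headers: list of (name, value) pairs (Set-Cookie may repeat); returns sorted findings."""
    findings = set()
    present = {n.lower() for n, _ in headers}
    findings.update(f for h, f in REQUIRED.items() if h not in present)
    for name, value in headers:
        key = name.lower()
        if key in DISCLOSURE:
            findings.add(DISCLOSURE[key])
        elif key == "server" and re.search(r"\d", value):
            findings.add("Header: Web Server Version Exposed")  # 'Apache/2.4.41' leaks a version
        elif key == "set-cookie":
            findings.update(audit_cookie(value))
    return sorted(findings)

# Constructed sample: the same backend response before and after the FortiWeb changes.
BEFORE = [("Server", "Apache/2.4.41"), ("X-Powered-By", "PHP/7.4.3"),
          ("Set-Cookie", "cookiesession1=678A3D4F; HttpOnly")]
AFTER = [("Server", "Apache"), ("Strict-Transport-Security", "max-age=31536000"),
         ("Content-Security-Policy", "default-src 'self'"), ("Referrer-Policy", "no-referrer"),
         ("X-Content-Type-Options", "nosniff"), ("X-XSS-Protection", "1; mode=block"),
         ("Set-Cookie", "cookiesession1=678A3D4F; Secure; HttpOnly; SameSite=Lax")]
```

The header list can be taken from http.client's HTTPResponse.getheaders() against the published host, once before and once after the change; audit_headers(AFTER) returning an empty list confirms the items above are cleared.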


HTTP OPTIONS Method Enabled.

  • Disable unwanted methods through Web Protection -> Access -> Allow Method by enabling only the methods intended to be allowed; all other methods will be blocked.

Related document:
Specifying allowed HTTP methods - FortiWeb administration guide.


TLS Certificate Is Invalid/Expired.
TLS Certificate Not Trusted.
Untrusted TLS/SSL Server X.509 Certificate.
TLS Certificate Subject CN Does Not Match the Entity Name.
SHA-1-based Signature in TLS/SSL Server X.509 Certificate.
Weak Cryptographic Key.

  • The solution is to issue a valid certificate to the host from a trusted and authorized Certificate Authority, with strong cryptographic security, and make sure that the certificate was installed properly.

TLS Certificate Using Weak Cipher.
TLS/SSL Weak Message Authentication Code Cipher Suites.
TLS/SSL Server Supports The Use of Static Key Ciphers.
TLSv1.0 in Use.
TLSv1.1 in Use.

  • Disable TLS 1.0 and TLS 1.1 under Policy -> Server Policy -> <policy name>; Advanced SSL Settings -> SSL Connection Settings.
  • The encryption level (which cipher suites are offered) can also be set in the same location.

Related document:
Configuring an HTTP server policy - FortiWeb administration guide.


TLS/SSL Server Is Using Commonly Used Prime Numbers.

  • The solution is to set the DH parameter size to 2048 or higher. This can be done through the CLI:

config system global
    set dh-params 2048
end

Related document:
DH params - system globals - FortiWeb CLI reference.


TCP Timestamp Disclosure.

  • Disable the use of TCP timestamps with the following command:

config system network-option
    set tcp-timestamp disable
end

  • Note that setting this option can result in decreased application performance.

Related document:

System network-option - FortiWeb CLI reference.