Created on 11-24-2021 03:29 AM. Edited on 11-04-2024 05:22 AM by Stephen_G.
Description
This article provides guidance on how to address the items most commonly seen in a security audit report (the output of a VAPT scan) when the audited host sits behind FortiWeb.
Scope
FortiWeb.
Solution
Table of Contents.
Cookies: SameSite Flag Not Used.
Cookies: Secure Flag Not Used.
Cookies: HttpOnly Flag Not Used.
Header: HTTP Strict Transport Security Missing.
Header: Content Security Policy Missing.
Header: Referrer-Policy Missing.
Header: X-Content-Type-Options Missing.
Header: X-XSS-Protection Missing.
Header: X-Frame-Options Missing.
Header: Cache-Control missing.
Header: Web Server Version Exposed.
Header: X-AspNet-Version Exposed.
TLS Certificate Is Invalid/Expired.
Untrusted TLS/SSL Server X.509 Certificate.
TLS Certificate Subject CN Does Not Match the Entity Name.
SHA-1-based Signature in TLS/SSL Server X.509 Certificate.
TLS Certificate Using Weak Cipher.
TLS/SSL Weak Message Authentication Code Cipher Suites.
TLS/SSL Server Supports The Use of Static Key Ciphers.
TLS/SSL Server Is Using Commonly Used Prime Numbers.
TLS/SSL Forward Secrecy Cipher Suites Not Supported.
Insecure Cross-Domain Policy (allow-http-request-headers-from, allow-access-from).
Cookies: SameSite Flag Not Used.
For internal cookies generated by FortiWeb (such as 'cookiesession1'), the SameSite attribute can be enabled and its value chosen through the CLI:
config server-policy policy
edit <policy name>
set internal-cookie-samesite enable
set internal-cookie-samesite-value {strict | lax | none}
end
Related documents:
- FortiWeb CLI reference: internal-cookie-samesite
- FortiWeb CLI reference: internal-cookie-samesite-value
Cookies: Secure Flag Not Used.
For external cookies (i.e., cookies set by the backend server), this flag can be added through Web Protection -> Cookie Security.
Related document:
Cookie security - FortiWeb administration guide.
For internal cookies generated by FortiWeb (such as 'cookiesession1'), this can be enabled through the CLI:
config server-policy policy
edit <policy name>
set internal-cookie-secure enable
end
Related document:
FortiWeb CLI reference: internal-cookie-secure
Cookies: HttpOnly Flag Not Used.
The HttpOnly flag can be added to external cookies in the Web Protection profile via the GUI:
Web Protection -> Cookie Security.
Header: HTTP Strict Transport Security Missing.
- This header can be added through Policy -> Server Policy -> <policy name> -> Advanced SSL Settings -> HTTPS Header Insertion -> Add HSTS Header.
Related document:
Configuring an HTTP server policy: FortiWeb administration guide
Header: Content Security Policy Missing.
Header: Referrer-Policy Missing.
Header: X-Content-Type-Options Missing.
Header: X-XSS-Protection Missing.
Header: X-Frame-Options Missing.
- These headers can be added through Web Protection -> Advanced Protection -> HTTP Header Security.
Related document:
HTTP security headers - FortiWeb administration guide
Header: Cache-Control Missing.
The 'Cache-Control' header can be added on FortiWeb via the URL Rewriting module: in the GUI, go to Application Delivery -> URL Rewriting and create a rule that inserts the header into the response.
Header: Web Server Version Exposed.
Header: X-Powered-By Exposed.
Header: X-AspNet-Version Exposed.
- These headers can be masked by Information Disclosure signatures 080200001, 080200004, and 080200005.
Related document:
Blocking known attacks: information disclosure - FortiWeb administration guide
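As an added example (not part of the original article or of FortiWeb itself), the following Python script reproduces the header and cookie checks a scanner applies to a single HTTP response, so the effect of the configuration changes above can be verified from the client side. The response it parses is constructed for illustration; the header names are the ones from the findings listed above.

```python
# Added example, not from the FortiWeb article: audit one raw HTTP response the
# way a VAPT scanner does (missing security headers, disclosure headers, and
# cookie flags). SAMPLE_RESPONSE is constructed: two fixes applied, most not.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41\r\n"
    "X-Powered-By: PHP/7.4\r\n"
    "Set-Cookie: cookiesession1=abc123; Path=/\r\n"
    "Set-Cookie: PHPSESSID=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

REQUIRED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "referrer-policy", "x-content-type-options",
                    "x-xss-protection", "x-frame-options", "cache-control")
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
COOKIE_FLAGS = ("secure", "httponly", "samesite")


def parse_headers(raw):
    """Return (status line, [(lower-cased name, value), ...]) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers end at the first blank line
    status, _, block = head.partition("\r\n")   # first line is the status line
    headers = []
    for line in block.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:                                 # skip anything that is not "Name: value"
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw):
    """Return scanner-style findings (one string each) for a raw HTTP response."""
    _, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings = [f"Header: {h} missing" for h in REQUIRED_HEADERS if h not in present]
    findings += [f"Header: {h} exposed" for h in DISCLOSURE_HEADERS if h in present]
    for name, value in headers:                 # every Set-Cookie is checked separately
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        # Attributes follow the first ';'; attribute names are case-insensitive.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        findings += [f"Cookie {cookie}: {flag} flag not used"
                     for flag in COOKIE_FLAGS if flag not in attrs]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Run it against a response captured from the protected site (for example the raw output of a curl -i request) before and after applying the FortiWeb settings; an empty findings list means every item in this section is addressed.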
HTTP OPTIONS Method Enabled.
- Disable unwanted methods through Web Protection -> Access -> Allow Method by enabling only the methods intended to be allowed. All other methods, including OPTIONS, will be blocked.
Related document:
Specifying allowed HTTP methods - FortiWeb administration guide
TLS Certificate Is Invalid/Expired.
TLS Certificate Not Trusted.
Untrusted TLS/SSL server X.509 certificate.
TLS Certificate Subject CN Does Not Match the Entity Name.
SHA-1-based Signature in TLS/SSL Server X.509 Certificate.
Weak Cryptographic Key.
- The solution is to issue a valid certificate to the host from a trusted and authorized Certificate Authority, with strong cryptographic security, and make sure that the certificate was installed properly.
TLS Certificate Using Weak Cipher.
TLS/SSL Weak Message Authentication Code Cipher Suites.
TLS/SSL Server Supports The Use of Static Key Ciphers.
TLSv1.0 in Use.
TLSv1.1 in Use.
- Disable TLS 1.0 and TLS 1.1 under Policy -> Server Policy -> <policy name> -> Advanced SSL Settings -> SSL Connection Settings.
- The TLS encryption level (the set of cipher suites offered to clients) can also be defined in the same location.
Related document:
Configuring an HTTP server policy - FortiWeb administration guide
TLS/SSL Server Is Using Commonly Used Prime Numbers.
- The solution is to set the DH parameter size to 2048 bits or higher. This can be done through the CLI:
config system global
set dh-params 2048
end
Related document:
DH params - system globals - FortiWeb CLI reference
TLS/SSL Forward Secrecy Cipher Suites Not Supported.
PFS (perfect forward secrecy) can be enabled on the server policy via the GUI: Policy -> Server Policy -> <policy name> -> Advanced SSL Settings -> SSL Connection Settings.
PFS can be enabled on the server pool via the GUI: Server Objects -> Server -> Server Pool -> <server pool name> -> <real server name> -> Advanced SSL Settings -> SSL Connection Settings.
At least one FFDHE group and at least one DHE cipher suite must be selected under TLS Encryption Level; otherwise no forward-secret suite can be negotiated.
Related document:
Supported cipher suites - for connections between FortiWeb and the clients
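The cipher suite findings above (weak cipher, weak MAC, static key exchange, no forward secrecy) can be triaged from the suite list a scanner reports. The following Python script is an added example, not code from the article or from FortiWeb: it classifies IANA-style suite names (TLS_<key exchange>_WITH_<cipher>_<MAC>) against those findings; the sample offer list is constructed.

```python
# Added example, not from the FortiWeb article: map cipher suite names reported
# by a scanner to the TLS findings in this section. SAMPLE_OFFER is constructed.
WEAK_CIPHERS = ("NULL", "EXPORT", "DES", "RC4", "RC2", "IDEA")  # "DES" also matches 3DES
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")               # no separate HMAC


def classify(suite):
    """Return the set of findings that apply to one IANA-style cipher suite name."""
    findings = set()
    if "_WITH_" not in suite:
        # TLS 1.3 suites (TLS_AES_128_GCM_SHA256, ...) are AEAD-only and their key
        # exchange is always ephemeral, so none of these findings apply.
        return findings
    kx, bulk = suite.split("_WITH_", 1)
    kx = kx.split("_", 1)[1]                    # drop TLS_/SSL_ prefix: "ECDHE_RSA", "RSA", ...
    kx_alg = kx.split("_")[0]                   # "ECDHE", "DHE", "RSA", "ECDH", "DH", "PSK", ...
    if "anon" in kx:
        findings.add("anonymous key exchange")  # unauthenticated DH, trivially MITM-able
    elif kx_alg not in ("ECDHE", "DHE"):
        findings.add("no forward secrecy")
        if kx_alg in ("RSA", "ECDH", "DH"):
            findings.add("static key exchange")  # one long-term key decrypts past sessions
    if any(w in suite for w in WEAK_CIPHERS):
        findings.add("weak cipher")
    mac = bulk.rsplit("_", 1)[-1]
    if mac in ("MD5", "SHA") and not any(m in bulk for m in AEAD_MARKERS):
        findings.add("weak MAC")                # HMAC-MD5 or HMAC-SHA1 in a non-AEAD suite
    return findings


def audit_offer(suites):
    """Map each offered suite to its sorted findings and add the list-level PFS finding."""
    report = {s: sorted(classify(s)) for s in suites}
    if suites and all("no forward secrecy" in f for f in report.values()):
        report["*"] = ["forward secrecy cipher suites not supported"]
    return report


SAMPLE_OFFER = [                                # constructed scanner output
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    for suite, found in audit_offer(SAMPLE_OFFER).items():
        print(f"{suite}: {', '.join(found) or 'ok'}")
```

After raising the TLS encryption level and enabling PFS on FortiWeb, the suites that still carry findings are the ones to remove from the level.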
TCP Timestamp Disclosure.
- Disable the use of TCP timestamps with the following command:
config system network-option
set tcp-timestamp disable
end
- Note that setting this option can result in decreased application performance.
Related document:
System network-option - FortiWeb CLI reference
Insecure Cross-Domain Policy (allow-http-request-headers-from, allow-access-from).
The crossdomain.xml technique has been superseded by CORS (Cross-Origin Resource Sharing), an HTTP header-based mechanism that lets the server (or the WAF in front of it) specify which origins may access its resources.
A CORS policy can be set on FortiWeb via the GUI: go to Web Protection -> Access -> CORS Protection.