FortiWeb
kmak
Staff
Article Id 394829
Description

This article describes the FortiWeb "Add HSTS header" feature and its behaviour on the HTTP 500 return code blocking page.

Scope

FortiWeb v7.0.1 or above.
Solution

In older legacy FortiWeb firmware versions, the HSTS header feature returned the HSTS response header to users only on normal web pages, not on the FortiWeb attack blocking page. This was resolved in v7.0.1: the HSTS header feature now also adds the HSTS response header to the attack blocking page (HTTP return code 500).


  1. To check whether the HSTS header is enabled in the Server Policy, navigate to the Advanced SSL settings in the Server Policy editor page.

[Screenshot omitted (kmak_0-1749016470535.jpeg): Advanced SSL settings in the Server Policy editor]

  2. Simulate a web attack request to the Server Policy hostname and check for the response header.

[Screenshot omitted (kmak_1-1749016470543.jpeg): response headers of the attack blocking page]

  3. The HSTS response header is only made available for normal website pages and the attack block page (HTTP return code 500); it is not available for the Server Unavailable page (HTTP return code 503).

[Screenshot omitted (kmak_2-1749016470549.jpeg): response headers of the Server Unavailable page]
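
To verify the behaviour described in steps 2 and 3 without reading screenshots by hand, the following added example (not part of the Fortinet article, and not FortiWeb code) parses raw HTTP response heads and reports, per response, whether a valid Strict-Transport-Security header is present. It encodes the article's expectation that the header appears on normal pages and the HTTP 500 block page but not on the HTTP 503 page, and additionally validates the header's `max-age` directive. The sample responses are constructed, not captured from a real FortiWeb.

```python
"""Added example (not from the Fortinet KB article): check which HTTP
responses from a FortiWeb-protected site carry a valid
Strict-Transport-Security (HSTS) header. The raw responses below are
constructed samples, not captures from a real FortiWeb."""
import re
from typing import Dict, Optional, Tuple

# Per the article, FortiWeb v7.0.1+ sends HSTS on normal pages and on the
# HTTP 500 attack block page, but not on the HTTP 503 Server Unavailable page.
HSTS_EXPECTED_STATUSES = {200, 500}
HEADER = "strict-transport-security"


def parse_response_head(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS field value (RFC 6797: 'max-age=N; includeSubDomains')."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def hsts_verdict(status: int, headers: Dict[str, str]) -> str:
    """Classify one response: 'ok', 'missing', 'not-expected' or 'invalid:<why>'."""
    value = headers.get(HEADER)
    if value is None:
        return "missing" if status in HSTS_EXPECTED_STATUSES else "not-expected"
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None:
        return "invalid:no-max-age"          # max-age is the only required directive
    if not re.fullmatch(r"\d+", max_age):
        return "invalid:max-age-not-integer"
    if int(max_age) == 0:
        return "invalid:max-age-zero"        # max-age=0 tells browsers to forget the policy
    return "ok"


def check_responses(raw_responses: Dict[str, str]) -> Dict[str, str]:
    """Run the verdict over a name -> raw response head mapping."""
    return {name: hsts_verdict(*parse_response_head(raw))
            for name, raw in raw_responses.items()}


# Constructed sample response heads (not real captures).
SAMPLES = {
    "normal_page": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n",
    "block_page_v701": "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n"
                       "strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n",
    "block_page_legacy": "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n",
    "server_unavailable": "HTTP/1.1 503 Service Unavailable\r\nContent-Type: text/html\r\n\r\n",
    "weak_policy": "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n",
}

if __name__ == "__main__":
    for name, verdict in check_responses(SAMPLES).items():
        print(f"{name:20s} {verdict}")
```

In practice the raw heads would come from `curl -sk -D - -o /dev/null https://<server-policy-hostname>/...` for one normal page request and one request that triggers the blocking page; a legacy firmware build shows up as `missing` on the 500 response, and the 503 page is reported as `not-expected` rather than as a failure, matching step 3.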


Related document:

Configuring an HTTP server policy