shafiq23
Staff & Editor
Article Id 395015
Description This article describes the behavior where FortiWeb does not insert the HSTS (Strict-Transport-Security) header into an HTTP 302 response when the redirect action of a URL rewriting rule is applied in a Web Protection Profile.
Scope FortiWeb, FortiWeb-VM.
Solution

Symptom:

  1. The user visits http://example.com and is redirected to https://example.com with HTTP 301. This redirect comes from the HTTP-to-HTTPS redirection option enabled in the server policy configuration.
  2. The user is redirected from https://example.com to https://example.com/someappname with HTTP 302:
  • No Strict-Transport-Security header is returned with this response.
  • The HTTP Location redirection is configured in a URL rewriting rule.
  3. The user loads https://example.com/someappname and receives HTTP 200 (the Strict-Transport-Security header is present only on this response).

[Screenshot: HSTS-not-insert_in_HTTP302_-_FWB_7.4.8.png]

HSTS header insertion on responses with the HTTP 302 return code is not supported by FortiWeb v7.6.0 and earlier releases, so the first HTTPS response the client sees in this chain carries no Strict-Transport-Security header.
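To confirm the symptom from the client side, walk the redirect chain hop by hop (without letting the HTTP library follow redirects for you) and check every HTTPS response, including the 302, for a Strict-Transport-Security header. The script below is an added example written for this article; it is not FortiWeb code. The hostnames and URLs are the example.com placeholders from the symptom description, the `SYMPTOM_CHAIN` and `FIXED_CHAIN` hop lists are constructed to mirror the three responses listed above, and the `hsts-audit/1.0` User-Agent string is an arbitrary choice.

```python
"""Walk an HTTP redirect chain and flag HTTPS responses without HSTS."""
import http.client
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


@dataclass
class Hop:
    """One response in the chain; header names are stored lower-cased."""
    url: str
    status: int
    headers: Dict[str, str]

    @property
    def is_https(self) -> bool:
        return urlsplit(self.url).scheme == "https"

    @property
    def location(self) -> Optional[str]:
        # Location may be relative (e.g. "/someappname"); resolve it against this hop's URL.
        loc = self.headers.get("location")
        return urljoin(self.url, loc) if loc else None


def fetch_hop(url: str, timeout: float = 10.0) -> Hop:
    """Fetch a single URL with http.client so the redirect is NOT followed automatically."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("GET", path, headers={"Host": parts.netloc, "User-Agent": "hsts-audit/1.0"})
        resp = conn.getresponse()
        headers = {name.lower(): value for name, value in resp.getheaders()}
        resp.read()  # drain the body so the connection can be closed cleanly
        return Hop(url, resp.status, headers)
    finally:
        conn.close()


def fetch_chain(url: str, max_hops: int = 10) -> List[Hop]:
    """Follow Location headers manually, recording every intermediate response."""
    hops: List[Hop] = []
    while url and len(hops) < max_hops:
        hop = fetch_hop(url)
        hops.append(hop)
        if hop.status not in REDIRECT_CODES:
            break
        url = hop.location
    return hops


def audit_chain(hops: List[Hop]) -> List[str]:
    """Return one finding per HTTPS hop (redirect or final) that lacks a usable HSTS header."""
    findings: List[str] = []
    for hop in hops:
        if not hop.is_https:
            # RFC 6797 section 8.1: clients must ignore HSTS received over plain HTTP,
            # so the initial 301 from http:// is not expected to carry the header.
            continue
        hsts = hop.headers.get("strict-transport-security")
        if hsts is None:
            findings.append(f"HTTP {hop.status} from {hop.url}: no Strict-Transport-Security header")
        elif "max-age=" not in hsts.replace(" ", "").lower():
            findings.append(f"HTTP {hop.status} from {hop.url}: HSTS present but without max-age ({hsts!r})")
    return findings


# Constructed hops mirroring the symptom on v7.6.0 and earlier: HSTS only on the final 200.
SYMPTOM_CHAIN = [
    Hop("http://example.com/", 301, {"location": "https://example.com/"}),
    Hop("https://example.com/", 302, {"location": "/someappname"}),  # URL rewriting redirect, no HSTS
    Hop("https://example.com/someappname", 200,
        {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]

# Constructed hops mirroring the fixed behaviour: the 302 now carries HSTS as well.
FIXED_CHAIN = [
    Hop("http://example.com/", 301, {"location": "https://example.com/"}),
    Hop("https://example.com/", 302,
        {"location": "/someappname", "strict-transport-security": "max-age=31536000; includeSubDomains"}),
    Hop("https://example.com/someappname", 200,
        {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]


if __name__ == "__main__":
    # Pass a real URL to audit a live chain; with no argument, audit the constructed symptom chain.
    chain = fetch_chain(sys.argv[1]) if len(sys.argv) > 1 else SYMPTOM_CHAIN
    for hop in chain:
        print(f"{hop.status} {hop.url} HSTS={hop.headers.get('strict-transport-security')!r}")
    for finding in audit_chain(chain):
        print("FINDING:", finding)
```

Run it as `python hsts_audit.py https://example.com/` against the affected policy and the 302 hop is reported; after the upgrade the same run returns no findings. Note that a scanner which only inspects the first HTTPS response (the 302 here) will report HSTS as missing for the whole site even though the final 200 carries it, which is usually how this behaviour is first noticed.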

 

Fix:
Upgrade to FortiWeb v7.6.1 or a later release, where the HSTS header is also inserted into HTTP 302 responses generated by URL rewriting redirects.

 

FortiWeb v7.6.3:

[Screenshot: HSTS-insert_in_HTTP302_-_FWB_7.6.3.png]

After the upgrade, the Strict-Transport-Security header is returned together with the HTTP 302 redirection. For the URL rewriting configuration itself, see the FortiWeb Administration Guide, Rewriting & redirecting, Example: HTTP-to-HTTPS redirect.
