Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Fortigate vulnerability

I run pci dss security scan, and my fortigate 600c, with 5.2.11 fimware, and found vulnerability:

HTTP Security Header Not Detected HTTP Security Header Not Detected

RESULT: X-XSS-Protection HTTP Header missing on port 443. GET / HTTP/1.0

THREAT: This QID reports the absence of the following HTTP headers according to CWE-693: Protection Mechanism Failure: X-Frame-Options: This HTTP response header improves the protection of web applications against clickjacking attacks. Clickjacking, also known as a "UI redress attack", allows an attacker to use multiple transparent or opaque layers to trick a targeted user into clicking on a button or link on another page when they were intending to click on the the top level page. X-XSS-Protection: This HTTP header enables the browser built-in Cross-Site Scripting (XSS) filter to prevent cross-site scripting attacks. X-XSSProtection: 0; disables this functionality. X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is nosniff. If your server returns X-Content-Type-Options: nosniff in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype. Content-Security-Policy: This HTTP header helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS), packet sniffing attacks and data injection attacks. Public-Key-Pins: The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. Strict-Transport-Security: The HTTP Strict-Transport-Security response header (HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.


How to fix it ?



Esteemed Contributor III

Correct and those X headers are not mandatory from a vulnerability scan. You can take 10 scanners and come up with 10 different scan results on what the "vulnerability" is. A SSLVPN is just that a VPN not a webserver


Ken Felix




New Contributor II

hello there,

I also concern this issue.

how to disable web portal mode?

so outside can't our vpn web portal



New Contributor II

BWiebe wrote:

The folks with _FTNT are from Fortinet.


darwin_FTNT likely wants to check the status internally on the issue.

Sorry for snapping. I don't see why I responded like that. Must have been a bad day. No excuse though.

Jerry Paul White

Network Engineer/Tech Supervisor

" 01001000 01100001 01110110 01100101 00100000 01100001 00100000 01000111 01101111 01101111 01100100 00100000 01000100 01100001 01111001"


I listed as a false positive and provided the documentation for the 3rd party SSL cert. But also make sure to remove TLS 1.0 from the accepted protocols on the VPN.

The commands to do that are:

config vpn ssl settings set tlsv1-1 disable end

That disables TLSv1 from the SSL VPN. Also make sure of the following:

config vpn ssl settings set sslv3 disable set tlsv1-0 disable set tlsv1-1 disable end


If you upgrade:


In 6.2 you can add

Config vpn ssl settings Set x-content-type-options enable end



a 6.0 reference