FortiWeb
jcastellanos
Staff
Article Id 309668
Description This article describes how to verify that the server information in the HTTP header is hidden by the FortiWeb signatures.
Scope FortiWeb v7.4.x
Solution

The user does not want the server information to be visible to the end client. This information can be visible in the HTTP response sent to the end client.

 


To hide the server information, the signature needs to be enabled and the information disclosure category set to the action 'erase' in the signature profile corresponding to the server policy.

 


An attack log will be visible when the signature matches.

 


It is possible to validate the result with a scanning tool, or with the web browser's developer tools, by looking at the HTTP response header. The result should show that the server field is hidden (xxxx).
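
The same header check can be scripted so it is repeatable after every profile change. The following Python is an added example, not part of the original article or of any Fortinet tooling; the two sample responses are constructed, and treating a value made only of 'x' characters as erased is an assumption based on the "xxxx" mentioned above.

```python
import re

# Constructed sample responses (not captured from a real FortiWeb or back end).
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          "Server: ExampleHTTPd/1.0 (Unix)\r\n"
          "Content-Type: text/html\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
         "server: xxxxxxxxxxxxxxxxxxxxxxx\r\n"
         "Content-Type: text/html\r\n\r\n")

# Assumption: a value made only of 'x' characters (the article's "xxxx")
# is what an erased Server value looks like on the wire.
MASKED = re.compile(r"[xX]+")

def server_values(raw_head):
    """Return every Server header value found in a raw HTTP response head."""
    values = []
    for line in raw_head.split("\r\n")[1:]:   # skip the status line
        if line == "":                        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        # Header names are case-insensitive, so compare in lower case.
        if sep and name.strip().lower() == "server":
            values.append(value.strip())
    return values

def classify(raw_head):
    """Return 'absent', 'hidden' or 'exposed' for the Server header.

    A single readable value is enough for 'exposed', which also covers
    responses that carry the header more than once.
    """
    values = server_values(raw_head)
    if not values:
        return "absent"
    if all(v == "" or MASKED.fullmatch(v) for v in values):
        return "hidden"
    return "exposed"

if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        print(label, server_values(head), classify(head))
```

The response head passed to `classify` can be pasted from the browser developer tools or from the scanning tool output, once for a request that bypasses the policy and once through it.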

 
