Fortinet 367 FortiWeb 5.0 Patch 6 Administration Guide
Rewriting & redirecting
Rewriting or redirecting HTTP requests and responses is popular, and can be done for many
reasons.
Similar to error message cloaking, URL rewriting can prevent the disclosure of underlying
technology or web site structures to HTTP clients.
For example, when visiting a blog web page, its URL might be:
http://www.example.com/wordpress/?feed=rss2
Simply knowing the file name, that the blog uses PHP, its compatible database types, and the
names of parameters via the URL could help an attacker to craft an appropriate attack for that
platform. By rewriting the URL to something more human-readable and less platform-specific,
the details can be hidden:
http://www.example.com/rss2
Aside from security, rewriting and redirects can also be done for aesthetic or business reasons.
Financial institutions can transparently redirect customers that accidentally request HTTP:
http://bank.example.com/login
to authenticate and do transactions on their secured HTTPS site:
https://bank.example.com/login
Additional uses could include:
• During maintenance windows, requests can be redirected to a read-only server.
• International customers can use global URLs, with no need to configure the back-end web
servers to respond to additional HTTP virtual host names.
• Shorter URLs with easy-to-remember phrases and formatting are easier for customers to
understand, remember, and return to.
Much more than their name implies, “URL rewriting rules” can do all of those things, and more:
• redirect HTTP requests to HTTPS
• rewrite the URL line in the header of an HTTP request
• rewrite the Host: field in the header of an HTTP request
• rewrite the Referer: field in the header of an HTTP request
• redirect requests to another web site
• send a 403 Forbidden response to matching HTTP requests
• rewrite the HTTP Location line in the header of a matching redirect response from the web
server
• rewrite the body of an HTTP response from the web server
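As an added illustration (not FortiWeb code, and not the product's configuration syntax), the following Python models the rule actions listed above over this page's own example URLs: an HTTP-to-HTTPS redirect for bank.example.com, a 403 for the platform-specific path, rewriting the public /rss2 URL line to the back-end path, and rewriting the Location line and body of the web server's responses so the hidden path does not leak back out. The request and response dictionaries and the rule table are constructed for the example.

```python
from typing import Callable, Optional

Request = dict   # keys: scheme, host, url (the request-line path and query), headers
Response = dict  # keys: status, headers, body

# Ordered rule table: (condition, action). Rules are checked in order against the
# request as it currently stands, so a rule that rewrites the URL line affects what
# later rules see. An action mutates the request in place and returns None (forward
# it to the web server) or returns a Response that is sent to the client instead.
REQUEST_RULES = []

def rule(cond: Callable[[Request], bool]):
    def register(action: Callable[[Request], Optional[Response]]):
        REQUEST_RULES.append((cond, action))
        return action
    return register

@rule(lambda r: r["scheme"] == "http" and r["host"] == "bank.example.com")
def redirect_to_https(r: Request) -> Response:
    # Plain-HTTP requests for the bank are redirected to the same path on HTTPS.
    return {"status": 301, "headers": {"Location": f"https://{r['host']}{r['url']}"}, "body": b""}

@rule(lambda r: r["host"] == "www.example.com" and r["url"].startswith("/wordpress/"))
def forbid_backend_path(r: Request) -> Response:
    # Direct requests for the platform-specific path get 403 Forbidden. This rule must
    # come before the rewrite below, or the rewritten /rss2 request would be blocked too.
    return {"status": 403, "headers": {}, "body": b"Forbidden"}

@rule(lambda r: r["host"] == "www.example.com" and r["url"] == "/rss2")
def rewrite_feed_url(r: Request) -> None:
    # Public URL /rss2 becomes the back-end URL; the client never sees the real path.
    r["url"] = "/wordpress/?feed=rss2"

def process_request(r: Request) -> Optional[Response]:
    for cond, action in REQUEST_RULES:
        if cond(r):
            resp = action(r)
            if resp is not None:
                return resp
    return None  # forward the (possibly rewritten) request

def rewrite_response(resp: Response) -> Response:
    # Without this step the back end would leak the hidden path in its own redirects and
    # links: rewrite the Location line and the body back to the public URL.
    loc = resp["headers"].get("Location")
    if loc is not None:
        resp["headers"]["Location"] = loc.replace("/wordpress/?feed=rss2", "/rss2")
    resp["body"] = resp["body"].replace(b"/wordpress/?feed=rss2", b"/rss2")
    return resp
```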
Rewrites work on single requests as well as on requests that have been fragmented using:
Transfer-Encoding: chunked
Rewrites/redirects are not supported in all modes. See “Supported features in each operation
mode” on page 62.
FortiWeb cannot rewrite requests that exceed FortiWeb’s buffer size. To block requests that
cannot be rewritten, configure Malformed Request.