Fortinet 373 FortiWeb 5.0 Patch 6 Administration Guide
9. If you selected HTTP Referer from Object, also configure the following:

   Setting name: If no Referer field in HTTP header
   Description: Select either:
      Do not meet this condition
      Meet this condition
   Requests can lack a Referer: field for several reasons, such as when the user manually types the URL (so the request does not result from a hyperlink on another web site), or when the URL resulted from an HTTPS connection. (See the RFC 2616 section on the Referer: field.) In those cases, the field cannot be tested for a matching value.
   This option appears only if Object is HTTP Referer.

10. Click OK.
11. Repeat the previous two steps until you have defined all matching HTTP requests or responses that should be rewritten as defined in this rule.
12. Group the URL rewrite rule in a URL rewriting policy (see “Grouping rewriting & redirection rules” on page 385).
13. If you are rewriting a response from the web server and that response is compressed, configure a decompression rule so that FortiWeb can rewrite it. See “Configuring decompression to enable scanning & rewriting” on page 460.

See also
Grouping rewriting & redirection rules
Example: HTTP-to-HTTPS redirect
Example: Full host name/URL translation
Example: Sanitizing poisoned HTML
Example: Rewriting URLs using regular expressions
Example: Rewriting URLs using variables
Regular expression syntax
What are back-references?
Cookbook regular expressions

Example: HTTP-to-HTTPS redirect
Example.com is a business-oriented social media provider. Its clients require that attackers cannot fraudulently post comments: if an attacker could post while disguised as originating from a client’s business, the attacker could ruin that business’s reputation.
To provide clients with protection from HTTP session hijacking tools such as Firesheep, Example.com wants to automatically redirect all HTTP requests to HTTPS. This way, before the client attempts to log in and exposes both their credentials and HTTP session ID to an eavesdropper, the response and subsequent requests are SSL/TLS-encrypted, and thereby protected.
To do this, example.com will apply a rewriting rule that matches all HTTP requests, regardless of host name variations or URL, such as:
http://www.example.com/login
http://www.example.co.jp/
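As an added illustration (not from the guide, and not FortiWeb’s own redirect logic), this Python emulates the effect of such a rule on a few constructed requests: whatever host or path arrives in plaintext, the reply is a redirect to the same resource over HTTPS, so no login page is ever served unencrypted. The served-host allowlist is an assumption added here, so that an arbitrary Host header is never echoed into the Location header.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: the domains example.com serves over this listener.
SERVED_SUFFIXES = (".example.com", ".example.co.jp")

# Constructed sample requests, as a plaintext (port 80) listener would see them.
SAMPLE_REQUESTS = [
    ("GET /login HTTP/1.1", {"Host": "www.example.com"}),
    ("GET / HTTP/1.1", {"Host": "www.example.co.jp:80"}),
    ("POST /comments?id=7 HTTP/1.1", {"Host": "Example.COM"}),
    ("GET http://www.example.com/login HTTP/1.1", {"Host": "www.example.com"}),
    ("GET /login HTTP/1.1", {"Host": "evil.test"}),
]


def _is_served(host: str) -> bool:
    """True for the bare domains and any subdomain of the allowlisted suffixes."""
    bare = {s.lstrip(".") for s in SERVED_SUFFIXES}
    return host in bare or host.endswith(SERVED_SUFFIXES)


def https_redirect(request_line: str, headers: dict) -> dict:
    """Emulate one rule: every plaintext HTTP request, whatever its host or URL,
    is answered with a redirect to the same resource over HTTPS. Returns the
    status and response headers; nothing from the site is served over HTTP."""
    method, target, _version = request_line.split(" ", 2)
    if target.lower().startswith("http://"):
        # Absolute-form target (proxy style): the host is in the target itself.
        parts = urlsplit(target)
        authority, path, query = parts.netloc, parts.path or "/", parts.query
    else:
        authority = headers.get("Host", "")
        path, _, query = target.partition("?")
    # urlsplit lower-cases the host and separates an explicit :80 port.
    host = urlsplit("//" + authority).hostname or ""
    if not _is_served(host):
        # Refuse rather than build a Location from an attacker-chosen Host
        # header, which would turn the rule into an open redirect.
        return {"status": 400, "headers": {}}
    location = urlunsplit(("https", host, path, query, ""))
    # 301 for GET; 308 so that a POST is replayed over HTTPS with method and body intact.
    status = 301 if method == "GET" else 308
    return {"status": status, "headers": {"Location": location}}


def redirect_all(requests=SAMPLE_REQUESTS):
    """Apply the rule to every sample request and collect the responses."""
    return [https_redirect(line, hdrs) for line, hdrs in requests]
```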