Fortinet 422 FortiWeb 5.0 Patch 6 Administration Guide
Figure 45: An HTML form with two inputs: Account ID's type attribute is text; Password's type attribute is password
For example, one web page might have an HTML form with multiple inputs:
• a user name
• a password
• a preference for whether or not to remember the login
Within the input rule for that web page, you could define separate rules for each parameter in
the request: one rule for the user name parameter, one rule for the password parameter, and
one rule for the preference parameter. The password rule could be used to enforce password
complexity by requiring that it match a Level 2 Password data type.
Unlike hidden field rules, input rules are for visible inputs only, such as buttons and text areas.
For information on constraining hidden inputs, see “Preventing tampering with hidden inputs”
on page 430.
Each input rule contains one or more individual rules. Collectively, individual rules define all
parameter restrictions that apply to requests matching that combination of URL and host name.
If an HTTP/HTTPS request contains repeated parameters, FortiWeb will enforce the input rules
for all instances of the parameter — not just the first time it occurs in the request.
To configure an input rule
1. Before you configure an input rule, if you want to apply it only to HTTP requests for a specific
real or virtual host, you must first define the web host in a protected hosts group (see
Enforcement cannot occur if the parameter is bigger than the memory size you have configured
for FortiWeb’s scan buffers. To configure the buffer size, see http-cachesize in the FortiWeb
CLI Reference. If your web applications do not require requests larger than the buffer, enable
Malformed Request to harden your configuration.
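As an added illustration (this is not FortiWeb code), the following Python model shows the behaviour the two passages above describe: an input rule matched on host name and URL, one individual rule per parameter tied to a named data type, enforcement on every instance of a repeated parameter rather than only the first, and the scan-buffer limit under which a value too large to inspect is either passed uninspected or, with Malformed Request enabled, rejected. The regular expressions standing in for the "Level 2 Password", "Alphanumeric" and "Boolean" data types, the 4096-byte buffer standing in for http-cachesize, the host, URL and parameter names, and the sample requests are all constructed assumptions, not FortiWeb's real definitions.

```python
"""Toy model of FortiWeb-style input rules.

Added illustration, not Fortinet code.  The data-type regexes, the buffer
size and the sample requests are assumptions made for this example.
"""
import re
from urllib.parse import parse_qsl

# Assumed data-type definitions; FortiWeb ships its own predefined types.
DATA_TYPES = {
    # at least 8 characters with lower, upper, digit and symbol (assumed)
    "Level 2 Password": re.compile(
        r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{8,}$"),
    "Alphanumeric": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    "Boolean": re.compile(r"^(?:on|off|true|false|0|1)$", re.I),
}

# Stand-in for the scan buffer set with http-cachesize (value assumed).
SCAN_BUFFER_BYTES = 4096


class InputRule:
    """One input rule: a host/URL match plus individual per-parameter rules."""

    def __init__(self, host, url, params, malformed_request=False):
        self.host = host
        self.url = url
        self.params = params                  # {parameter name: data type name}
        self.malformed_request = malformed_request

    def matches(self, request):
        return request["host"] == self.host and request["path"] == self.url


def enforce(rule, request):
    """Return ('allow' | 'block', [(name, position, reason), ...]).

    Every instance of a repeated parameter is checked, not only the first.
    A value larger than the scan buffer cannot be inspected: it is blocked
    only when Malformed Request is enabled, otherwise it passes uninspected.
    """
    if not rule.matches(request):
        return "allow", []

    violations = []
    pairs = parse_qsl(request["body"], keep_blank_values=True)
    for position, (name, value) in enumerate(pairs):
        dtype = rule.params.get(name)
        if dtype is None:
            continue                           # no individual rule for it
        if len(value.encode()) > SCAN_BUFFER_BYTES:
            if rule.malformed_request:
                violations.append((name, position, "exceeds scan buffer"))
            continue                           # cannot enforce beyond buffer
        if not DATA_TYPES[dtype].fullmatch(value):
            violations.append((name, position, f"does not match {dtype}"))

    return ("block" if violations else "allow"), violations


# Constructed rule for the login form of the worked example (names assumed).
LOGIN_RULE = InputRule(
    host="www.example.com", url="/login",
    params={"username": "Alphanumeric",
            "password": "Level 2 Password",
            "remember": "Boolean"})
HARDENED_RULE = InputRule(LOGIN_RULE.host, LOGIN_RULE.url, LOGIN_RULE.params,
                          malformed_request=True)

# Constructed sample requests (bodies are application/x-www-form-urlencoded).
GOOD = {"host": "www.example.com", "path": "/login",
        "body": "username=alice&password=Tr0ub4dor%26x&remember=on"}
REPEATED = {"host": "www.example.com", "path": "/login",
            "body": "username=alice&password=Tr0ub4dor%26x&password=weak&remember=on"}
OVERSIZED = {"host": "www.example.com", "path": "/login",
             "body": "username=alice&password=" + "A" * 5000 + "&remember=on"}


if __name__ == "__main__":
    for label, req in (("good", GOOD), ("repeated", REPEATED), ("oversized", OVERSIZED)):
        print(label, enforce(LOGIN_RULE, req))
    print("oversized, Malformed Request on", enforce(HARDENED_RULE, OVERSIZED))
```

The second `password` instance in REPEATED is the one that fails, which is the point of the repeated-parameter rule: an attacker cannot satisfy the check with a compliant first value and smuggle a different second one. The oversized case shows why the buffer note matters: without Malformed Request the 5000-byte password is simply not inspected and the request is allowed.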