Fortinet 436 FortiWeb 5.0 Patch 6 Administration Guide
14.Click Create New.
A dialog appears.
15.In Name, type a unique name that can be referenced by other parts of the configuration. Do
not use spaces or special characters. The maximum length is 35 characters.
16.Click OK.
17.Click Create New to include a rule in the set.
18.From the Hidden Fields Rule drop-down list, select the name of an existing hidden field rule
that you want to add to the set.
19.Click OK.
20.Repeat the previous steps for each individual rule that you want to add to the hidden fields
policy.
21.To apply a hidden field policy:
• select it in an inline protection profile (see “Configuring a protection profile for inline
topologies” on page 468) and
•enable Session Management
See also
•Connecting to FortiGuard services
•How often does Fortinet provide FortiGuard updates for FortiWeb?
Specifying allowed HTTP methodsYou can configure policies that allow only specific HTTP request methods. This can be useful
for preventing attacks, such as those exploiting the HTTP method TRACE.
Some popular web applications such as Subversion, CalDAV, and WebDAV require custom or
less common HTTP methods. While developing web applications, the HTTP method TRACE
may be useful, but in production environments, it may disclose sensitive information to
attackers. Many web applications only require GET and POST. Disabling all unused methods
reduces the potential attack surface area for attackers. If you are unsure what HTTP methods
are required by your web applications, you can use auto-learning to discover them. See
“Auto-learning” on page 151.
Generally, TRACE should only be used during debugging, and should be disabled otherwise.