Fortinet 445 FortiWeb 5.0 Patch 6 Administration Guide
Header Line Length
Type the maximum acceptable size in bytes of each line in the HTTP
header.
Attack log messages contain Header Line Too Large when this
feature detects an attempted header line length buffer overflow.
Number of Header Lines In Request
Type the maximum acceptable number of lines in the HTTP header.
Attack log messages contain Too Many Headers when this
feature detects a header line count buffer overflow attempt.
Total URL and Body Parameters Length
Type the total maximum acceptable size in bytes of all
parameters in the URL and/or, for HTTP POST requests, the HTTP
body.
Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are
not included.
Attack log messages contain Total URL and Body
Parameters Length Exceeded when this feature detects a total
parameter size buffer overflow attempt.
Total URL Parameters Length
Type the total maximum acceptable length in bytes of all
parameters, including their names and values, in the URL.
Parameters usually appear after a ?, such as:
/url?parameter1=value1&parameter2=value2
It does not include parameters in the HTTP body, which can occur
with HTTP POST requests. For those, configure Total URL and Body
Parameters Length or Body Length instead.
Attack log messages contain Total URL Parameters Length
Exceeded when this feature detects a URL parameter line length
buffer overflow attempt.
Number of URL Parameters
Type the maximum number of parameters in the URL. The
maximum number is 104.
It does not include parameters in the HTTP body, which can occur
with HTTP POST requests.
Attack log messages contain Too Many Parameters in
Request when this feature detects a URL parameter count buffer
overflow attempt.
Number of Cookies In Request
Type the maximum acceptable number of cookies in an HTTP
request.
Attack log messages contain Too Many Cookies in Request
when this feature detects a cookie count buffer overflow attempt.
Number of ranges in Range Header
Type the maximum acceptable number of Range: lines in each
HTTP header. The default value is 5.
Attack log messages contain Too Many Range Headers when
this feature detects too many Range: header lines.
Tip: Some versions of Apache are vulnerable to a denial of service
(DoS) attack on this header, where a malicious client floods the
server with many Range: headers. The default value is appropriate
for un-patched versions of Apache 2.0 and Apache 2.1.
Setting name Description
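The following is an added example, not FortiWeb code or part of the original guide: a small checker that applies the URL-parameter, header, cookie and Range constraints from the table to a raw request and returns the attack log messages it would trigger. The function name, the limit keys and every limit value except the Range default (5) and the URL-parameter maximum (104) are assumptions, as is excluding separator characters from the URL parameter length.

```python
# Added illustration; not FortiWeb code. Only the Range default (5) and the
# URL-parameter ceiling (104) come from the guide; other limits are constructed.
LIMITS = {"header_line_len": 1024, "header_lines": 32, "url_param_len": 64,
          "url_params": 104, "cookies": 16, "range_headers": 5}

def check_request(raw: bytes, limits=LIMITS) -> list:
    """Return the attack log messages this request would trigger."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, *lines = head.split(b"\r\n")
    hits = []
    if any(len(line) > limits["header_line_len"] for line in lines):
        hits.append("Header Line Too Large")
    if len(lines) > limits["header_lines"]:
        hits.append("Too Many Headers")

    # URL parameters only: whatever follows '?' in the request target.
    parts = request_line.split(b" ")
    target = parts[1] if len(parts) > 1 else b""
    params = [p for p in target.partition(b"?")[2].split(b"&") if p]
    # Names and values are counted; separator characters are not (assumption).
    size = sum(len(n) + len(v) for n, _, v in (p.partition(b"=") for p in params))
    if size > limits["url_param_len"]:
        hits.append("Total URL Parameters Length Exceeded")
    if len(params) > limits["url_params"]:
        hits.append("Too Many Parameters in Request")

    cookies = ranges = 0
    for line in lines:
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"cookie":
            cookies += sum(1 for c in value.split(b";") if c.strip())
        elif name == b"range":
            ranges += 1  # the guide text counts Range: header lines
    if cookies > limits["cookies"]:
        hits.append("Too Many Cookies in Request")
    if ranges > limits["range_headers"]:
        hits.append("Too Many Range Headers")
    return hits

# Constructed sample requests.
NORMAL = (b"GET /url?parameter1=value1&parameter2=value2 HTTP/1.1\r\n"
          b"Host: www.example.com\r\nCookie: a=1; b=2\r\n\r\n")
OVERSIZED = (b"GET /url?" + b"&".join(b"p%d=v" % i for i in range(105)) +
             b" HTTP/1.1\r\nHost: www.example.com\r\n" +
             b"Range: bytes=0-1\r\n" * 6 + b"\r\n")
```

Running check_request over captured or replayed traffic with candidate limits shows which log messages legitimate requests would raise before the same values are enforced.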