HTTP/HTTPS protocol constraints

Protocol constraints govern features such as the HTTP header fields in the protocol itself, as well as the length of the HTML, XML, or other documents or encapsulated protocols carried in the HTTP body payload.

Use protocol constraints to prevent attacks such as buffer overflows. Buffer overflows can occur in web servers and applications that do not restrict elements of the HTTP protocol to acceptable lengths, or that mishandle malformed requests. Such errors can lead to security vulnerabilities.

Default HTTP protocol constraint values reflect the buffer size of your FortiWeb model’s HTTP parser. Use protocol constraints to block requests that are too large for the memory size of FortiWeb’s scan buffers. Failure to block items that are too large to be buffered could compromise your network’s security, and allow requests without scanning or rewriting. See Buffer hardening.

For example, if your web applications require HTTP POST requests with unusually large parameters, you would adjust the HTTP body buffer size (see http-cachesize in the FortiWeb CLI Reference). Then, you would configure Malformed Request and other HTTP protocol constraints to harden your configuration.

This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.

To configure an HTTP protocol constraint

1. If you plan to add constraint exceptions to your HTTP protocol constraints, configure the exceptions first. See Configuring HTTP protocol constraint exceptions. If you want to use a trigger when the rule is violated, configure it also. See Viewing log messages.

2. Go to Web Protection > Protocol > HTTP Protocol Constraints.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

3. Click Create New.

Settings for the following HTTP protocol constraints are displayed. To display a brief description of a rule, click its name:

Setting name		Description
Content Length
	Content Length	Specifies the maximum acceptable length in bytes of the request body. Length is determined by comparing this limit with the value of the `Content-Length:` field in the HTTP header. Attack log messages contain `Content Length Exceeded` when this feature detects a content length buffer overflow attempt. Tip: RPC requests’ content length often do not match their own `Content-Length:` header. Attackers may also intentionally craft mismatching `Content-Length:` headers in an attempt to cloak buffer overflows. For those cases, use other limits instead or in addition, such as Body Length and Limiting file uploads.
	Illegal Content Length	Enable to check whether the `Content-Length:` header includes numeric characters only.
HTTP Header
	Header Length	Specifies the maximum acceptable size in bytes of all HTTP header lines. Attack log messages contain `Total Size of All Headers Too Large` when this feature detects a header size buffer overflow attempt.
	Header Name Length	Specifies the maximum acceptable size in bytes of a single HTTP header name (for example, `Host:`, `Content-Type:`, `User-Agent:`). The default is 50 bytes.
	Header Value Length	Specifies the maximum acceptable size in bytes of a single HTTP header value. The default is 4096 bytes.
	Illegal Character in Header Name	Enable to check whether the HTTP header name contains illegal characters.
	Illegal Character in Header Value	Enable to check whether the HTTP header value contains illegal characters.
	Redundant HTTP Headers	Enable to check whether a HTTP request contains multiple instances of `Content-Length` (only for HTTP/1.x), `Content-Type`(for both HTTP/1.x and HTTP/2) and `Host` (for both HTTP/1.x and HTTP/2) herder fields. These header fields are required to appear only once in a request by the RFC.Redundant HTTP headers are most probably involved in possible attacks.
HTTP Parameter
	Total URL Parameters Length	Specifies the total maximum acceptable length in bytes of all parameters, including their names and values, in the URL. Parameters usually appear after a `?`, such as: `/url?`parameter1=value1&parameter2=value2 The count does not include: Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included. Parameters in the HTTP body, which can occur with HTTP `POST` requests. For these parameters, configure Total Body Parameters Length or Body Length instead. Attack log messages contain `Total URL Parameters Length Exceeded` when this feature detects a URL parameter line length buffer overflow attempt.
	Total Body Parameters Length	Specifies the total maximum acceptable size in bytes of all the parameters in the HTTP body of HTTP `POST` requests. Question mark ( ? ), ampersand ( & ), and equal ( = ) characters are not included. Attack log messages contain `Total Body Parameters Length Exceeded` when this feature detects a total parameter size buffer overflow attempt.
	Number of URL Parameters	Specifies the maximum number of parameters in the URL. The maximum number is 1024. It does not include parameters in the HTTP body, which can occur with HTTP `POST` requests. Attack log messages contain `Too Many Parameters in Request` when this feature detects a URL parameter count buffer overflow attempt. The default is 128.
	NULL Character in Parameter Name	Enable to check for null characters in parameter names.
	NULL Character in Parameter Value	Enable to check for null characters in parameter values.
	Maximum URL Parameter Name Length	Specifies the maximum acceptable length in bytes of each URL parameter　name in a request. Enable to check whether a parameter name exceeds the limitation (the default is 4096). For example, `user` in the request `GET /index.php?user=test&sid=1234` is an illegal parameter name if you set the limitation as 3.
	Maximum URL Parameter Value Length	Specifies the maximum acceptable length in bytes of each URL parameter　value in a request. Enable to check whether a parameter value exceeds the limitation (the default is 4096). For example, `1234` in the request `GET /index.php?user=test&sid=1234` is an illegal parameter value if you set the limitation as 3.
	Illegal Character in Parameter Name	Enable to check whether a URL parameter name contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.
	Illegal Character in Parameter Value	Enable to check whether a URL parameter value contains the characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters.
HTTP Request
	Illegal HTTP Request Method	Enable to check for invalid HTTP request methods according to RFC 2616 or RFC 4918 . Any method not defined in these RFCs — including misspellings like `GETT` as well as other HTTP extension methods (e.g. CalDAV) like `MKCALENDAR` — are considered invalid. Attack log messages contain `Illegal HTTP Method` when this feature detects an invalid HTTP request method.
	HTTP Request Filename Length	Specifies the maximum acceptable length in bytes of the HTTP request filename.
	HTTP Request Length	Specifies the maximum acceptable length in bytes of the entire HTTP request, including both headers and body. Attack log messages contain `HTTP Request Length Exceeded` when this feature detects an excessively large HTTP request.
	Number of Header Lines in Request	Specifies the maximum acceptable number of lines in the HTTP header. Attack log messages contain `Too Many Headers` when this feature detects a header line count buffer overflow attempt.
	Missing Content Type	Enable to check whether the `Content-Type:` header is available.
	Null Character in URL	Enable to check whether the URL (or path for HTTP/2) in a request contains null characters (such as `\0` or `%00`). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the `/index.php` in `GET http://www.server.com/index.php?name=value HTTP 1.1`. Attackers might be embed NULL characters in URL to evade detections.
	Illegal Character in URL	Enable to check whether the URL (or path for HTTP/2) in a request contains characters that are not allowed by the RFC. These illegal characters are usually non-printable ASCII characters or other special characters (such as ASCII 0 - 31 and ASCII 127). This feature checks the part between the host prefix and parameters in the URL (if they exist), for example, the `/index.php` in `GET http://www.server.com/index.php?name=value HTTP 1.1`.
	Malformed URL	Enable to check whether the URL (or path for HTTP/2) in a request conform the spec by beginning with a slash ("/") character or a slash character follows the protocol prefix and host prefix in the URL (e.g. http://myserver.com/default.asp). If the slash characters are missing, it is typically a malicious access to other protocols (e.g. SMTP) using the back-end web servers.
HTTP2 Frame
	Header Compression Table Size	Specifies the maximum acceptable size in bytes of the header compression table used to decode header blocks. Enable to check whether value of parameter `SETTINGS_HEADER_TABLE_SIZE` in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly. The default is 65535. This field applies to HTTP/2 only.
	Number of Concurrent Streams	Specifies the maximum acceptable number of concurrent streams that the sender will allow the receiver to create. Enable to check whether value of parameter `SETTINGS_MAX_CONCURRENT_STREAMS` in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly. The default is 1000.
	Initial Window Size	Specifies the maximum acceptable sender's initial window size in bytes for stream-level flow control. Enable to check whether value of parameter `SETTINGS_INITIAL_WINDOW_SIZE` in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly. Default is 6291456.
	Frame Size	Specifies the maximum acceptable size in bytes of the frame payload that the sender is willing to receive. Enable to check whether value of parameter `SETTINGS_MAX_FRAME_SIZE` in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly. Default is 16384.
	Header List Size	Specifies the maximum acceptable size in bytes of the header list that the sender is prepared to accept. Enable to check whether value of parameter `SETTINGS_MAX_HEADER_LIST_SIZE` in a HTTP/2 SETTINGS frame exceeds the limitation and react correspondingly. Default is 65536.
Others
	Illegal Content Type	Enable to check whether the `Content Type:` value uses the format `<type>/<subtype>`.
	Illegal Response Code	Enable to check whether the HTTP response code is a 3-digit number.
	Illegal Host Name	Enable to check for illegal characters in the `Host:` line of the HTTP header, such as null characters or encoded characters. For example, `0x0` or `%00*` are illegal. Attack log messages contain `Illegal Host Name` when this feature detects an invalid host name.
	Illegal HTTP Version	Enable to check for invalid HTTP version numbers. Currently, the only valid version strings are `HTTP/0.9`, `HTTP/1.0` or `HTTP/1.1`. Attack log messages contain `Illegal HTTP Version` when this feature detects an invalid HTTP version number.
	Body Length	Specifies the maximum acceptable size in bytes of the HTTP body. For requests that use the HTTP `POST` method, this typically includes parameters submitted by HTML form inputs. In the case of file uploads, this can normally be many megabytes. For most simple forms, however, the body should be only a few kilobytes in size at maximum. Attack log messages contain `Body Length Exceeded` when this feature detects a body size buffer overflow attempt.
	Number of Cookies In Request	Specifies the maximum acceptable number of cookies in an HTTP request. Attack log messages contain `Too Many Cookies in Request` when this feature detects a cookie count buffer overflow attempt.
	Number of Ranges in Range Header	Specifies the maximum acceptable number of `Range:` lines in each HTTP header. The default value is 5. Attack log messages contain `Too Many Range Headers` when this feature detects too many `Range:` header lines. Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many `Range:` headers. The default value is appropriate for un-patched versions of Apache 2.0 and Apache 2.1.
	Malformed Request	Enable to inspect the request for: syntax errors exceeding the maximum buffer size allowed by FortiWeb’s HTTP parser Errors and buffer overflows can cause problems in web servers that do not handle them gracefully. Such problems can lead to security vulnerabilities. Attack log messages contain `Too Many Parameters` or `Too Many Flash Parameters` or another message that indicates the specific cause when this feature detects a request with parser errors or a FortiWeb buffer overflow attempt. Caution: Fortinet strongly recommends to enable this option unless large requests/parameters are required by the web application. If part of a request is too large for its scan buffer, FortiWeb cannot scan it for attacks. It also cannot perform rewrites. Unless you configure it to block, FortiWeb allows oversized requests to pass through without scanning or rewriting. This could allow padded attacks to pass through, and rewriting to be skipped. If feasible, instead of disabling this option: Enlarge the scan buffer for each parameter (see `http-cachesize` in the FortiWeb CLI Reference). Requests larger than the buffer will be flagged as potentially malformed by FortiWeb’s parser, causing FortiWeb to block normal requests (i.e. false positives). For more buffer specifications, see Buffer hardening. Disable this setting only for URLs that require oversized parameters (see Configuring HTTP protocol constraint exceptions)
	WebSocket Protocol	Enable to detect traffic that uses the WebSocket TCP-based protocol. Because FortiWeb acts as a pure socket proxy for WebSocket traffic, it cannot apply security features to it.
	Illegal Connection Preface	Enable to check whether a client connection preface start with the string `PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n`.
	Illegal Frame Type	Enable to check whether a HTTP2 request contains frame types that are not defined in RFC7540. Any undefined frame type will be treated as illegality.
	Illegal Frame Flags	Enable to check whether a HTTP2 request contains frame flags that are not defined in RFC7540. Any undefined frame flag will be treated as illegality.
	Illegal Chunk Size	Enable to check whether the value of Chunk Size field is a hexadecimal value. A violation will be detected if the value is presented in other numeral systems.

4. Configure these settings:

Setting name	Description
Name	Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.
Exception Name	Select the HTTP constraints exception, if any, that you want to apply to this policy (see Configuring HTTP protocol constraint exceptions). If you want to view or change the exception configuration, click Detail.
Status	Specify whether the rule applies when you apply this constraint to a profile.
Length	For rules that specify maximums, enter a maximum value.
Action	Select the action the FortiWeb appliance takes when it detects a violation of the rule: Alert — Accept the connection and generate an alert email and/or log message. Alert & Deny — Block the request (reset the connection) and generate an alert and/or log message. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages). Period Block — Block subsequent requests from the client for a number of seconds. Also configure Block Period. You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages). Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see Defining your proxies, clients, & X-headers). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type. The default value is Alert. Caution: This setting is ignored when Monitor Mode is enabled. Note: Logging and/or alert email occur only if you enable and configure it. See Logging and Alert email. Note: To use this rule set with auto-learning, select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption causes incomplete session information for auto-learning.
Block Period	Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule. This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 60. See also Monitoring currently blocked IPs.
Severity	When rule violations are recorded in the attack log, each log message contains a Severity Level (`severity_level`) field. Select which severity level to use when FortiWeb logs a violation of the rule: Low Medium High
Trigger Action	Select which trigger, if any, to use when FortiWeb logs and/or sends an alert email about a violation of the rule. See Viewing log messages.
HTTP Protocol Support	HTTP/1.X Only indicates the constraint is effective against HTTP/1.x traffic only. HTTP/2 Only indicates the constraint is effective against HTTP/2 traffic only. This field will be blank if the constraint is effective against both HTTP/1.x and HTTP/2 traffic.

5. Click OK.

6. To apply the HTTP protocol constraint profile, select it in an inline or offline protection profile (see Configuring a protection profile for inline topologies or Configuring a protection profile for an out-of-band topology or asynchronous mode of operation).

Configuring HTTP protocol constraint exceptions

You can configure exceptions for use with HTTP protocol constraints.

Exceptions define HTTP constraints that will not be subject to HTTP protocol constraint. Exceptions are useful when you know that some HTTP protocol constraints, during normal use, will cause false positives by matching an attack signature.

For example, if no exceptions are defined, FortiWeb executes the HTTP protocol constraint as defined in HTTP/HTTPS protocol constraints. But, if you mark the check box for Header Length in a HTTP protocol constraint exception for a specific host, FortiWeb will skip the HTTP header length check when executing the web protection profile for that host.

As another example, some web applications require very large HTTP POST requests. You can use Malformed Request to create an exception from the constraint for those requests.

To configure an HTTP constraint exception

1. Go to Web Protection > Protocol > HTTP Constraints Exception.

2. Click Create New.

A dialog appears.

3. In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 63 characters.

4. Click OK.

5. Click Create New to add an entry to the set.

A dialog appears.

6. Configure these settings:

Setting name		Description
Host Status		Enable to apply this HTTP constraint exception only to HTTP requests for specific web hosts. Also configure Host. Disable to apply the exceptions to all web hosts.
Host		Select the IP address or fully qualified domain name (FQDN) of the protected host to which this exception applies. This setting is available only if Host Status is enabled.
Source IP		Enable to check requests for matching the HTTP constraint exceptions rule by their source IP addresses.
IPv4/IPv6/IP Range		Specify the source IP of the protected requests to which this exception applies. Only a single IPv4 or IPv6 address, or a IPv4/IPv6 range is acceptable. This setting is available only if Host Status is enabled.
Request Type		Select whether the URL Pattern field will contain a literal URL (Simple String), or a regular expression designed to match multiple URLs (Regular Expression).
URL Pattern		Depending on your selection in the Request Type field, enter either: the literal URL, such as `/index.php`, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ). a regular expression, such as `^/.php`, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ); however, it must at match URLs that begin with a slash, such as `/index.cfm`. Do not include the domain name, such as `www.example.com`, which is configured separately in the Host* drop-down list. To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression (see Regular expression syntax).
Content Length
	Content Length	Enable to omit the constraint on the maximum acceptable size in bytes of the request body.
	Illegal Content Length	Enable to omit the constraint on whether the `Content-Length:` header includes numeric characters only.
HTTP Header
	Header Length	Enable to omit the constraint on the maximum acceptable size in bytes of the HTTP header.
	Header Name Length	Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header name.
	Header Value Length	Enable to omit the constraint on the maximum acceptable size in bytes of a single HTTP header value.
	Illegal Character in Header Name	Enable to omit the constraint on whether the HTTP header name contains illegal characters.
	Illegal Character in Header Value	Enable to omit the constraint on whether the HTTP header value contains illegal characters.
	Redundant HTTP Headers	Enable to omit the constraint on the redundant instances of `Content-Length`, `Content-Type` and `Host` herder fields.
HTTP Parameter
	Total URL Parameter Length	Enable to omit the constraint on the maximum acceptable size of an URL parameter (including the name and value).
	Total Body Parameters Length	Enable to omit the constraint on the maximum acceptable size in bytes of all parameters in the HTTP body of HTTP `POST` requests.
	Number of URL Parameters	Enable to omit the constraint on the maximum number of parameters in the URL.
	NULL Character in Parameter Name	Enable to omit the constraint on null characters in parameter names.
	NULL Character in Parameter Value	Enable to omit the constraint on null characters in parameter values.
	Maximum URL Parameter Name Length	Enable to omit the constraint on the maximum acceptable length in bytes of the parameter name.
	Maximum URL Parameter Value Length	Enable to omit the constraint on the maximum acceptable length in bytes of the parameter value.
	Illegal Character in Parameter Name	Enable to omit the constraint on illegal characters in the parameter name.
	Illegal Character in Parameter Value	Enable to omit the constraint on illegal characters in the parameter value.
HTTP Request
	Illegal HTTP Request Method	Enable to omit the constraint on to check for invalid HTTP version numbers.
	HTTP Request Filename Length	Enable to omit the constraint on the maximum acceptable length in bytes of the HTTP request filename.
	HTTP Request Length	Enable to omit the constraint on the maximum acceptable length in bytes of the HTTP request.
	Number of Header Lines In Request	Enable to omit the constraint on the maximum acceptable number of lines in the HTTP header.
	Post Request -- Missing Content Type	Enable to omit the constraint on whether the `Content-Type:` header is available.
Others
	Illegal Content Type	Enable to omit the constraint on whether the Content Type: value uses the format <type>/<subtype>.
	Illegal Response Code	Enable to omit the constraint on whether the HTTP response code is a 3-digit number.
	Illegal Host Name	Enable to omit the constraint on invalid characters in the `Host:` line of the HTTP header, such as null characters or encoded characters.
	Body Length	Enable to omit the constraint on the maximum acceptable size in bytes of the HTTP body.
	Number of Cookies In Request	Enable to omit the constraint on the maximum acceptable number of cookies in an HTTP request.
	Number of Ranges in Range Header	Enable to omit the constraint on the maximum acceptable number of `Range:` lines in an HTTP header. Tip: Some versions of Apache are vulnerable to a denial of service (DoS) attack on this header, where a malicious client floods the server with many `Range:` headers. If your web servers do not run Apache and are not vulnerable to this attack, mark this check box to omit it from the scan and improve performance.
	Malformed Request	Enable to omit the constraint on syntax and FortiWeb parsing errors. Caution: Some web applications require abnormal or very large HTTP `POST` requests. Since allowing such errors and excesses is generally bad practice and can lead to vulnerabilities, use this option to omit the malformed request scan only if absolutely necessary.

7. Click OK.

8. Repeat the previous steps for each rule you want to add to the exception.

9. Group the HTTP protocol constraint exception in an HTTP protocol constraint profile (see HTTP/HTTPS protocol constraints).