Example Co. web hosting needs to enforce reasonably secure passwords on web applications that do not provide this feature themselves. Since end users already authenticate with the web applications, Example Co. does not need to configure FortiWeb with user accounts to apply authentication — in other words, authentication offloading is not required. Instead, they simply need to enforce the security policy in the authentication transactions that already exist between the clients and web servers.

To do this, Example Co. would configure and apply an input rule (see “Validating parameters (“input rules”)”). This rule either could use a predefined data type to require password complexity (Level 2 Password — see “Predefined data types”), or could use a custom-defined data type to allow or require additional special characters for additional strength (see “Defining custom data types”).