💪 Fortify

The Skinny

Fortify gives you full control over the HTTP headers of in-flight requests on a configurable route-by-route basis. You can also add arbitrary JavaScript to any response.

When a Configuration's Route URL does not match the incoming request:

graph LR; A[Browser] --> |request| B{Fortify} style B fill:#5EE5FB,stroke:#333,stroke-width:3px B --> |response| A B --> DD(GET yoursite.com) style DD fill:#FFF,stroke:#333,stroke-width:1px DD --> B

When a Configuration's Route URL does match the incoming request:

graph LR; A[Browser] --> |request| B{Fortify} B --> |response| A B --> C[Modify Request Headers] style B fill:#5EE5FB,stroke:#333,stroke-width:3px style C fill:#CAFB87,stroke:#333,stroke-width:3px C --> D(GET yoursite.com) style D fill:#FFF,stroke:#333,stroke-width:1px D --> E[Modify Response Headers and Code] style E fill:#FAC37E,stroke:#333,stroke-width:3px E --> B

How to Install

Powered by Cloudflare

Fortify is powered by Cloudflare. If you're already using Cloudflare, click here to install Fortify.


Cloudflare offers DDoS protection, a global CDN, SSL certificates, and a lot more cool stuff for free. You should probably use it.

Getting Started

After installation, activate Fortify by clicking the link in the email we sent you.

Learn more about Fortify and troubleshooting in the following sections:

Have a Twitter account? Extend your free trial!

Visit fortify.networkchimp.com/extend for more details.

Upgrade to Unlimited

Looking for the unlimited plan? You can find it here.


You can get the gist of how Fortify works from the installation page, but we'll dig into the full configuration details below below.

Advanced Options

The following Advanced Options are available:

Disable Fortify

Enable this to temporarily disable Fortify on all requests without uninstalling it.

Route Options

The following Route Options are available:

Route URL

Any headers or scripts configured on this route will be attached to matching requests. A Route URL can be any URL on your domain and may include subdomains and wildcards.

It is important that a full URL is specified here. Fortify won't like it if you supply a path like /store here. It requires a URL like yoursite.com/store to work right. Here's some more examples in an informative table.

Route URL Result
/sad/path ERROR!
blog.yoursite.com/hi matches /hi path of blog.yoursite.com
blog.yoursite.com/* matches all of blog.yoursite.com
*.yoursite.com matches root of any subdomain on yoursite.com
*.yoursite.com/* matches all paths of every subdomain on yoursite.com
*yoursite.com* matches all requests on yoursite.com


Fortify ignores HTTP protocols when matching routes.

http://www.yoursite.com and https://www.yoursite.com will both match www.yoursite.com

Wildcard configurations match subroute requests and can be extended by subroute configurations.

For example, say we have two route configurations:

Route URL Response Headers
*yoursite.com* global-header: hello-everything
*yoursite.com/blog/* blog-header: hello-blog
*yoursite.com/blog route-header: hello-route

Requests to www.yoursite.com/blog will only be tagged with global-header and route-header.

Requests to www.yoursite.com/blog/post-1 will be tagged with global-header, blog-header, and route-header.

In another case, say we have the following two route configurations:

For example, say we have two route configurations:

Route URL Injected Body Scripts
*yoursite.com* <script>console.log('parent')</script>
*yoursite.com/blog <script>console.log('child')</script>

Visitors to www.yoursite.com/blog will see both parent and child in the console.

Configuration Notes

Write a note to yourself to remind yourself what your header configuration is doing! You'll be glad you did.


You'll probably forget what your configuration does by the next time you revisit Fortify.

Enforce HTTPS

Forcibly upgrade all insecure GET requests to HTTPS and forbid insecure non-GET requests with a 403 status code on this route. If multiple routes match a page, Enforce HTTPS on the child page takes precedent.

Request Headers

Enumerate any request headers here. Each header should be well-formed and new-line separated. In other words, make sure your header name has valid syntax and hit enter after each header you type. Here's what request headers might look like in your Fortify configuration.

hey-server: its-client
Some-Other-Header: im bald lol
athirdheader: you get the point

Response Headers

Same story as above but these headers are tagged onto the response from the origin and sent back to the client.

Deleted Request Headers

Enumerate any request headers that should be deleted. Each header should be well-formed and new-line separated.

Deleted Response Headers

Same story as above but with response headers.

Injected Head Scripts

Inject any well-formed Javascript wrapped with <script></script> tags into the <head> of the DOM. Injected scripts must be wrapped in well-formed script tags. Multiple scripts can be included. For example,

  console.log('greetings from the head')

<script src="https://yoursite.com/your/script.js"></script>

Injected Body Scripts

Same as above but scripts will be injected into the page's <body>.

Managed Headers

Enjoy powerful header management options geared toward maximizing security and performance.

The following Managed Headers are available on each route configuration:


A server can set Fingerprint Headers to identify itself like X-Powered-By: PHP 5.4.37 or Server: LiteSpeed. This information facilitates exploitation of known vulnerabilities in the server architecture. You should probably remove these unless you have a specfic reason not to. The following headers are modified by this configuration:

X-Powered-By, Server, X-AspNet-Version

Configuration options:

Remove Headers

Enable this to remove the above fingerprint headers from your response headers.

Set Headers

Set this to assign the above fingerprint headers to the value of your choice to confuse attackers.


Set Headers will override Remove Headers if both are set.

DNS prefetching

Prefetch DNS requests to reduce page load times. Learn more on MDN.

Site embeddability

Indicate whether a browser should be allowed to render your page in an iframe, frame, embed, or object. If your site doesn't need to be embeddable, enabling this can help prevent clickjacking attacks. Learn more on MDN. Fortify does not support the ALLOW-FROM directive because its not compatible with Chrome or Safari.

Site embeddability options
Option Description
Disable Prevent your page from being embedded on any site
Your Site Only Prevent your page from being embeddable except on your own site

Browser caching

Attempt to evict your site resources from the requesting browser's cache. This is useful if you want to force users to downloaded updated versions of your site resources. Learn more on MDN.

Enabling this sets the following headers to disable caching:

Cache-Control, Pragma, Expires, Surrogate-Control

MIME type sniffing

Direct browsers not to infer MIME types on script and other tags that can lead to security vulnerabilities Learn more on MSDN.

XSS protection

Cross-side scripting accounts for a majority of security vulnerabilities on the web. XSS Protection headers are an important part of your mitigation strategy. Learn more on MDN.

XSS protection options
Option Description
Enable Sets xss protection header in most browsers
Report URI Location to send xss violation reports (can be pathname or full url)


Fortify automatically disables this header on older versions of Internet Explorer that are prone to attack

HTTP Strict Transport Security

Force browsers to make secure HTTPS connections when they visit a specified website to prevent cookie highjacking and protocol downgrade attacks. Learn more on MDN.

Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. -Patrick Nohe

XSS protection options
Option Description
Max Age Duration in seconds that browsers should enforce HTTPS on your domain
Exclude subdomains Only enforce HSTS on your root domain but not subdomains
Preload your domain Tell browsers to preload your site as HTTPS-only (enrollment required). Enroll at hstspreload.org.


There's nothing here yet.