Fortify gives you full control over the HTTP headers of in-flight requests on a configurable route-by-route basis.
When a Configuration's Route URL does not match the incoming request:
When a Configuration's Route URL does match the incoming request:
In other words, Fortify adds any headers you want to incoming requests on matching routes.
You can install it for free and unlock additional features with the Pro plan.
Check out this tutorial to see it in action.
How to Install
Powered by Cloudflare
Cloudflare offers DDoS protection, a global CDN, SSL certificates, and a lot more cool stuff for free. You should probably use it.
You can get the gist of how Fortify works from the Cheatsheet on the installation page, but we'll dig into the full configuration details below below.
The following Advanced Options are available:
Enable this to temporarily disable Fortify on all requests without uninstalling it.
[Pro or higher] Forcibly upgrade all insecure
GET requests to HTTPS and forbid insecure non-
GET requests with a
403 status code.
The following Header Options are available on the Free and Pro plans:
OPTIONAL Configuration Notes
Write a note to yourself to remind yourself what your header configuration is doing! You'll be glad you did.
You'll probably forget what your configuration does by the next time you revisit Fortify.
OPTIONAL Request Headers
Enumerate any request headers here. Each header should be well-formed and new-line separated. In other words, make sure your header name has valid syntax and hit
enter after each header you type. Here's what request headers might look like in your Quick configuration.
hey-server: its-client Some-Other-Header: im bald lol athirdheader: you get the point
OPTIONAL Response Headers
Same story as above but these headers are tagged onto the response from the origin and sent back to the client.
In addition to the above options, the Pro plan unlocks route-based routing with wildcard matching.
This Route Option is available on the Pro plan:
REQUIRED Route URL
Any headers set on this route will be attached to matching requests. This can be any URL on your domain and can include subdomains and wildcards. It is important that a full URL is specified here. Fortify won't like it if you supply a path like
/store here. It requires a URL like
yoursite.com/store to work right. Here's some more examples in an informative table.
| ||matches /hi path of blog.yoursite.com|
| ||matches all of blog.yoursite.com|
| ||matches root of any subdomain on yoursite.com|
| ||matches all paths of every subdomain on yoursite.com|
| ||matches all requests on yoursite.com|
Fortify ignores HTTP protocols when matching routes.
http://www.yoursite.com and https://www.yoursite.com will both match www.yoursite.com
Wildcard configurations match subroute requests and can be extended by subroute configurations.
For example, say we have two route configurations:
|Route URL||Response Headers|
Requests to www.yoursite.com/blog will only be tagged with global-header and route-header.
Requests to www.yoursite.com/blog/post-1 will be tagged with global-header, blog-header, and route-header.
COMING SOON Managed Headers
In addition to the above options, the Secure plan unlocks powerful header management options geared toward maximizing security and performance.
The following Managed Headers are available on each route configuration on the Secure plan:
- Fingerprinting RECOMMENDED
- DNS prefetching
- Site embeddability RECOMMENDED
- Browser caching
- MIME type sniffing
- XSS protection RECOMMENDED
- HTTP Strict Transport Security RECOMMENDED
A server can set Fingerprint Headers to identify itself like
X-Powered-By: PHP 5.4.37 or
Server: LiteSpeed. This information facilitates exploitation of known vulnerabilities in the server architecture. You should probably remove these unless you have a specfic reason not to. The following headers are modified by this configuration:
X-Powered-By, Server, X-AspNet-Version
Enable this to remove the above fingerprint headers from your response headers.
Set this to assign the above fingerprint headers to the value of your choice to confuse attackers.
Set Headers will override
Remove Headers if both are set.
OPTIONAL DNS prefetching
Prefetch DNS requests to reduce page load times. Learn more on MDN.
OPTIONAL Site embeddability
Indicate whether a browser should be allowed to render your page in an
object. If your site doesn't need to be embeddable, enabling this can help prevent clickjacking attacks. Learn more on MDN. Fortify does not support the
ALLOW-FROM directive because its not compatible with Chrome or Safari.
|Site embeddability options|
|Disable||Prevent your page from being embedded on any site|
|Your Site Only||Prevent your page from being embeddable except on your own site|
OPTIONAL Browser caching
Attempt to evict your site resources from the requesting browser's cache. This is useful if you want to force users to downloaded updated versions of your site resources. Learn more on MDN.
Enabling this sets the following headers to disable caching:
Cache-Control, Pragma, Expires, Surrogate-Control
OPTIONAL MIME type sniffing
Direct browsers not to infer MIME types on
script and other tags that can lead to security vulnerabilities Learn more on MSDN.
OPTIONAL XSS protection
Cross-side scripting accounts for a majority of security vulnerabilities on the web. XSS Protection headers are an important part of your mitigation strategy. Learn more on MDN.
|XSS protection options|
|Enable||Sets xss protection header in most browsers|
|Report URI||Location to send xss violation reports (can be pathname or full url)|
Fortify automatically disables this header on older versions of Internet Explorer that are prone to attack
OPTIONAL HTTP Strict Transport Security
Force browsers to make secure HTTPS connections when they visit a specified website to prevent cookie highjacking and protocol downgrade attacks. Learn more on MDN.
Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. -Patrick Nohe
|XSS protection options|
|Max Age||Duration in seconds that browsers should enforce HTTPS on your domain|
|Exclude subdomains||Only enforce HSTS on your root domain but not subdomains|
|Preload your domain||Tell browsers to preload your site as HTTPS-only (enrollment required). Enroll at hstspreload.org.|