💪 Fortify

The Skinny

Fortify gives you full control over the HTTP headers of in-flight requests and responses, configurable route by route.

When a Configuration's Route URL does not match the incoming request:

```mermaid
graph LR
  A[Browser] --> |request| B{Fortify}
  B --> |response| A
  B --> DD(GET yoursite.com)
  DD --> B
  style B fill:#5EE5FB,stroke:#333,stroke-width:3px
  style DD fill:#FFF,stroke:#333,stroke-width:1px
```

When a Configuration's Route URL does match the incoming request:

```mermaid
graph LR
  A[Browser] --> |request| B{Fortify}
  B --> |response| A
  B --> C[Add Request Headers]
  C --> D(GET yoursite.com)
  D --> E[Add Response Headers]
  E --> B
  style B fill:#5EE5FB,stroke:#333,stroke-width:3px
  style C fill:#CAFB87,stroke:#333,stroke-width:3px
  style D fill:#FFF,stroke:#333,stroke-width:1px
  style E fill:#FAC37E,stroke:#333,stroke-width:3px
```

In other words, on a matching route Fortify adds the request headers you configure before the request reaches your origin and the response headers you configure before the response reaches the browser. On non-matching routes it passes traffic through untouched.

You can install it for free and unlock additional features with the Pro plan.

Tutorial

Check out this tutorial to see it in action.

How to Install

Powered by Cloudflare

Fortify is powered by Cloudflare. If you're already using Cloudflare, click here to install Fortify.

Cloudflare offers DDoS protection, a global CDN, SSL certificates, and a lot more cool stuff for free. You should probably use it.

Configuration

You can get the gist of how Fortify works from the Cheatsheet on the installation page, but we'll dig into the full configuration details below.

Advanced Options

The following Advanced Options are available:

Disable Fortify

Enable this to temporarily disable Fortify on all requests without uninstalling it.

Enforce HTTPS

[Pro or higher] Upgrade all insecure (plain HTTP) GET requests to HTTPS and refuse insecure non-GET requests with a 403 status code. Non-GET requests are refused rather than redirected on purpose: a POST sent over plain HTTP has already exposed its body on the wire, and a 403 makes that mistake visible instead of quietly accepting the resent data.
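To make the request/response flow from the diagrams above and the Enforce HTTPS rule concrete, here is an added example. It is not Fortify's code: the configuration shape, the function names and the stand-in origin are this example's own. The pipeline is written as plain synchronous functions over web-standard Headers objects so it can be exercised without a Cloudflare Workers runtime.

```javascript
// Added example, not Fortify's source: the pipeline from the diagrams above as
// plain functions. Config field names and helper names are this example's own.

// Hypothetical configuration for one route (Fortify's real schema is not shown on this page).
const exampleConfig = {
  disabled: false,                                  // "Disable Fortify" switch
  enforceHttps: true,                               // Pro "Enforce HTTPS" option
  requestHeaders: { "hey-server": "its-client" },   // added before the origin sees the request
  responseHeaders: { "x-fortified": "yes" },        // added before the browser sees the response
};

// Enforce HTTPS: an insecure GET is upgraded with a redirect to the https URL;
// any other insecure method is refused with 403 rather than redirected, because
// its body has already crossed the network in cleartext and a redirect would
// only hide that mistake. Returns null when the request may proceed.
function enforceHttps(method, rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol === "https:") return null;
  if (method === "GET") {
    url.protocol = "https:";
    return { status: 301, headers: new Headers({ location: url.toString() }), body: "" };
  }
  return { status: 403, headers: new Headers(), body: "insecure non-GET request refused" };
}

// Copy a Headers object and set (overwriting) each configured header on the copy.
function addHeaders(headers, toAdd) {
  const out = new Headers(headers);
  for (const [name, value] of Object.entries(toAdd)) out.set(name, value);
  return out;
}

// One pass through Fortify for a request that matched this route.
// `origin` stands in for the fetch to yoursite.com and is injected so the
// pipeline can be tested offline. Requests and responses are plain objects:
// { method, url, headers: Headers, body }.
function handle(request, config, origin) {
  if (config.disabled) return origin(request);            // pass-through, as if uninstalled
  if (config.enforceHttps) {
    const refusal = enforceHttps(request.method, request.url);
    if (refusal) return refusal;                          // never reaches the origin
  }
  const upstream = { ...request, headers: addHeaders(request.headers, config.requestHeaders) };
  const response = origin(upstream);
  return { ...response, headers: addHeaders(response.headers, config.responseHeaders) };
}

// Constructed stand-in for the origin: it echoes back the request header Fortify
// added so the result can be inspected.
function fakeOrigin(request) {
  return {
    status: 200,
    headers: new Headers({
      "content-type": "text/html",
      "x-origin-saw-hey-server": request.headers.get("hey-server") ?? "missing",
    }),
    body: "<p>hello</p>",
  };
}
```

Call handle with a request object such as { method: "GET", url: "http://yoursite.com/store", headers: new Headers(), body: "" } and the example config: the plain-HTTP GET comes back as a 301 to https://yoursite.com/store, a plain-HTTP POST as a 403, and an HTTPS GET reaches fakeOrigin with hey-server set and returns with x-fortified added. With disabled: true the request is handed to the origin unchanged.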

Header Options

The following Header Options are available on the Free and Pro plans:

Configuration Notes
OPTIONAL

Write a note to remind yourself what your header configuration is doing! You'll be glad you did.

PROTIP

You'll probably forget what your configuration does by the next time you revisit Fortify.

Request Headers
OPTIONAL

Enumerate any request headers here, one per line and each well-formed. In other words, make sure each header is a valid Name: value pair and hit Enter after each header you type. Here's what request headers might look like in your Quick configuration.

hey-server: its-client
Some-Other-Header: im bald lol
athirdheader: you get the point

These headers are only ever seen by your origin. Remember that a client can send a header of any name too, so a header added here is not proof that a request passed through Fortify unless your origin only accepts traffic from Cloudflare.

Response Headers
OPTIONAL

Same story as above, but these headers are added to the response from the origin before it is sent back to the client.

Route Options

In addition to the above options, the Pro plan unlocks per-route configuration with wildcard matching.

This Route Option is available on the Pro plan:

Route URL
REQUIRED

Any headers set on this route will be attached to matching requests. This can be any URL on your domain and can include subdomains and wildcards (*). A full URL with a host must be specified here: Fortify won't accept a bare path like /store; it needs yoursite.com/store to work right. Here are some more examples:

| Route URL | Result |
| --- | --- |
| /sad/path | ERROR! |
| blog.yoursite.com/hi | matches the /hi path of blog.yoursite.com |
| blog.yoursite.com/* | matches all of blog.yoursite.com |
| *.yoursite.com | matches the root of any subdomain of yoursite.com |
| *.yoursite.com/* | matches all paths of every subdomain of yoursite.com |
| *yoursite.com* | matches all requests on yoursite.com |

Fortify ignores the URL scheme (http vs https) when matching routes:

http://www.yoursite.com and https://www.yoursite.com will both match www.yoursite.com

A wildcard configuration also matches requests to routes beneath it, and a more specific configuration on a subroute adds its own headers on top of the wildcard configuration's headers.

For example, say we have two route configurations:

| Route URL | Response Headers |
| --- | --- |
| *yoursite.com* | global-header: hello-everything |
| *yoursite.com/blog/* | blog-header: hello-blog |
| *yoursite.com/blog | route-header: hello-route |

Requests to www.yoursite.com/blog will only be tagged with global-header and route-header.

Requests to www.yoursite.com/blog/post-1 will be tagged with global-header, blog-header, and route-header.
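The following added example (not Fortify's code) turns the Route URL table and the layering example above into a small matcher: it rejects bare paths, ignores the scheme, expands wildcards, and merges the headers of every matching route in configuration order. The normalisation rules it applies (scheme dropped, a bare root such as blog.yoursite.com/ treated as just the host, query string ignored) are this example's assumptions, chosen so the table rows come out as documented.

```javascript
// Added example, not Fortify's source: a matcher for Route URLs as the table
// above describes them, plus the layering of headers from every matching route.
// Normalisation rules (scheme dropped, bare root treated as just the host,
// query string ignored) are this example's assumptions.

// Escape regex metacharacters in a literal chunk of a route.
function escapeRegExp(chunk) {
  return chunk.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile a Route URL into an anchored, case-insensitive RegExp.
// A bare path is the ERROR row of the table: the route must include a host.
function compileRoute(routeUrl) {
  if (routeUrl.startsWith("/")) {
    throw new Error(`"${routeUrl}" is a path; supply a URL like yoursite.com${routeUrl}`);
  }
  const withoutScheme = routeUrl.replace(/^https?:\/\//i, ""); // scheme is ignored anyway
  const pattern = withoutScheme.split("*").map(escapeRegExp).join(".*");
  return new RegExp(`^${pattern}$`, "i");
}

// Reduce a request URL to "host/path" so that http:// and https:// compare equal.
// "https://blog.yoursite.com/" becomes "blog.yoursite.com", which is what lets
// "*.yoursite.com" match only the root of a subdomain.
function normaliseRequestUrl(rawUrl) {
  const url = new URL(rawUrl);
  const path = url.pathname === "/" ? "" : url.pathname;
  return `${url.host}${path}`;
}

function routeMatches(routeUrl, requestUrl) {
  return compileRoute(routeUrl).test(normaliseRequestUrl(requestUrl));
}

// Merge the response headers of every route that matches, in configuration
// order, so a later (more specific) route can add to or override an earlier one.
function headersForRequest(routes, requestUrl) {
  const merged = {};
  for (const route of routes) {
    if (routeMatches(route.url, requestUrl)) Object.assign(merged, route.responseHeaders);
  }
  return merged;
}

// The three configurations from the layering example above.
const exampleRoutes = [
  { url: "*yoursite.com*",       responseHeaders: { "global-header": "hello-everything" } },
  { url: "*yoursite.com/blog/*", responseHeaders: { "blog-header": "hello-blog" } },
  { url: "*yoursite.com/blog",   responseHeaders: { "route-header": "hello-route" } },
];
```

With plain wildcard matching, www.yoursite.com/blog collects global-header and route-header and www.yoursite.com/blog/post-1 collects global-header and blog-header. The page's statement that the route *yoursite.com/blog also tags /blog/post-1 implies that a route without a trailing wildcard also matches paths nested beneath it, which this example does not implement (doing so would make *.yoursite.com match every path of a subdomain, contradicting the table); verify that behaviour against a live configuration before relying on it.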

Managed Headers
COMING SOON

In addition to the above options, the Secure plan unlocks powerful header management options geared toward maximizing security and performance.

The following Managed Headers are available on each route configuration on the Secure plan:

Fingerprinting
OPTIONAL

A server can set fingerprint headers that identify its software, like X-Powered-By: PHP 5.4.37 or Server: LiteSpeed. This tells an attacker exactly which product and version to look up known vulnerabilities for, so you should remove these headers unless you have a specific reason not to. Hiding the version is hygiene, not a fix: the software still needs to be patched. The following headers are modified by this configuration:

X-Powered-By, Server, X-AspNet-Version

Configuration options:

Remove Headers

Enable this to remove the above fingerprint headers from your response headers.

Set Headers

Set this to assign the above fingerprint headers to the value of your choice to confuse attackers.

Set Headers will override Remove Headers if both are set.

DNS prefetching
OPTIONAL

Let browsers resolve the domain names of links on your page before the user clicks them, which shaves the DNS lookup off those follow-on navigations and reduces page load times. This is controlled by the X-DNS-Prefetch-Control header. Learn more on MDN.

Site embeddability
OPTIONAL

Indicate whether a browser should be allowed to render your page inside an iframe, frame, embed or object. If your site doesn't need to be embeddable, enabling this helps prevent clickjacking attacks. Learn more on MDN. Fortify does not support the ALLOW-FROM directive because it is not supported by Chrome or Safari (and current Firefox has dropped it too). If you must let one specific third-party site embed your pages, use the Content-Security-Policy frame-ancestors directive instead, which you can add as a custom Response Header.

Site embeddability options

| Option | Description |
| --- | --- |
| Disable | Prevent your page from being embedded on any site |
| Your Site Only | Allow your page to be embedded only by pages on your own site |

Browser caching
OPTIONAL

Tell browsers (and caches in front of your origin) not to store responses from this route, so users fetch fresh copies instead of reusing cached ones. This is useful if you want to force users to download updated versions of your site resources. Learn more on MDN. Note that these headers only act on responses that carry them: a resource a browser already holds with a long cache lifetime won't be re-requested until it expires, so this setting cannot reach into that existing cache entry.

Enabling this sets the following headers to disable caching:

Cache-Control, Pragma, Expires, Surrogate-Control

MIME type sniffing
OPTIONAL

Direct browsers not to guess (sniff) the MIME type of a response and to trust the declared Content-Type instead, by sending X-Content-Type-Options: nosniff. Without it a browser may treat a file served as text/plain or as an image as a script or stylesheet, which can turn user-uploaded content into an XSS vector. Learn more on MSDN. Make sure your origin sends a correct Content-Type on every script and stylesheet, because with nosniff in place the browser will refuse to run ones served with the wrong type.

XSS protection
OPTIONAL

Cross-site scripting (XSS) is one of the most common classes of web vulnerability. The XSS protection header (X-XSS-Protection) asks the browser's built-in filter to block a page when it detects an injected script being reflected in the response. Learn more on MDN. Treat it as a legacy, defence-in-depth setting: current Chromium-based browsers and Firefox ignore the header, so output encoding and a Content-Security-Policy remain your primary XSS mitigations.

XSS protection options

| Option | Description |
| --- | --- |
| Enable | Sets the XSS protection header for browsers that still honour it |
| Report URI | Location to send XSS violation reports (can be a pathname or a full URL) |

Fortify automatically disables this header on older versions of Internet Explorer, whose built-in filter could itself be abused to introduce vulnerabilities.

HTTP Strict Transport Security
OPTIONAL

Force browsers to use HTTPS for every connection to your site for a set period, which prevents cookie hijacking and protocol downgrade attacks. Learn more on MDN.

Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. -Patrick Nohe

HSTS options

| Option | Description |
| --- | --- |
| Max Age | Duration in seconds that browsers should enforce HTTPS on your domain (the max-age directive); one year, 31536000, is the usual choice |
| Exclude subdomains | Only enforce HSTS on the domain that served the response, not its subdomains (omits the includeSubDomains directive) |
| Preload your domain | Tell browsers to treat your site as HTTPS-only before their first visit (adds the preload directive; enrollment required). Enroll at hstspreload.org. |

Two caveats before enabling Preload. Enrollment at hstspreload.org requires a max-age of at least one year and includeSubDomains, so it cannot be combined with Exclude subdomains, and every subdomain must already be served correctly over HTTPS; getting a domain removed from the browser preload lists again takes months. Browsers also ignore this header on plain-HTTP responses, so pair it with Enforce HTTPS.
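To show how the Managed Headers above (Fingerprinting through HTTP Strict Transport Security) translate into concrete response headers, here is an added example. It is not Fortify's code: the option names, the exact header values, the Internet Explorer user-agent check and the preload pre-flight are this example's own choices, and Fortify's real output may differ.

```javascript
// Added example, not Fortify's source: the managed headers described above,
// built from an options object and applied to an origin response's headers.
// Option names, header values and the Internet Explorer check are this
// example's own choices.

const FINGERPRINT_HEADERS = ["x-powered-by", "server", "x-aspnet-version"];

// The four headers the Browser caching option sets; the values are this example's.
const NO_CACHE_HEADERS = {
  "cache-control": "no-store, no-cache, must-revalidate",
  pragma: "no-cache",
  expires: "0",
  "surrogate-control": "no-store",
};

// Returns a new Headers object: the origin's headers with the managed headers
// applied. `userAgent` is the requesting browser's User-Agent string.
function applyManagedHeaders(originHeaders, opts, userAgent = "") {
  const h = new Headers(originHeaders);

  // Fingerprinting: Set Headers wins over Remove Headers when both are enabled.
  if (opts.fingerprint?.set) {
    for (const name of FINGERPRINT_HEADERS) h.set(name, opts.fingerprint.set);
  } else if (opts.fingerprint?.remove) {
    for (const name of FINGERPRINT_HEADERS) h.delete(name);
  }

  if (opts.dnsPrefetch !== undefined) h.set("x-dns-prefetch-control", opts.dnsPrefetch ? "on" : "off");

  // Site embeddability: DENY for "Disable", SAMEORIGIN for "Your Site Only".
  if (opts.embeddability === "disable") h.set("x-frame-options", "DENY");
  else if (opts.embeddability === "your-site-only") h.set("x-frame-options", "SAMEORIGIN");

  if (opts.disableCaching) {
    for (const [name, value] of Object.entries(NO_CACHE_HEADERS)) h.set(name, value);
  }

  if (opts.noSniff) h.set("x-content-type-options", "nosniff");

  // XSS protection: "0" for old IE whose filter was itself abusable, otherwise
  // enable in blocking mode, optionally with a report URI.
  if (opts.xss?.enable) {
    const ieVersion = /MSIE\s*(\d+)/i.exec(userAgent);
    if (ieVersion && Number(ieVersion[1]) < 9) {
      h.set("x-xss-protection", "0");
    } else {
      let value = "1; mode=block";
      if (opts.xss.reportUri) value += `; report=${opts.xss.reportUri}`;
      h.set("x-xss-protection", value);
    }
  }

  // HSTS: includeSubDomains unless "Exclude subdomains" is on; preload only if asked.
  if (opts.hsts) {
    let value = `max-age=${opts.hsts.maxAge}`;
    if (!opts.hsts.excludeSubdomains) value += "; includeSubDomains";
    if (opts.hsts.preload) value += "; preload";
    h.set("strict-transport-security", value);
  }
  return h;
}

// Pre-flight the published hstspreload.org requirements that concern the header
// itself: max-age of at least one year, includeSubDomains, and the preload
// directive. (Certificate and HTTP-to-HTTPS redirect checks need the live site.)
function hstsPreloadProblems(hsts) {
  const problems = [];
  if (hsts.maxAge < 31536000) problems.push("max-age must be at least 31536000 (one year)");
  if (hsts.excludeSubdomains) problems.push("includeSubDomains is required; turn off Exclude subdomains");
  if (!hsts.preload) problems.push("the preload directive must be sent");
  return problems;
}
```

Run applyManagedHeaders over the origin's headers (for instance a constructed set with Server: LiteSpeed and X-Powered-By: PHP 5.4.37) with remove enabled and the two fingerprint headers disappear; pass both remove and set and the set value wins, as the page states. Run hstsPreloadProblems on the HSTS options before ticking Preload: an empty list means the header itself is eligible for submission.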