💪 Fortify
The Skinny
Fortify gives you full control over the HTTP headers of in-flight requests on a configurable route-by-route basis. You can also add arbitrary JavaScript to any response.
When a Configuration's Route URL does not match the incoming request:
When a Configuration's Route URL does match the incoming request:
How to Install
Powered by Cloudflare
Fortify is powered by Cloudflare. If you're already using Cloudflare, click here to install Fortify.
TIP
Cloudflare offers DDoS protection, a global CDN, SSL certificates, and a lot more cool stuff for free. You should probably use it.
Getting Started
After installation, activate Fortify by clicking the link in the email we sent you.
Learn more about Fortify and troubleshooting in the following sections:
Have a Twitter account? Extend your free trial!
Visit fortify.networkchimp.com/extend for more details.
Upgrade to Unlimited
Looking for the unlimited plan? You can find it here.
Configuration
You can get the gist of how Fortify works from the installation page, but we'll dig into the full configuration details below.
Advanced Options
The following Advanced Options are available:
Disable Fortify
Enable this to temporarily disable Fortify on all requests without uninstalling it.
Route Options
The following Route Options are available:
- Route URL
- Configuration Notes
- Enforce HTTPS
- Request Headers
- Response Headers
- Deleted Request Headers
- Deleted Response Headers
- Injected Head Scripts
- Injected Body Scripts
REQUIRED
Route URL
Any headers or scripts configured on this route will be attached to matching requests. A Route URL can be any URL on your domain and may include subdomains and wildcards.
It is important that a full URL is specified here. Fortify won't like it if you supply a path like /store here; it requires a URL like yoursite.com/store to work right. Here are some more examples in an informative table.
| Route URL | Result |
|---|---|
| /sad/path | ERROR! (a bare path is not a full URL) |
| blog.yoursite.com/hi | matches the /hi path of blog.yoursite.com |
| blog.yoursite.com/* | matches all of blog.yoursite.com |
| *.yoursite.com | matches the root of any subdomain on yoursite.com |
| *.yoursite.com/* | matches all paths of every subdomain on yoursite.com |
| *yoursite.com* | matches all requests on yoursite.com |
TIP
Fortify ignores HTTP protocols when matching routes: http://www.yoursite.com and https://www.yoursite.com will both match www.yoursite.com.
Wildcard configurations match subroute requests and can be extended by subroute configurations.
For example, say we have the following route configurations:
| Route URL | Response Headers |
|---|---|
| *yoursite.com* | global-header: hello-everything |
| *yoursite.com/blog/* | blog-header: hello-blog |
| *yoursite.com/blog | route-header: hello-route |
Requests to www.yoursite.com/blog will only be tagged with global-header and route-header.
Requests to www.yoursite.com/blog/post-1 will be tagged with global-header, blog-header, and route-header.
In another case, say we have the following two route configurations:
| Route URL | Injected Body Scripts |
|---|---|
| *yoursite.com* | <script>console.log('parent')</script> |
| *yoursite.com/blog | <script>console.log('child')</script> |
Visitors to www.yoursite.com/blog will see both parent and child in the console.
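The following is an added example (not Fortify's own code) that implements the Route URL rules as this page describes them: a route must start with a host, `*` matches anything, the request's protocol is ignored, and a route that names a path also covers requests beneath that path, so wildcard and subroute configurations layer their headers. The subroute rule and the `ROUTES` table are my reading of the two examples above, not a published Fortify algorithm.

```javascript
// Added illustration of the Route URL rules this doc describes; not Fortify's own code.
// Assumed model: '*' matches anything, the request's protocol is ignored, a route must
// start with a host, and a route that names a path also covers requests beneath it.
function routeToRegex(routeUrl) {
  if (routeUrl.startsWith('/')) {
    throw new Error(`Route URL must be a full URL, not a bare path: ${routeUrl}`);
  }
  const escaped = routeUrl.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}/?$`); // optional trailing slash so host-only routes hit '/'
}

function normalizeRequest(requestUrl) {
  // Protocol is ignored when matching: keep only host and path.
  const u = new URL(requestUrl.includes('://') ? requestUrl : `https://${requestUrl}`);
  return u.host + u.pathname;
}

function routeMatches(routeUrl, requestUrl) {
  const re = routeToRegex(routeUrl);
  const target = normalizeRequest(requestUrl);
  if (re.test(target)) return true;
  if (!routeUrl.includes('/')) return false; // host-only routes match only the root
  // Walk back to each '/' boundary: *yoursite.com/blog also covers /blog/post-1.
  for (let cut = target.lastIndexOf('/'); cut > 0; cut = target.lastIndexOf('/', cut - 1)) {
    if (re.test(target.slice(0, cut))) return true;
  }
  return false;
}

// Every matching route contributes its headers, so wildcard and subroute configs layer.
function layeredHeaders(routes, requestUrl) {
  const headers = {};
  for (const r of routes) {
    if (routeMatches(r.route, requestUrl)) Object.assign(headers, r.responseHeaders);
  }
  return headers;
}

// Constructed from the layering example in this doc.
const ROUTES = [
  { route: '*yoursite.com*', responseHeaders: { 'global-header': 'hello-everything' } },
  { route: '*yoursite.com/blog/*', responseHeaders: { 'blog-header': 'hello-blog' } },
  { route: '*yoursite.com/blog', responseHeaders: { 'route-header': 'hello-route' } },
];

console.log(layeredHeaders(ROUTES, 'https://www.yoursite.com/blog/post-1'));
```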
OPTIONAL
Configuration Notes
Write a note to yourself to remind yourself what your header configuration is doing! You'll be glad you did.
PROTIP
You'll probably forget what your configuration does by the next time you revisit Fortify.
Enforce HTTPS
Forcibly upgrade all insecure GET requests to HTTPS and forbid insecure non-GET requests with a 403 status code on this route. If multiple routes match a page, Enforce HTTPS on the child page takes precedence.
OPTIONAL
Request Headers
Enumerate any request headers here. Each header should be well-formed and newline-separated. In other words, make sure your header name has valid syntax and hit Enter after each header you type. Here's what request headers might look like in your Fortify configuration.
```
hey-server: its-client
Some-Other-Header: im bald lol
athirdheader: you get the point
```
OPTIONAL
Response Headers
Same story as above, but these headers are tagged onto the response from the origin and sent back to the client.
OPTIONAL
Deleted Request Headers
Enumerate any request headers that should be deleted. Each header should be well-formed and newline-separated.
OPTIONAL
Deleted Response Headers
Same story as above, but with response headers.
OPTIONAL
Injected Head Scripts
Inject any well-formed JavaScript wrapped in <script></script> tags into the <head> of the DOM. Injected scripts must be wrapped in well-formed script tags. Multiple scripts can be included. For example:
```html
<script>
console.log('greetings from the head')
</script>
<script src="https://yoursite.com/your/script.js"></script>
```
OPTIONAL
Injected Body Scripts
Same as above, but scripts will be injected into the page's <body>.
Managed Headers
Enjoy powerful header management options geared toward maximizing security and performance.
The following Managed Headers are available on each route configuration:
- Fingerprinting RECOMMENDED
- DNS prefetching
- Site embeddability RECOMMENDED
- Browser caching
- MIME type sniffing
- XSS protection RECOMMENDED
- HTTP Strict Transport Security RECOMMENDED
OPTIONAL
Fingerprinting
A server can set Fingerprint Headers to identify itself, like X-Powered-By: PHP 5.4.37 or Server: LiteSpeed. This information facilitates exploitation of known vulnerabilities in the server architecture. You should probably remove these unless you have a specific reason not to. The following headers are modified by this configuration:
X-Powered-By, Server, X-AspNet-Version
Configuration options:
Remove Headers
Enable this to remove the above fingerprint headers from your response headers.
Set Headers
Set this to assign the above fingerprint headers to the value of your choice to confuse attackers.
TIP
Set Headers will override Remove Headers if both are set.
OPTIONAL
DNS prefetching
Prefetch DNS requests to reduce page load times. Learn more on MDN.
OPTIONAL
Site embeddability
Indicate whether a browser should be allowed to render your page in an iframe, frame, embed, or object. If your site doesn't need to be embeddable, enabling this can help prevent clickjacking attacks. Learn more on MDN. Fortify does not support the ALLOW-FROM directive because it's not compatible with Chrome or Safari.
Site embeddability options
| Option | Description |
|---|---|
| Disable | Prevent your page from being embedded on any site |
| Your Site Only | Prevent your page from being embeddable except on your own site |
OPTIONAL
Browser caching
Attempt to evict your site resources from the requesting browser's cache. This is useful if you want to force users to download updated versions of your site resources. Learn more on MDN.
Enabling this sets the following headers to disable caching:
Cache-Control, Pragma, Expires, Surrogate-Control
OPTIONAL
MIME type sniffing
Direct browsers not to infer MIME types on script and other tags, which can lead to security vulnerabilities. Learn more on MSDN.
OPTIONAL
XSS protection
Cross-site scripting accounts for a majority of security vulnerabilities on the web. XSS Protection headers are an important part of your mitigation strategy. Learn more on MDN.
XSS protection options
| Option | Description |
|---|---|
| Enable | Sets the XSS protection header in most browsers |
| Report URI | Location to send XSS violation reports (can be a pathname or a full URL) |
TIP
Fortify automatically disables this header on older versions of Internet Explorer that are prone to attack.
OPTIONAL
HTTP Strict Transport Security
Force browsers to make secure HTTPS connections when they visit a specified website to prevent cookie hijacking and protocol downgrade attacks. Learn more on MDN.
Not having HSTS is like putting a nice big padlock on the front door of your website, but accidentally leaving a window unlocked. -Patrick Nohe
HTTP Strict Transport Security options
| Option | Description |
|---|---|
| Max Age | Duration in seconds that browsers should enforce HTTPS on your domain |
| Exclude subdomains | Only enforce HSTS on your root domain, not on subdomains |
| Preload your domain | Tell browsers to preload your site as HTTPS-only (enrollment required). Enroll at hstspreload.org. |
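As an added example (not Fortify's own code), the block below maps each Managed Headers option on this page to the standard response header it corresponds to, including the Set-overrides-Remove rule for fingerprint headers and the four cache headers listed above. Header names follow the MDN pages the page links; the option names (`fingerprint`, `embeddability`, `evictCache`, `noSniff`, `xss`, `hsts`) and the exact header values are assumptions, not Fortify's output, so use it to reason about or audit what a route's settings should produce on the wire.

```javascript
// Added illustration, not Fortify's own code: the standard response headers each Managed
// Headers option in this doc maps to. Header names follow the MDN pages the doc links;
// the exact values are assumptions about a sensible implementation, not Fortify's output.
const FINGERPRINT_HEADERS = ['X-Powered-By', 'Server', 'X-AspNet-Version'];

function buildManagedHeaders(opts) {
  const set = {};
  const remove = [];
  // Fingerprinting: per the TIP, "Set Headers" overrides "Remove Headers" when both are set.
  if (opts.fingerprint && opts.fingerprint.set !== undefined) {
    for (const h of FINGERPRINT_HEADERS) set[h] = opts.fingerprint.set;
  } else if (opts.fingerprint && opts.fingerprint.remove) {
    remove.push(...FINGERPRINT_HEADERS);
  }
  if (opts.dnsPrefetch) set['X-DNS-Prefetch-Control'] = 'on';
  // Site embeddability: no ALLOW-FROM, as the doc says it is unsupported.
  if (opts.embeddability === 'Disable') set['X-Frame-Options'] = 'DENY';
  if (opts.embeddability === 'Your Site Only') set['X-Frame-Options'] = 'SAMEORIGIN';
  if (opts.evictCache) { // Browser caching: the four headers the doc lists
    set['Cache-Control'] = 'no-store, no-cache, must-revalidate';
    set['Pragma'] = 'no-cache';
    set['Expires'] = '0';
    set['Surrogate-Control'] = 'no-store';
  }
  if (opts.noSniff) set['X-Content-Type-Options'] = 'nosniff';
  if (opts.xss && opts.xss.enable) {
    set['X-XSS-Protection'] = '1; mode=block' + (opts.xss.reportUri ? `; report=${opts.xss.reportUri}` : '');
  }
  if (opts.hsts) { // hstspreload.org requires includeSubDomains, so preload and Exclude subdomains conflict
    const parts = [`max-age=${opts.hsts.maxAge}`];
    if (!opts.hsts.excludeSubdomains) parts.push('includeSubDomains');
    if (opts.hsts.preload) parts.push('preload');
    set['Strict-Transport-Security'] = parts.join('; ');
  }
  return { set, remove };
}

// Apply the changes to an origin response's headers; names are compared case-insensitively.
function applyManagedHeaders(originHeaders, opts) {
  const { set, remove } = buildManagedHeaders(opts);
  const out = {};
  for (const [k, v] of Object.entries(originHeaders)) out[k.toLowerCase()] = v;
  for (const h of remove) delete out[h.toLowerCase()];
  for (const [k, v] of Object.entries(set)) out[k.toLowerCase()] = v;
  return out;
}
```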
FAQ
There's nothing here yet.