FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ericwang_FTNT
Article Id 193545
Description
PCI compliance reports flag an issue called 'HTTP Security Header not detected', with a sub-section on the X-Content-Type-Options HTTP header for the FortiOS web administration interface (usually on port 443).

"""
X-Content-Type-Options: This HTTP header prevents attacks based on MIME-type mismatch. The only possible value is 'nosniff' if the server returns.
X-Content-Type-Options: 'nosniff' in the response, the browser will refuse to load the styles and scripts in case they have an incorrect MIMEtype.

"""
Based on the test described in [2], MIME sniffing [1] is only possible on old versions of the Internet Explorer browser [3]; since FortiOS officially supports only current Edge, Firefox, Chrome and Safari browsers, the risk does not exist in practice.
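To verify the scanner finding against a captured response before accepting it, the check below reproduces the report's logic offline. It is an added example, not code from the Fortinet article; the HTTP responses in it are constructed samples, not captures from a FortiGate.

```python
"""Offline re-creation of the PCI scanner's X-Content-Type-Options check."""
from email.parser import Parser

HEADER = "x-content-type-options"
FINDING_MISSING = "HTTP Security Header not detected: X-Content-Type-Options"
FINDING_INVALID = "X-Content-Type-Options present but value is not 'nosniff'"

# Constructed sample responses standing in for the web UI on port 443 (not real captures).
RESPONSE_MISSING = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html>...</html>"
)
RESPONSE_NOSNIFF = RESPONSE_MISSING.replace(
    "Strict-Transport-Security",
    "X-Content-Type-Options: NOSNIFF\r\nStrict-Transport-Security", 1)
RESPONSE_BAD_VALUE = RESPONSE_MISSING.replace(
    "Strict-Transport-Security",
    "X-Content-Type-Options: none\r\nStrict-Transport-Security", 1)


def parse_response_headers(raw: str) -> dict:
    """Return {lower-cased name: value} for the header block of a raw HTTP/1.1 response."""
    head, _, _body = raw.partition("\r\n\r\n")          # drop the body
    _status_line, _, header_block = head.partition("\r\n")  # drop "HTTP/1.1 200 OK"
    msg = Parser().parsestr(header_block, headersonly=True)
    return {name.lower(): value.strip() for name, value in msg.items()}


def check_nosniff(raw: str) -> dict:
    """Mirror the scanner: the header must exist and its only valid value is 'nosniff'.

    Browsers match the value case-insensitively, so 'NOSNIFF' counts as effective.
    """
    value = parse_response_headers(raw).get(HEADER)
    effective = value is not None and value.lower() == "nosniff"
    if value is None:
        finding = FINDING_MISSING
    elif not effective:
        finding = FINDING_INVALID
    else:
        finding = None
    return {"present": value is not None, "value": value,
            "effective": effective, "finding": finding}


if __name__ == "__main__":
    for name, resp in [("missing", RESPONSE_MISSING), ("nosniff", RESPONSE_NOSNIFF),
                       ("bad value", RESPONSE_BAD_VALUE)]:
        print(name, "->", check_nosniff(resp))
```

Feed it the raw headers of an actual admin-interface response (for example the output of an HTTP HEAD request) to confirm whether the report reflects the device's current configuration.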

Scope
FortiOS web administration interface.

Solution
Avoid using Internet Explorer to access the FortiOS administration interface and always keep the browser up to date.

References

[1] https://www.keycdn.com/support/what-is-mime-sniffing

[2] http://pwndizzle.blogspot.com/2015/07/xss-extensions-and-content-types.html

[3] https://blogs.msdn.microsoft.com/ie/2010/10/26/mime-handling-changes-in-internet-explorer/
