Refer to the exhibit.

You have deployed FortiWeb behind a FortiGate that is configured as a reverse proxy and inserts the X-Forwarded-For HTTP header when forwarding HTTP and HTTPS traffic.
FortiWeb is using a custom inline protection profile, and logging is enabled, as shown in the exhibit.
You notice that FortiWeb is blocking legitimate users, and all requests in the attack logs appear to come from the FortiGate IP address, not the original client IP address.
Which action should you take to fix this issue?

You are configuring the FortiWeb client-side protection feature to defend against browser-based attacks.
Based on the layered defense strategy, drag and drop each control to the corresponding stage of defense.

Refer to the exhibit.

You are configuring SSL offloading on FortiWeb to protect a public-facing application. Clients connect using HTTPS, while FortiWeb forwards requests to the back-end server using HTTP.
You are reviewing certificate deployment and need to decide where to install the private key for the certificate used in client connections.
In this SSL offloading setup, which device is responsible for using the private key associated with the web server certificate?

You are reviewing a report from your FortiWeb logs and notice a JavaScript payload like <script>document.cookie</script> is submitted through a product review form. The page doesn’t filter the script, and when users view the review, their session cookies are exposed.
Why is this attack dangerous?