Configuring Cross-Origin Resource Sharing (CORS) protection

Cross-Origin Resource Sharing (CORS) is a browser mechanism that enables controlled access to resources located outside a given domain. The CORS standard works by adding HTTP headers that let a server describe which origins are permitted to read its responses from a web browser. It extends and adds flexibility to the same-origin policy, so that websites are not restricted to accessing resources from their own origin.

However, when enabling information sharing between sites, the significance of the CORS configuration is easily overlooked, which can introduce vulnerabilities. One such example is the Cross-Origin Request Site, an OWASP Top 10 Security Misconfiguration vulnerability.

To protect your applications against CORS vulnerabilities, use the CORS Protection feature so that only legitimate CORS requests from allowed web applications reach your application.

Configuration overview

To enable the CORS protection functionality, you need to configure the following:

    • the Allowed Origin List (required)

    • the CORS Headers List (optional; only required if Allowed Headers or Exposed Headers is enabled in the rule)

    • the CORS Protection Rule List

After you have configured your CORS Protection, you can add it to your WAF profile configuration under the Input Protection section. For more information, see Configuring a WAF Profile.

Configuring the Allowed Origin List

The Allowed Origin List specifies the origins that are allowed, as returned in the CORS HTTP response header. The header contains either * to indicate that all origins are allowed, or a specific domain to indicate that only that origin is allowed.

You can create and configure the Allowed Origin List from the Allowed Origin tab or as part of the CORS Protection Rule List.

The CORS Protection configuration requires an Allowed Origin to function correctly. If no Allowed Origin List is applied, CORS Protection does not work, because an empty list matches nothing.

To create and configure the Allowed Origin List from the Allowed Origin tab:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the Allowed Origin tab.
  3. Click Create New to display the configuration editor.
    Configure the following parameters:

    Name
      Enter a unique Allowed Origin name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
      Note: Once saved, the name of an Allowed Origin cannot be changed.

  4. Click Save.
    The newly created Allowed Origin is listed under the Allowed Origin tab.
  5. Locate the newly created Allowed Origin on the list and double-click the row or click the (Edit icon).
  6. Under Allowed Origin List, click Create New to display the configuration editor.
    Configure the following parameters:

    Protocol
      Select which protocols are allowed for connections between foreign applications and your application:

      • HTTP

      • HTTPS

      • ANY

      The default is HTTP.

    Origin Name
      Enter the foreign application's domain name or IP address. Wildcards are supported. (Range: 1-128 characters)

    Port
      Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80)

    Include Sub Domains
      Enable/disable matching the Origin Name against its subdomains as well. This is disabled by default.

  7. Click Save.

To create and configure the Allowed Origin List as part of the CORS Protection Rule List:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the CORS Protection tab.
  3. Click Create New to display the configuration editor.
    Configure the following parameters:

    Name
      Enter a unique CORS Protection name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
      Note: Once saved, the name of a CORS Protection cannot be changed.

    Status
      Enable/disable CORS protection. This is disabled by default.
      Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.

  4. Click Save.
    The newly created CORS Protection is listed under the CORS Protection tab.
  5. Locate the newly created CORS Protection on the list and double-click the row or click the (Edit icon).
  6. Under CORS Protection Rule List, click Create New to display the configuration editor.
  7. In the Allow Origin field, select Create New from the drop-down.
    The Allowed Origin configuration editor is displayed.
  8. Configure the following parameters:

    Name
      Enter a unique Allowed Origin name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
      Note: Once saved, the name of an Allowed Origin cannot be changed.

  9. Click Save.
  10. Under Allowed Origin List, click Create New to display the configuration editor.
    Configure the following parameters:

    Protocol
      Select which protocols are allowed for connections between foreign applications and your application:

      • HTTP

      • HTTPS

      • ANY

      The default is HTTP.

    Origin Name
      Enter the foreign application's domain name or IP address. Wildcards are supported. (Range: 1-128 characters)

    Port
      Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80)

    Include Sub Domains
      Enable/disable matching the Origin Name against its subdomains as well. This is disabled by default.

  11. Click Save.

Configuring the CORS Headers List

The CORS Headers List specifies the HTTP headers that may be "allowed" or "exposed" in the CORS Protection Rule List. If allowed, FortiADC uses the list to verify whether the headers used in CORS requests are legitimate. If exposed, FortiADC makes the listed response headers readable by JavaScript in foreign applications.

The CORS Headers List is optional: it is only required if Allowed Headers or Exposed Headers is enabled in the CORS Protection Rule List.

To create and configure the CORS Headers List:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the CORS Headers tab.
  3. Click Create New to display the configuration editor.
    Configure the following parameters:

    Name
      Enter a unique CORS Headers name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
      Note: Once saved, the name of a CORS Headers entry cannot be changed.

  4. Click Save.
    The newly created CORS Headers is listed under the CORS Headers tab.
  5. Locate the newly created CORS Headers on the list and double-click the row or click the (Edit icon).
  6. Under CORS Headers List, click Create New to display the configuration editor.
    Configure the following parameters:

    Header
      Specify the HTTP header as a string. (Range: 1-63 characters)

  7. Click Save.

Configuring the CORS Protection Rule List

The CORS Protection Rule List defines the actions FortiADC takes to protect cross-origin resource sharing, using the Allowed Origin and, optionally, the CORS Headers.

To create and configure the CORS Protection Rule List:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the CORS Protection tab.
  3. Click Create New to display the configuration editor.
    Configure the following parameters:

    Name
      Enter a unique CORS Protection name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
      Note: Once saved, the name of a CORS Protection cannot be changed.

    Status
      Enable/disable CORS protection. This is disabled by default.
      Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.

  4. Click Save.
    The newly created CORS Protection is listed under the CORS Protection tab.
  5. Locate the newly created CORS Protection on the list and double-click the row or click the (Edit icon).
  6. Under CORS Protection Rule List, click Create New to display the configuration editor.
    Configure the following parameters:

    Action
      Specify the WAF action:

      • alert

      • deny

      • block

      • silent-block

      The default action is block.

    Host Status
      Enable/disable restricting this rule to a specific domain name or IP address. This is disabled by default.

    Host Name
      This option appears if Host Status is enabled. Specify the host name.

    Request URL
      Specify the request URL as a regular expression. The maximum length is 8192 characters.

    Allowed Origin
      Specify the name of the Allowed Origin. From the drop-down, select a previously configured Allowed Origin or select Create New to create and configure one directly. For detailed steps, see Configuring the Allowed Origin List.
      The Allowed Origin List ensures that only CORS traffic from the specified applications is allowed.

    Insert Allow Credentials
      Enable/disable inserting the response header that states whether CORS requests from foreign applications may include user credentials. This is disabled by default.

    Allowed Credentials
      This option appears if Insert Allow Credentials is enabled. Select one of the following options:

      • True

      • False

      If the selected Allowed Origin is set to *, do not select True for Allowed Credentials: browsers reject a credentialed response whose allowed origin is *.

    Insert Max Age
      Enable/disable inserting the maximum time for which the result of a preflight request may be cached before it expires.

    Allowed Maximum Age
      This option appears if Insert Max Age is enabled. Specify the maximum time period in seconds. (Range: 0-86400; default: 0)

    Allowed Methods
      Enable/disable having FortiADC use the specified Methods to verify whether the methods used in CORS requests are legitimate. This is disabled by default.

    Methods
      This option appears if Allowed Methods is enabled. Specify the method(s):

      • GET

      • POST

      • HEAD

      • TRACE

      • CONNECT

      • DELETE

      • PUT

      • PATCH

    Allowed Headers
      Enable/disable having FortiADC use the CORS Headers List to verify whether the headers used in CORS requests are legitimate. This is disabled by default.

    Allowed Headers List
      This option appears if Allowed Headers is enabled. Specify the name of the CORS Headers List to allow. From the drop-down, select a previously configured CORS Headers entry. For detailed steps, see Configuring the CORS Headers List.
      FortiADC uses the allowed-headers-list to verify whether the headers used in CORS requests are legitimate.

    Exposed Headers
      Enable/disable having FortiADC expose the headers in the specified CORS Headers List to JavaScript in foreign applications. This is disabled by default.

    Exposed Headers List
      This option appears if Exposed Headers is enabled. Specify the name of the CORS Headers List to expose. From the drop-down, select a previously configured CORS Headers entry. For detailed steps, see Configuring the CORS Headers List.
      FortiADC exposes the headers in the exposed-headers-list to JavaScript in foreign applications.

  7. Click Save.
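As an added illustration (not FortiADC's code), the following Python models how an Allowed Origin entry (Protocol, Origin Name with wildcards, Port, Include Sub Domains) is matched against a request's Origin header, and how the rule's Allowed Credentials, Methods, Allowed Headers, Exposed Headers and Max Age settings decide the outcome and the CORS response headers. The rule and origin values are constructed samples; the Access-Control-* header names are assumed from the CORS specification, and Host Name and Request URL matching are left out.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

@dataclass
class AllowedOrigin:
    """One Allowed Origin List entry; field names follow the page's parameters."""
    name: str                         # Origin Name: domain or IP, wildcards allowed
    protocol: str = "HTTP"            # Protocol: HTTP, HTTPS or ANY (default HTTP)
    port: int = 80                    # Port (default 80)
    include_subdomains: bool = False  # Include Sub Domains (default disabled)

    def matches(self, origin: str) -> bool:
        u = urlsplit(origin)
        scheme = u.scheme.lower()
        if self.protocol != "ANY" and scheme != self.protocol.lower():
            return False
        if (u.port or (443 if scheme == "https" else 80)) != self.port:
            return False
        host, pat = (u.hostname or "").lower(), self.name.lower()
        if fnmatchcase(host, pat):
            return True
        return self.include_subdomains and fnmatchcase(host, "*." + pat)

@dataclass
class CorsRule:
    """One CORS Protection Rule List entry (Host and Request URL matching omitted)."""
    origins: List[AllowedOrigin]
    action: str = "block"                       # alert, deny, block, silent-block
    allow_credentials: Optional[bool] = None    # None: Insert Allow Credentials off
    methods: Optional[Set[str]] = None          # None: Allowed Methods off
    allowed_headers: Optional[Set[str]] = None  # None: Allowed Headers off
    exposed_headers: Optional[Set[str]] = None  # None: Exposed Headers off
    max_age: Optional[int] = None               # None: Insert Max Age off

    def validate(self) -> None:
        # The page's caveat: Allowed Origin * must not be combined with credentials True
        if self.allow_credentials and any(o.name == "*" for o in self.origins):
            raise ValueError("Allowed Credentials must not be True with Allowed Origin *")

def evaluate(rule: CorsRule, req: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return (outcome, CORS response headers): 'allow', or the rule's WAF action."""
    rule.validate()
    origin = req.get("Origin", "")
    if not any(o.matches(origin) for o in rule.origins):
        return rule.action, {}  # an empty or non-matching list allows nothing
    method = req.get("Access-Control-Request-Method")
    if rule.methods is not None and method and method.upper() not in rule.methods:
        return rule.action, {}
    asked = {h.strip().lower() for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
    if rule.allowed_headers is not None and not asked <= {h.lower() for h in rule.allowed_headers}:
        return rule.action, {}
    hdrs = {"Access-Control-Allow-Origin": origin}  # this model echoes the matched origin
    if rule.allow_credentials is not None:
        hdrs["Access-Control-Allow-Credentials"] = str(rule.allow_credentials).lower()
    if rule.max_age is not None:
        hdrs["Access-Control-Max-Age"] = str(rule.max_age)
    for name, values in (("Access-Control-Allow-Methods", rule.methods),
                         ("Access-Control-Allow-Headers", rule.allowed_headers),
                         ("Access-Control-Expose-Headers", rule.exposed_headers)):
        if values is not None:
            hdrs[name] = ", ".join(sorted(values))
    return "allow", hdrs

# Constructed sample rule: one HTTPS partner origin, subdomains included, credentials allowed
RULE = CorsRule(
    origins=[AllowedOrigin("partner.example", "HTTPS", 443, include_subdomains=True)],
    allow_credentials=True, methods={"GET", "POST"},
    allowed_headers={"Content-Type", "X-Api-Key"}, exposed_headers={"X-Request-Id"}, max_age=600)
```

Calling evaluate(RULE, ...) with a preflight from https://app.partner.example returns "allow" and the full header set, while an origin outside the list, a method not in Methods, or a header not in the Allowed Headers List returns the rule's action with no CORS headers.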