Configuring Cross-Origin Resource Sharing (CORS) protection
Cross-Origin Resource Sharing (CORS) is a browser mechanism that enables controlled access to resources located outside of a given domain. The CORS standard works by adding new HTTP headers that allow servers to describe which origins are permitted to read that information from a web browser. It extends and adds flexibility to the same-origin policy so that websites are not restricted to accessing resources from the same origin.
However, in the process of enabling information sharing between sites, the significance of the CORS configuration may be overlooked, which allows for vulnerabilities. One such example is the Cross-Origin Request Site, an OWASP Top 10 Security Misconfiguration vulnerability.
To protect your applications against CORS vulnerabilities, use the CORS Protection feature to ensure that only legitimate CORS requests from allowed web applications can reach your application.
Configuration overview
To enable the CORS protection functionality, you need to configure the following:
- Allowed Origin List — see the section on Configuring the Allowed Origin List.
- CORS Headers List (optional) — see the section on Configuring the CORS Headers List.
- CORS Protection Rule List — see the section on Configuring the CORS Protection Rule List.
After you have configured your CORS Protection, you can add it to your WAF profile configuration under the Input Protection section. For more information, see Configuring a WAF Profile.
Configuring the Allowed Origin List
The Allowed Origin List specifies the allowed domains using the HTTP response header. The header can contain either a * to indicate that all domains are allowed, or a specified domain to indicate that only that domain is allowed.
You can create and configure the Allowed Origin List from the Allowed Origin tab or as part of the CORS Protection Rule List.
The CORS Protection configuration requires an Allowed Origin to function correctly. If the Allowed Origin List is not applied, the CORS Protection does not work, because the empty list does not match the condition.
To create and configure the Allowed Origin List from Allowed Origin tab:
- Go to Web Application Firewall > CORS Protection.
- Click the Allowed Origin tab.
- Click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Name | Enter a unique Allowed Origin name. Valid characters should match the regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed. Note: Once saved, the name of an Allowed Origin cannot be changed.
- Click Save.
The newly created Allowed Origin is listed under the Allowed Origin tab.
- Locate the newly created Allowed Origin on the list and double-click the row or click the Edit icon.
- Under Allowed Origin List, click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Protocol | Select which type of protocol is allowed for the connections between foreign applications and your application: HTTP, HTTPS, or ANY. The default is HTTP.
Origin Name | Enter the foreign application's domain name or IP address. Wildcards are supported. (Range: 1-128 characters)
Port | Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80)
Include Sub Domains | Enable/disable whether the Origin Name value also matches its sub-domains. This is disabled by default.
- Click Save.
To create and configure the Allowed Origin List as part of the CORS Protection Rule List:
- Go to Web Application Firewall > CORS Protection.
- Click the CORS Protection tab.
- Click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Name | Enter a unique CORS Protection name. Valid characters should match the regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed. Note: Once saved, the name of a CORS Protection cannot be changed.
Status | Enable/disable CORS protection. This is disabled by default. Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.
- Click Save.
The newly created CORS Protection is listed under the CORS Protection tab.
- Locate the newly created CORS Protection on the list and double-click the row or click the Edit icon.
- Under CORS Protection Rule List, click Create New to display the configuration editor.
- In the Allow Origin field, select Create New from the drop-down.
The Allowed Origin configuration editor is displayed.
- Configure the following:
Parameter | Description
Name | Enter a unique Allowed Origin name. Valid characters should match the regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed. Note: Once saved, the name of an Allowed Origin cannot be changed.
- Click Save.
- Under Allowed Origin List, click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Protocol | Select which type of protocol is allowed for the connections between foreign applications and your application: HTTP, HTTPS, or ANY. The default is HTTP.
Origin Name | Enter the foreign application's domain name or IP address. Wildcards are supported. (Range: 1-128 characters)
Port | Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80)
Include Sub Domains | Enable/disable whether the Origin Name value also matches its sub-domains. This is disabled by default.
- Click Save.
Configuring the CORS Headers List
The CORS Headers List specifies the HTTP headers that may be "allowed" or "exposed" in the CORS Protection Rule List. If allowed, FortiADC uses the headers list to verify whether the headers used in CORS requests are legitimate. If exposed, FortiADC exposes the headers in the list to JavaScript and shares them with foreign applications.
The CORS Headers List is optional; it is required only if Allowed Headers or Exposed Headers is enabled in the CORS Protection Rule List.
To create and configure the CORS Headers List:
- Go to Web Application Firewall > CORS Protection.
- Click the CORS Headers tab.
- Click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Name | Enter a unique CORS Headers name. Valid characters should match the regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed. Note: Once saved, the name of a CORS Headers entry cannot be changed.
- Click Save.
The newly created CORS Headers entry is listed under the CORS Headers tab.
- Locate the newly created CORS Headers entry on the list and double-click the row or click the Edit icon.
- Under CORS Headers List, click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Header | Specify the HTTP header as a string. (Range: 1-63 characters)
- Click Save.
Configuring the CORS Protection Rule List
The CORS Protection Rule List defines the actions FortiADC takes to protect Cross-Origin Resource Sharing, using the Allowed Origin and, optionally, the CORS Headers.
To create and configure the CORS Protection Rule List:
- Go to Web Application Firewall > CORS Protection.
- Click the CORS Protection tab.
- Click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Name | Enter a unique CORS Protection name. Valid characters should match the regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed. Note: Once saved, the name of a CORS Protection cannot be changed.
Status | Enable/disable CORS protection. This is disabled by default. Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.
- Click Save.
The newly created CORS Protection is listed under the CORS Protection tab.
- Locate the newly created CORS Protection on the list and double-click the row or click the Edit icon.
- Under CORS Protection Rule List, click Create New to display the configuration editor.
- Configure the following:
Parameter | Description
Action | Specify the WAF action: alert, deny, block, or silent-block. The default action is block.
Host Status | Enable/disable to allow this rule to protect a specific domain name or IP address. This is disabled by default.
Host Name | This option appears if Host Status is enabled. Specify the host name.
Request URL | Specify the request URL as a regular expression. The maximum length is 8192 characters.
Allowed Origin | Specify the name of the Allowed Origin. From the drop-down, you may select a previously configured Allowed Origin or select Create New to create and configure an Allowed Origin directly. For detailed steps, see Configuring the Allowed Origin List. The Allowed Origin List ensures that only CORS traffic from the specified applications is allowed.
Insert Allow Credentials | Enable/disable whether CORS requests from foreign applications can include user credentials. This is disabled by default.
Allowed Credentials | This option appears if Insert Allow Credentials is enabled. Select True or False. If the selected Allowed Origin is set to *, do not select True for Allowed Credentials.
Insert Max Age | Enable/disable to specify a maximum time period before the result of the preflight request expires.
Allowed Maximum Age | This option appears if Insert Max Age is enabled. Specify the maximum time period in seconds. (Range: 0-86400; default: 0)
Allowed Methods | Enable/disable to allow FortiADC to use the specified Methods to verify whether the methods used in CORS requests are legitimate. This is disabled by default.
Methods | This option appears if Allowed Methods is enabled. Specify the method(s): GET, POST, HEAD, TRACE, CONNECT, DELETE, PUT, PATCH.
Allowed Headers | Enable/disable to allow FortiADC to use the CORS Headers List to verify whether the headers used in CORS requests are legitimate. This is disabled by default.
Allowed Headers List | This option appears if Allowed Headers is enabled. Specify the name of the CORS Headers List to allow. From the drop-down, you may select a previously configured CORS Headers List. For detailed steps, see Configuring the CORS Headers List. FortiADC uses the Allowed Headers List to verify whether the headers used in CORS requests are legitimate.
Exposed Headers | Enable/disable to allow FortiADC to expose the specified headers in the CORS Headers List to JavaScript and share them with foreign applications. This is disabled by default.
Exposed Headers List | This option appears if Exposed Headers is enabled. Specify the name of the CORS Headers List to expose. From the drop-down, you may select a previously configured CORS Headers List. For detailed steps, see Configuring the CORS Headers List. FortiADC exposes the headers in the Exposed Headers List to JavaScript and shares them with foreign applications.
- Click Save.
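The Python model below is an added example, not FortiADC code or part of this documentation: it shows how the Allowed Origin List entries described above (protocol, origin name with wildcards, port, Include Sub Domains) and a CORS Protection rule (action, Methods, Allowed Headers, Exposed Headers, Allowed Credentials) combine when a request is evaluated, and it rejects the configuration the page warns against, a * origin paired with Allowed Credentials set to True. Class and function names are assumptions, and Insert Max Age and Host matching are left out for brevity.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit


@dataclass
class AllowedOrigin:  # one entry of an Allowed Origin List (added model, not FortiADC code)
    protocol: str = "HTTP"           # HTTP, HTTPS or ANY
    name: str = "*"                  # domain name or IP address; wildcards supported
    port: int = 80
    include_subdomains: bool = False

    def matches(self, origin: str) -> bool:
        u = urlsplit(origin)
        scheme_ok = self.protocol == "ANY" or u.scheme.upper() == self.protocol
        port_ok = (u.port or (443 if u.scheme == "https" else 80)) == self.port
        host, pattern = (u.hostname or "").lower(), self.name.lower()
        host_ok = fnmatchcase(host, pattern) or (
            self.include_subdomains and host.endswith("." + pattern))
        return scheme_ok and port_ok and host_ok

@dataclass
class CorsRule:  # a None field means the corresponding Insert/Allowed option is disabled
    allowed_origins: list            # an unapplied (empty) list never matches
    action: str = "block"            # alert, deny, block or silent-block
    allow_credentials: bool = None
    methods: list = None
    allowed_headers: list = None
    exposed_headers: list = None

    def __post_init__(self):
        # Caveat from the page: a '*' origin must not be combined with Allowed Credentials = True
        if self.allow_credentials and any(o.name == "*" for o in self.allowed_origins):
            raise ValueError("Allowed Credentials must not be True for Allowed Origin '*'")

def evaluate(rule, origin, method, request_headers=()):
    # Returns ('allow', response_headers) for a legitimate request, else (rule.action, {}).
    origin_ok = any(o.matches(origin) for o in rule.allowed_origins)
    method_ok = rule.methods is None or method in rule.methods
    headers_ok = rule.allowed_headers is None or all(
        h.lower() in {a.lower() for a in rule.allowed_headers} for h in request_headers)
    if not (origin_ok and method_ok and headers_ok):
        return rule.action, {}
    hdrs = {"Access-Control-Allow-Origin": origin}
    if rule.allow_credentials is not None:
        hdrs["Access-Control-Allow-Credentials"] = str(rule.allow_credentials).lower()
    if rule.exposed_headers:
        hdrs["Access-Control-Expose-Headers"] = ", ".join(rule.exposed_headers)
    return "allow", hdrs
```

Running evaluate with an empty allowed_origins list always returns the rule action, which is the behaviour the note about an unapplied Allowed Origin List describes.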