Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.1.1 CLI Reference
    7.1.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security waf cors-protection

    config security waf cors-protection

    Use this command to configure Cross-Origin Resource Sharing (CORS) Protection.

    Cross-Origin Resource Sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain The CORS standard works by adding new HTTP headers that allow servers to describe which origins are permitted to read that information from a web browser. It extends and adds flexibility to the same-origin policy so that websites would not be restricted to accessing resources from the same origin.

    However, in the process of enabling information sharing between sites, the significance of CORS configuration may be overlooked and allow for vulnerabilities. One such example is the Cross-Origin Request Site, an OWASP TOP10 Security Misconfiguration vulnerability.

    To protect your applications against CORS vulnerabilities, use the CORS Protection feature to ensure that only legitimate CORS requests from allowed web applications can reach your application.

    Syntax

    config security waf cors-protection

    edit <name>

    set status {enable|disable}

    config cors-rule-list

    edit 1

    set action {alert|deny|block|silent-deny}

    set host-status {enable|disable}

    set request-url <string>

    set remove-other-headers {enable|disable}

    set allowed-methods {enable|disable}

    set allowed-headers {enable|disable}

    set exposed-headers {enable|disable}

    set allowed-origin <datasource>

    set methods {GET,POST,HEAD,TRACE,CONNECT,DELETE,PUT,PATCH}

    set allowed-headers-list <datasource>

    set exposed-headers-list <datasource>

    set insert-allowed-credentials {enable|disable}

    set allowed-credentials {true|false|none}

    set insert-max-age {enable|disable}

    set allowed-maximum-age <integer>

    next

    end

    next

    end

    status

    Enable/disable CORS protection. This is disabled by default.
    config cors-rule-list
    action

    Specify the WAF action:

    • alert

    • deny

    • block

    • silent-block

    The default action is block.
    host-status Enable/disable to allow this rule to protect a specific domain name or IP address. This is disabled by default.
    request-url

    Specify the request URL as a regular expression. The maximum length is 8192 characters.
    remove-other-headers Enable/disable to remove the other headers that are excluded in the exposed-headers-list. This is disabled by default.
    allowed-methods Enable/disable to allow FortiADC to use the methods specified to verify whether the methods used in the CORS requests are legitimate. This is disabled by default.

    allowed-headers

    Enable/disable to allow FortiADC to use the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate. This is disabled by default.

    exposed-headers

    Enable/disable to allow FortiADC to expose the specified headers in the exposed-headers-list in JavaScript and share with foreign applications. This is disabled by default.

    allowed-origin

    Specify the name of the Allowed Origin List (previously configured through config security waf allowed-origin). The allowed origin list ensures only the CORS traffic from the specified applications are allowed.

    methods

    If allowed-methods is enabled, specify the method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    allowed-headers-list

    If allowed-headers is enabled, specify the name of the CORS Headers List to allow. (This is previously configured through config security waf cors-headers). FortiADC uses the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate.

    exposed-headers-list

    If exposed-headers is enabled, specify the name of the CORS Headers List to expose. (This is previously configured through config security waf cors-headers). FortiADC will expose the headers in the exposed-headers-list in JavaScript and share with foreign applications.

    insert-allowed-credentials

    Enable/disable to allow whether the CORS requests from foreign applications can include user credentials. This is disabled by default.

    allowed-credentials

    If insert-allowed-credentials is enabled, select one of the following options:

    • true

    • false

    • none

    The default option is none.

    insert-max-age

    Enable/disable to specify a maximum time period before the result of the preflight request expires.

    allowed-maximum-age

    If insert-max-age is enabled, specify the maximum time period in seconds. (Range: 0-86400, default: 0).

    Example

    config security waf cors-protection

    edit "test"

    set status enable

    config cors-rule-list

    edit 2

    set action block

    set host-status disable

    set request-url /test

    set remove-other-headers disable

    set allowed-methods enable

    set allowed-headers enable

    set exposed-headers enable

    set allowed-origin test

    set methods GET

    set allowed-headers-list test1

    set exposed-headers-list test2

    set insert-allowed-credentials enable

    set allowed-credentials false

    set insert-max-age enable

    set allowed-max-age 0

    next

    end

    next

    end

    Previous
    Next

    config security waf cors-protection

    config security waf cors-protection

    Use this command to configure Cross-Origin Resource Sharing (CORS) Protection.

    Cross-Origin Resource Sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain The CORS standard works by adding new HTTP headers that allow servers to describe which origins are permitted to read that information from a web browser. It extends and adds flexibility to the same-origin policy so that websites would not be restricted to accessing resources from the same origin.

    However, in the process of enabling information sharing between sites, the significance of CORS configuration may be overlooked and allow for vulnerabilities. One such example is the Cross-Origin Request Site, an OWASP TOP10 Security Misconfiguration vulnerability.

    To protect your applications against CORS vulnerabilities, use the CORS Protection feature to ensure that only legitimate CORS requests from allowed web applications can reach your application.

    Syntax

    config security waf cors-protection

    edit <name>

    set status {enable|disable}

    config cors-rule-list

    edit 1

    set action {alert|deny|block|silent-deny}

    set host-status {enable|disable}

    set request-url <string>

    set remove-other-headers {enable|disable}

    set allowed-methods {enable|disable}

    set allowed-headers {enable|disable}

    set exposed-headers {enable|disable}

    set allowed-origin <datasource>

    set methods {GET,POST,HEAD,TRACE,CONNECT,DELETE,PUT,PATCH}

    set allowed-headers-list <datasource>

    set exposed-headers-list <datasource>

    set insert-allowed-credentials {enable|disable}

    set allowed-credentials {true|false|none}

    set insert-max-age {enable|disable}

    set allowed-maximum-age <integer>

    next

    end

    next

    end

    status

    Enable/disable CORS protection. This is disabled by default.
    config cors-rule-list
    action

    Specify the WAF action:

    • alert

    • deny

    • block

    • silent-block

    The default action is block.
    host-status Enable/disable to allow this rule to protect a specific domain name or IP address. This is disabled by default.
    request-url

    Specify the request URL as a regular expression. The maximum length is 8192 characters.
    remove-other-headers Enable/disable to remove the other headers that are excluded in the exposed-headers-list. This is disabled by default.
    allowed-methods Enable/disable to allow FortiADC to use the methods specified to verify whether the methods used in the CORS requests are legitimate. This is disabled by default.

    allowed-headers

    Enable/disable to allow FortiADC to use the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate. This is disabled by default.

    exposed-headers

    Enable/disable to allow FortiADC to expose the specified headers in the exposed-headers-list in JavaScript and share with foreign applications. This is disabled by default.

    allowed-origin

    Specify the name of the Allowed Origin List (previously configured through config security waf allowed-origin). The allowed origin list ensures only the CORS traffic from the specified applications are allowed.

    methods

    If allowed-methods is enabled, specify the method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    allowed-headers-list

    If allowed-headers is enabled, specify the name of the CORS Headers List to allow. (This is previously configured through config security waf cors-headers). FortiADC uses the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate.

    exposed-headers-list

    If exposed-headers is enabled, specify the name of the CORS Headers List to expose. (This is previously configured through config security waf cors-headers). FortiADC will expose the headers in the exposed-headers-list in JavaScript and share with foreign applications.

    insert-allowed-credentials

    Enable/disable to allow whether the CORS requests from foreign applications can include user credentials. This is disabled by default.

    allowed-credentials

    If insert-allowed-credentials is enabled, select one of the following options:

    • true

    • false

    • none

    The default option is none.

    insert-max-age

    Enable/disable to specify a maximum time period before the result of the preflight request expires.

    allowed-maximum-age

    If insert-max-age is enabled, specify the maximum time period in seconds. (Range: 0-86400, default: 0).

    Example

    config security waf cors-protection

    edit "test"

    set status enable

    config cors-rule-list

    edit 2

    set action block

    set host-status disable

    set request-url /test

    set remove-other-headers disable

    set allowed-methods enable

    set allowed-headers enable

    set exposed-headers enable

    set allowed-origin test

    set methods GET

    set allowed-headers-list test1

    set exposed-headers-list test2

    set insert-allowed-credentials enable

    set allowed-credentials false

    set insert-max-age enable

    set allowed-max-age 0

    next

    end

    next

    end

    Previous
    Next