Fortinet black logo

CLI Reference

config security waf cors-protection

config security waf cors-protection

Use this command to configure Cross-Origin Resource Sharing (CORS) Protection.

Cross-Origin Resource Sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain The CORS standard works by adding new HTTP headers that allow servers to describe which origins are permitted to read that information from a web browser. It extends and adds flexibility to the same-origin policy so that websites would not be restricted to accessing resources from the same origin.

However, in the process of enabling information sharing between sites, the significance of CORS configuration may be overlooked and allow for vulnerabilities. One such example is the Cross-Origin Request Site, an OWASP TOP10 Security Misconfiguration vulnerability.

To protect your applications against CORS vulnerabilities, use the CORS Protection feature to ensure that only legitimate CORS requests from allowed web applications can reach your application.

Syntax

config security waf cors-protection

edit <name>

set status {enable|disable}

config cors-rule-list

edit 1

set action {alert|deny|block|silent-deny}

set host-status {enable|disable}

set request-url <string>

set remove-other-headers {enable|disable}

set allowed-methods {enable|disable}

set allowed-headers {enable|disable}

set exposed-headers {enable|disable}

set allowed-origin <datasource>

set methods {GET,POST,HEAD,TRACE,CONNECT,DELETE,PUT,PATCH}

set allowed-headers-list <datasource>

set exposed-headers-list <datasource>

set insert-allowed-credentials {enable|disable}

set allowed-credentials {true|false|none}

set insert-max-age {enable|disable}

set allowed-maximum-age <integer>

next

end

next

end

status

Enable/disable CORS protection. This is disabled by default.

config cors-rule-list
action

Specify the WAF action:

  • alert

  • deny

  • block

  • silent-block

The default action is block.

host-status Enable/disable to allow this rule to protect a specific domain name or IP address. This is disabled by default.
request-url

Specify the request URL as a regular expression. The maximum length is 8192 characters.

remove-other-headers Enable/disable to remove the other headers that are excluded in the exposed-headers-list. This is disabled by default.
allowed-methods Enable/disable to allow FortiADC to use the methods specified to verify whether the methods used in the CORS requests are legitimate. This is disabled by default.

allowed-headers

Enable/disable to allow FortiADC to use the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate. This is disabled by default.

exposed-headers

Enable/disable to allow FortiADC to expose the specified headers in the exposed-headers-list in JavaScript and share with foreign applications. This is disabled by default.

allowed-origin

Specify the name of the Allowed Origin List (previously configured through config security waf allowed-origin). The allowed origin list ensures only the CORS traffic from the specified applications are allowed.

methods

If allowed-methods is enabled, specify the method(s):

  • GET

  • POST

  • HEAD

  • TRACE

  • CONNECT

  • DELETE

  • PUT

  • PATCH

allowed-headers-list

If allowed-headers is enabled, specify the name of the CORS Headers List to allow. (This is previously configured through config security waf cors-headers). FortiADC uses the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate.

exposed-headers-list

If exposed-headers is enabled, specify the name of the CORS Headers List to expose. (This is previously configured through config security waf cors-headers). FortiADC will expose the headers in the exposed-headers-list in JavaScript and share with foreign applications.

insert-allowed-credentials

Enable/disable to allow whether the CORS requests from foreign applications can include user credentials. This is disabled by default.

allowed-credentials

If insert-allowed-credentials is enabled, select one of the following options:

  • true

  • false

  • none

The default option is none.

insert-max-age

Enable/disable to specify a maximum time period before the result of the preflight request expires.

allowed-maximum-age

If insert-max-age is enabled, specify the maximum time period in seconds. (Range: 0-86400, default: 0).

Example

config security waf cors-protection

edit "test"

set status enable

config cors-rule-list

edit 2

set action block

set host-status disable

set request-url /test

set remove-other-headers disable

set allowed-methods enable

set allowed-headers enable

set exposed-headers enable

set allowed-origin test

set methods GET

set allowed-headers-list test1

set exposed-headers-list test2

set insert-allowed-credentials enable

set allowed-credentials false

set insert-max-age enable

set allowed-max-age 0

next

end

next

end

config security waf cors-protection

Use this command to configure Cross-Origin Resource Sharing (CORS) Protection.

Cross-Origin Resource Sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain The CORS standard works by adding new HTTP headers that allow servers to describe which origins are permitted to read that information from a web browser. It extends and adds flexibility to the same-origin policy so that websites would not be restricted to accessing resources from the same origin.

However, in the process of enabling information sharing between sites, the significance of CORS configuration may be overlooked and allow for vulnerabilities. One such example is the Cross-Origin Request Site, an OWASP TOP10 Security Misconfiguration vulnerability.

To protect your applications against CORS vulnerabilities, use the CORS Protection feature to ensure that only legitimate CORS requests from allowed web applications can reach your application.

Syntax

config security waf cors-protection

edit <name>

set status {enable|disable}

config cors-rule-list

edit 1

set action {alert|deny|block|silent-deny}

set host-status {enable|disable}

set request-url <string>

set remove-other-headers {enable|disable}

set allowed-methods {enable|disable}

set allowed-headers {enable|disable}

set exposed-headers {enable|disable}

set allowed-origin <datasource>

set methods {GET,POST,HEAD,TRACE,CONNECT,DELETE,PUT,PATCH}

set allowed-headers-list <datasource>

set exposed-headers-list <datasource>

set insert-allowed-credentials {enable|disable}

set allowed-credentials {true|false|none}

set insert-max-age {enable|disable}

set allowed-maximum-age <integer>

next

end

next

end

status

Enable/disable CORS protection. This is disabled by default.

config cors-rule-list
action

Specify the WAF action:

  • alert

  • deny

  • block

  • silent-block

The default action is block.

host-status Enable/disable to allow this rule to protect a specific domain name or IP address. This is disabled by default.
request-url

Specify the request URL as a regular expression. The maximum length is 8192 characters.

remove-other-headers Enable/disable to remove the other headers that are excluded in the exposed-headers-list. This is disabled by default.
allowed-methods Enable/disable to allow FortiADC to use the methods specified to verify whether the methods used in the CORS requests are legitimate. This is disabled by default.

allowed-headers

Enable/disable to allow FortiADC to use the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate. This is disabled by default.

exposed-headers

Enable/disable to allow FortiADC to expose the specified headers in the exposed-headers-list in JavaScript and share with foreign applications. This is disabled by default.

allowed-origin

Specify the name of the Allowed Origin List (previously configured through config security waf allowed-origin). The allowed origin list ensures only the CORS traffic from the specified applications are allowed.

methods

If allowed-methods is enabled, specify the method(s):

  • GET

  • POST

  • HEAD

  • TRACE

  • CONNECT

  • DELETE

  • PUT

  • PATCH

allowed-headers-list

If allowed-headers is enabled, specify the name of the CORS Headers List to allow. (This is previously configured through config security waf cors-headers). FortiADC uses the allowed-headers-list to verify whether the headers used in the CORS requests are legitimate.

exposed-headers-list

If exposed-headers is enabled, specify the name of the CORS Headers List to expose. (This is previously configured through config security waf cors-headers). FortiADC will expose the headers in the exposed-headers-list in JavaScript and share with foreign applications.

insert-allowed-credentials

Enable/disable to allow whether the CORS requests from foreign applications can include user credentials. This is disabled by default.

allowed-credentials

If insert-allowed-credentials is enabled, select one of the following options:

  • true

  • false

  • none

The default option is none.

insert-max-age

Enable/disable to specify a maximum time period before the result of the preflight request expires.

allowed-maximum-age

If insert-max-age is enabled, specify the maximum time period in seconds. (Range: 0-86400, default: 0).

Example

config security waf cors-protection

edit "test"

set status enable

config cors-rule-list

edit 2

set action block

set host-status disable

set request-url /test

set remove-other-headers disable

set allowed-methods enable

set allowed-headers enable

set exposed-headers enable

set allowed-origin test

set methods GET

set allowed-headers-list test1

set exposed-headers-list test2

set insert-allowed-credentials enable

set allowed-credentials false

set insert-max-age enable

set allowed-max-age 0

next

end

next

end