Configuring a CORS Protection Rule

The CORS Protection Rule List defines the actions FortiADC takes on Cross-Origin Resource Sharing (CORS) requests, based on an Allowed Origin list and, optionally, CORS Headers lists.

Configuration overview

To enable the CORS protection functionality, you need to configure the following:

• An Allowed Origin List, which the rule uses to decide which origins may make cross-origin requests to the protected application. See Configuring an Allowed Origin List.

• Optionally, one or more CORS Headers Lists, used by the Allowed Headers and Exposed Headers options of a rule. See Configuring a CORS Headers List.

• A CORS Protection object containing one or more rules in its CORS Protection Rule List, as described below.

After you have configured your CORS Protection, you can add it to your WAF profile configuration under the Input Protection section. For more information, see Configuring a WAF Profile.

To create and configure the CORS Protection Rule List:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the CORS Protection tab.
  3. Click Create New to display the configuration editor.
    Configure the following:

    Parameter

    Description

    Name

    Enter a unique CORS Protection name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. Spaces are not allowed.

    Note: Once saved, the name of a CORS Protection cannot be changed.

    Status

    Enable/disable CORS protection. This is disabled by default.

    Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.

  4. Click Save.
    The newly created CORS Protection is listed under the CORS Protection tab.
  5. Locate the newly created CORS Protection on the list and double-click the row or click the Edit icon.
  6. Under CORS Protection Rule List, click Create New to display the configuration editor.
    Configure the following:

    Parameter

    Description

    Action

    Specify the WAF action:

    • alert

    • deny

    • block

    • silent-block

    The default action is block.

    Host Status

    Enable/disable to restrict this rule to a specific domain name or IP address. This is disabled by default.

    Host Name

    This option appears if Host Status is enabled.

    Specify the host name.

    Request URL

    Specify the request URL as a regular expression. The maximum length is 8192 characters.

    Apply to All CORS Traffic

    Enable/disable to apply the CORS Protection Rule to all CORS traffic. This is disabled by default.

    • Disable: The CORS Protection Rule takes effect only if all of the CORS protection parameters match, including Allowed Origin.

    • Enable: The CORS Protection Rule takes effect if the Request URL and/or the Host Name (if Host Status is enabled) matches, regardless of origin. Once Apply to All CORS Traffic is enabled, all options are hidden except Action, Host Status (Host Name), and Request URL.

    Allowed Origin

    Specify the name of the Allowed Origin.

    From the drop-down, you may select previously configured Allowed Origin or select Create New to create and configure an Allowed Origin directly. For detailed steps, see Configuring an Allowed Origin List.

    The allowed origin list ensures that only cross-origin requests from the listed origins are allowed; requests carrying any other Origin header are handled according to the rule's Action.

    Insert Allow Credentials

    Enable/disable insertion of the Access-Control-Allow-Credentials response header, which tells the browser whether cross-origin requests from foreign applications may include user credentials (cookies, HTTP authentication, TLS client certificates). This is disabled by default.

    Allowed Credentials

    This option appears if Insert Allow Credentials is enabled.

    Select one of the following options:

    • True

    • False

    If the selected Allowed Origin is set to *, do not select True for Allowed Credentials. Browsers reject a credentialed response whose Access-Control-Allow-Origin is *, and the combination would amount to granting every site on the Internet access to authenticated responses. List the specific origins that need credentialed access instead.

    Insert Max Age

    Enable/disable insertion of the Access-Control-Max-Age response header, which specifies how long the browser may cache the result of a preflight request before repeating it.

    Allowed Maximum Age

    This option appears if Insert Max Age is enabled.

    Specify the maximum time period in seconds. (Range: 0-86400, default: 0).

    Allowed Methods

    Enable/disable checking of the HTTP method in CORS requests against the Methods selected below. This is disabled by default.

    Methods

    This option appears if Allowed Methods is enabled.

    Specify the method(s):

    • GET

    • POST

    • HEAD

    • TRACE

    • CONNECT

    • DELETE

    • PUT

    • PATCH

    Select only the methods the protected application actually uses. Browsers never send TRACE or CONNECT from script (the Fetch standard forbids them), so allowing them only widens what a non-browser client can pass through the check.

    Allowed Headers

    Enable/disable checking of the request headers in CORS requests against the selected CORS Headers List. This is disabled by default.

    Allowed Headers List

    This option appears if Allowed Headers is enabled.

    Specify the name of the CORS Headers List to allow.

    From the drop-down, you may select previously configured CORS Headers. For detailed steps, see Configuring a CORS Headers List.

    FortiADC uses the allowed-headers-list to verify that the headers used in CORS requests are legitimate; a request carrying a header that is not on the list fails the check.

    Exposed Headers

    Enable/disable insertion of the Access-Control-Expose-Headers response header, which lets JavaScript running on an allowed foreign origin read the response headers named in the selected CORS Headers List. Without it the browser exposes only the CORS-safelisted response headers to script. This is disabled by default.

    Exposed Headers List

    This option appears if Exposed Headers is enabled.

    Specify the name of the CORS Headers List to expose.

    From the drop-down, you may select previously configured CORS Headers. For detailed steps, see Configuring a CORS Headers List.

    FortiADC exposes the headers in the exposed-headers-list to JavaScript on the allowed foreign origins; keep the list to headers the foreign application genuinely needs, since anything listed becomes readable cross-origin.

  7. Click Save.
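The following is an added example, not FortiADC code or a documented FortiADC API. It models the rule parameters above (Allowed Origin, Insert Allow Credentials, Insert Max Age, Allowed Methods, Allowed Headers, Exposed Headers) as a small reference policy, shows which response headers a preflight that passes the rule should produce, and audits headers captured from a live response for the two classic CORS mistakes: reflecting an origin the rule does not allow, and pairing a wildcard origin with credentials. The CorsRule class, lint_rule, evaluate_preflight and audit_response are the example's own constructs; the header semantics follow the CORS (Fetch) standard, not any FortiADC internals. The rule values and the captured response at the bottom are constructed for the example.

```python
"""Reference model of a CORS protection rule plus an audit of live responses.
Added example, not FortiADC code; the names below are this example's own."""
from __future__ import annotations
from dataclasses import dataclass

WILDCARD = "*"


@dataclass
class CorsRule:
    allowed_origins: frozenset                # Allowed Origin list, e.g. {"https://app.example.com"} or {"*"}
    allow_credentials: bool = False           # Insert Allow Credentials enabled with Allowed Credentials = True
    max_age: int | None = None                # Allowed Maximum Age; None = Insert Max Age disabled
    methods: frozenset | None = None          # Methods; None = Allowed Methods disabled
    allowed_headers: frozenset | None = None  # Allowed Headers List; None = Allowed Headers disabled
    exposed_headers: frozenset | None = None  # Exposed Headers List; None = Exposed Headers disabled


def lint_rule(rule: CorsRule) -> list[str]:
    """Static checks to run on a rule before attaching it to a WAF profile."""
    issues = []
    if WILDCARD in rule.allowed_origins and rule.allow_credentials:
        issues.append("wildcard origin combined with Allow-Credentials=true")
    if rule.max_age is not None and not 0 <= rule.max_age <= 86400:
        issues.append(f"max_age {rule.max_age} outside 0-86400")
    if rule.methods and rule.methods & {"TRACE", "CONNECT"}:
        issues.append("TRACE/CONNECT allowed; browsers never send these cross-origin")
    return issues


def _origin_allowed(rule: CorsRule, origin: str) -> bool:
    return WILDCARD in rule.allowed_origins or origin in rule.allowed_origins


def evaluate_preflight(rule: CorsRule, origin: str, req_method: str, req_headers=()):
    """Model an OPTIONS preflight: return ("block", {}) when any enabled check
    fails, otherwise ("allow", headers) with the CORS response headers the
    rule's enabled options correspond to."""
    if not _origin_allowed(rule, origin):
        return "block", {}
    if rule.methods is not None and req_method.upper() not in rule.methods:
        return "block", {}
    if rule.allowed_headers is not None:
        allowed = {h.lower() for h in rule.allowed_headers}
        if any(h.lower() not in allowed for h in req_headers):
            return "block", {}
    wildcard = WILDCARD in rule.allowed_origins
    hdrs = {"Access-Control-Allow-Origin": WILDCARD if wildcard else origin}
    if not wildcard:
        hdrs["Vary"] = "Origin"  # a shared cache must not serve one origin's grant to another
    if rule.allow_credentials:
        hdrs["Access-Control-Allow-Credentials"] = "true"
    if rule.max_age is not None:
        hdrs["Access-Control-Max-Age"] = str(rule.max_age)
    if rule.methods is not None:
        hdrs["Access-Control-Allow-Methods"] = ", ".join(sorted(rule.methods))
    if rule.allowed_headers is not None:
        hdrs["Access-Control-Allow-Headers"] = ", ".join(sorted(rule.allowed_headers))
    if rule.exposed_headers is not None:
        hdrs["Access-Control-Expose-Headers"] = ", ".join(sorted(rule.exposed_headers))
    return "allow", hdrs


def audit_response(rule: CorsRule, origin: str, resp_headers: dict) -> list[str]:
    """Compare headers captured from a live response (sent with the given
    Origin) against the rule and report misconfigurations."""
    h = {k.lower(): v for k, v in resp_headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return findings  # no CORS grant at all: nothing is exposed cross-origin
    if acao == WILDCARD and creds:
        findings.append("wildcard origin with credentials")
    if acao != WILDCARD and not _origin_allowed(rule, acao):
        findings.append(f"reflects unlisted origin {acao}")
    if acao == origin and acao != WILDCARD and "origin" not in h.get("vary", "").lower():
        findings.append("per-origin answer without Vary: Origin")
    if creds and not rule.allow_credentials:
        findings.append("credentials allowed but rule does not insert them")
    return findings


# Constructed rule matching a typical deployment (not from a real device).
RULE = CorsRule(allowed_origins=frozenset({"https://app.example.com"}),
                allow_credentials=True, max_age=600,
                methods=frozenset({"GET", "POST"}),
                allowed_headers=frozenset({"Content-Type", "Authorization"}),
                exposed_headers=frozenset({"X-Request-Id"}))

# The combination the page warns against.
BAD_RULE = CorsRule(allowed_origins=frozenset({WILDCARD}), allow_credentials=True)

# Constructed capture of what an origin-reflecting backend returns to an
# attacker-controlled origin when the ADC rule is not in the path.
REFLECTING_RESPONSE = {
    "Access-Control-Allow-Origin": "https://evil.example",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    print("lint:", lint_rule(BAD_RULE))
    print("preflight:", evaluate_preflight(RULE, "https://app.example.com", "POST", ["Content-Type"]))
    print("audit:", audit_response(RULE, "https://evil.example", REFLECTING_RESPONSE))
```

To use audit_response against a real deployment, send a request with a chosen Origin header (for example with curl -H "Origin: https://evil.example" -X OPTIONS) and pass the returned headers in as the dictionary; a clean result is an empty list. The Vary: Origin check is not one of the rule's own parameters, but a per-origin Access-Control-Allow-Origin served from a shared cache without it can hand one origin's grant to another, so it belongs in any CORS verification pass.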
