Configuring a CORS Protection Rule
The CORS Protection Rule List defines the actions FortiADC takes to protect Cross-Origin Resource Sharing (CORS) traffic, using the Allowed Origin list and, optionally, the CORS Headers list.
Configuration overview
To enable the CORS protection functionality, you need to configure the following:
- Allowed Origin List — see Configuring an Allowed Origin List.
- CORS Headers List (optional) — see Configuring a CORS Headers List.
- CORS Protection Rule List.
After you have configured your CORS Protection, you can add it to your WAF profile configuration under the Input Protection section. For more information, see Configuring a WAF Profile.
To create and configure the CORS Protection Rule List:
- Go to Web Application Firewall > CORS Protection.
- Click the CORS Protection tab.
- Click Create New to display the configuration editor.
Configure the following:

Name
  Enter a unique CORS Protection name. Valid characters must match the regular expression /^[A-Za-z0-9.:_-]*$/. No spaces are allowed.
  Note: Once saved, the name of a CORS Protection cannot be changed.

Status
  Enable/disable CORS protection. This is disabled by default.
  Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.
- Click Save.
  The newly created CORS Protection is listed under the CORS Protection tab.
- Locate the newly created CORS Protection on the list and double-click the row or click the Edit icon.
- Under CORS Protection Rule List, click Create New to display the configuration editor.
Configure the following:

Action
  Specify the WAF action:
  - alert
  - deny
  - block
  - silent-block
  The default action is block.

Host Status
  Enable/disable to allow this rule to protect a specific domain name or IP address. This is disabled by default.

Host Name
  This option appears if Host Status is enabled.
  Specify the host name.

Request URL
  Specify the request URL as a regular expression. The maximum length is 8192 characters.

Apply to All CORS Traffic
  Enable/disable to apply the CORS Protection Rule to all CORS traffic. This is disabled by default.
  Disable — The CORS Protection Rule takes effect only if all CORS protection parameters match, including Allowed Origin.
  Enable — The CORS Protection Rule takes effect if the Request URL and/or the Host Name (if Host Status is enabled) matches. Once Apply to All CORS Traffic is enabled, all options are hidden except Action, Host Status (Host Name), and Request URL.

Allowed Origin
  Specify the name of the Allowed Origin.
  From the drop-down, you may select a previously configured Allowed Origin or select Create New to create and configure an Allowed Origin directly. For detailed steps, see Configuring an Allowed Origin List.
  The Allowed Origin list ensures that only CORS traffic from the specified applications is allowed.

Insert Allow Credentials
  Enable/disable whether CORS requests from foreign applications may include user credentials. This is disabled by default.

Allowed Credentials
  This option appears if Insert Allow Credentials is enabled.
  Select one of the following options:
  - True
  - False
  If the selected Allowed Origin is set to *, do not select True for Allowed Credentials.

Insert Max Age
  Enable/disable to specify a maximum time period before the result of the preflight request expires.

Allowed Maximum Age
  This option appears if Insert Max Age is enabled.
  Specify the maximum time period in seconds (range: 0-86400, default: 0).

Allowed Methods
  Enable/disable to allow FortiADC to use the specified Methods to verify whether the methods used in CORS requests are legitimate. This is disabled by default.

Methods
  This option appears if Allowed Methods is enabled.
  Specify the method(s):
  - GET
  - POST
  - HEAD
  - TRACE
  - CONNECT
  - DELETE
  - PUT
  - PATCH

Allowed Headers
  Enable/disable to allow FortiADC to use the CORS Headers List to verify whether the headers used in CORS requests are legitimate. This is disabled by default.

Allowed Headers List
  This option appears if Allowed Headers is enabled.
  Specify the name of the CORS Headers List to allow.
  From the drop-down, you may select a previously configured CORS Headers List. For detailed steps, see Configuring a CORS Headers List.
  FortiADC uses the allowed-headers-list to verify whether the headers used in CORS requests are legitimate.

Exposed Headers
  Enable/disable to allow FortiADC to expose the headers in the specified CORS Headers List to JavaScript in foreign applications. This is disabled by default.

Exposed Headers List
  This option appears if Exposed Headers is enabled.
  Specify the name of the CORS Headers List to expose.
  From the drop-down, you may select a previously configured CORS Headers List. For detailed steps, see Configuring a CORS Protection Rule.
  FortiADC exposes the headers in the exposed-headers-list to JavaScript in foreign applications.
- Click Save.
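As an added example (not FortiADC code), the following Python models one CORS Protection Rule with the parameters listed above, evaluates a CORS request against it, and performs the configuration check that Allowed Credentials must not be True when Allowed Origin is *. The CorsRule fields, the validate_rule and evaluate functions, and the reading that a CORS request whose origin, method or header is not in the allowed lists triggers the rule's action are assumptions of this example, not documented FortiADC behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional
@dataclass
class CorsRule:                                  # assumed model; fields mirror the page's parameters
    action: str = "block"                        # alert | deny | block | silent-block
    request_url: str = ".*"                      # regex matched against the request URL
    host_name: Optional[str] = None              # None = Host Status disabled
    apply_to_all: bool = False                   # Apply to All CORS Traffic
    allowed_origins: frozenset = frozenset()     # origins from the Allowed Origin list
    allow_credentials: Optional[bool] = None     # None = Insert Allow Credentials disabled
    max_age: Optional[int] = None                # None = Insert Max Age disabled
    allowed_methods: Optional[frozenset] = None  # None = Allowed Methods disabled
    allowed_headers: Optional[frozenset] = None  # None = Allowed Headers disabled
    exposed_headers: Optional[frozenset] = None  # None = Exposed Headers disabled

def validate_rule(rule):                         # configuration checks the page calls out; [] means OK
    problems = []
    if rule.allow_credentials and "*" in rule.allowed_origins:
        problems.append("Allowed Credentials must not be True when Allowed Origin is *")
    if rule.max_age is not None and not 0 <= rule.max_age <= 86400:
        problems.append("Allowed Maximum Age must be within 0-86400")
    return problems

def evaluate(rule, method, url, host, headers):  # returns (verdict, response headers to insert)
    origin = headers.get("Origin")
    if origin is None or not re.search(rule.request_url, url):
        return "pass", {}                        # not CORS traffic, or URL not covered by the rule
    if rule.host_name is not None and host != rule.host_name:
        return "pass", {}                        # Host Status enabled and this is another host
    if rule.apply_to_all:
        return rule.action, {}                   # every matching CORS request gets the action
    req_method = headers.get("Access-Control-Request-Method", method)  # a preflight carries the real method
    req_headers = headers.get("Access-Control-Request-Headers", "")
    req_headers = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    if (origin not in rule.allowed_origins and "*" not in rule.allowed_origins
            or rule.allowed_methods is not None and req_method not in rule.allowed_methods
            or rule.allowed_headers is not None
            and not req_headers <= {h.lower() for h in rule.allowed_headers}):
        return rule.action, {}                   # origin, method or header is not legitimate
    out = {"Access-Control-Allow-Origin": origin}
    for name, value in (("Access-Control-Allow-Credentials", rule.allow_credentials),
                        ("Access-Control-Max-Age", rule.max_age),
                        ("Access-Control-Allow-Methods", rule.allowed_methods),
                        ("Access-Control-Allow-Headers", rule.allowed_headers),
                        ("Access-Control-Expose-Headers", rule.exposed_headers)):
        if value is not None:                    # only options whose Insert/Allowed toggle is enabled
            out[name] = str(value).lower() if isinstance(value, int) else ", ".join(sorted(value))
    return "pass", out
```

Run it on a constructed preflight (an OPTIONS request carrying Origin and Access-Control-Request-Method) to see which response headers a fully enabled rule would insert, and on a request from an origin outside the list to see the rule's action returned instead.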