Cross-Origin Resource Sharing (CORS) protection
If you have enabled Cross-Origin Resource Sharing (CORS) for your application, the resources of your application can be accessed by other applications using JavaScript within the browser. Use the CORS Protection feature on FortiWeb so that only legitimate CORS requests from allowed web applications can reach your application.
There are three tabs on CORS protection page:
Allowed Origin: Configure a list of applications that are allowed to access your application.
CORS Protection Rule: Configure rules to restrict CORS access.
CORS policy: Combine CORS protection rules together into a policy. You can later reference the CORS Protection Policy in an inline protection profile.
Configuring allowed origin
Configure the allowed origin to add a list of applications that are allowed to access your application.
- Go to Web Protection > Access > CORS Protection.
- Select Allowed Origin tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions. - Click Create New to create an allowed origin list.
- Enter a name for it.
- Click OK.
- Click Create New to add an application.
- Configure these settings.
- Click OK.
- Repeat step 6-8 if you want to add more applications to the list.
Protocol |
Select which type of protocols are allowed for the connections between foreign applications and your application. |
Origin Value |
Enter the foreign application's domain name. |
Port |
Type the TCP port number for the CORS connections. The valid range is from 0 to 65,535. 0 means the CORS requests can reach at any TCP port number. |
Include Sub Domains |
Enable this option so that the Origin Value matches with domains of its sub level. For example, if this option is enabled, *.com matches with all domain names. |
Configuring CORS protection rule
Configure CORS Protection Rule to block CORS traffic or add restrictions for the CORS traffic.
- Go to Web Protection > Access > CORS Protection.
- Select the CORS Protection Rule tab.
To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions. - Click Create New.
- Configure these settings.
- The literal URL, such as
/folder1/index.htm
that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as/folder1/*
or/folder1/*/index.htm
. The URL must begin with a slash (/
). - A regular expression, such as
^/*.php
. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash. - None: Allow CORS requests with or without user credentials.
- TRUE: Allow only CORS requests with user credentials.
The CORS specification requires a specific value forAccess-Control-Allow-Origin
in the response package if theAccess-Control-Allow-Credentials
is true.
If you leave the Allowed Origins unselected, please be careful to select TRUE for Allowed Credentials unless you are sure the back-end server will not set*
forAccess-Control-Allow-Origin
in the response package. - FALSE: Allow only CORS requests without user credentials.
- Click OK.
- The Allowed Method Type, Allowed Header Name, and Exposed Header Name tables appear. Click Create New to add entries in these tables.
Name |
Enter a name for the CORS protection rule. |
Host Status |
Enable if you want this rule to protect a specific domain name or IP address. Must also configure Host if this option is enabled. |
Host |
Select the protected hostnames entry (either a web host name or IP address). This rule will apply to the requests that have the selected hostname in the |
Type |
Indicate whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression |
URL Pattern |
Depending on your selection in Type, enter either: Do not include the domain name, such as To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax. |
Block CORS Traffic |
Enable this option to block all the CORS traffic to the above specified host and/or URL. Disable this option to allow CORS traffic, in the meantime configure the settings below to add restrictions for the CORS traffic. |
Allowed Origins |
Select the allowed origins list so that only the CORS traffic from the specified applications are allowed. With an Allowed Origins list selected, FortiWeb will compare the foreign application's domain name against the list. If it matches, FortiWeb allows the CORS request and adds If you leave the Allowed Origins unselected, the back-end application server, instead of FortiWeb, determines whether to allow CORS request from the foreign application and sets a value for If you have not yet configured an allowed origins list, see Configuring allowed origin |
Allowed Credentials |
Specify whether CORS requests from foreign applications can include user credentials. |
Allowed Maximum Age |
The maximum time period before the result of a preflight request expires. The valid range is from 0 to 86,400. 0 means using the Allowed Maximum Age configured in the back-end server. For example, if the Allowed Maximum Age is set to 3,600 seconds, and the initial preflight request is allowed, then the subsequent CORS requests in the next 3,600 seconds can be sent directly without a precedent preflight request. This applies only to the CORS preflighted requests, not the simple requests. |
Allowed Methods |
With this option enabled, you can later add an Allowed Method list so that FortiWeb can check against the list to verify whether the allow methods used in the CORS requests are legitimate. |
Allowed Headers |
With this option enabled, you can later add an Allowed Headers list so that FortiWeb can check against the list to verify whether the headers used in the CORS requests are legitimate. |
Exposed Headers |
With this option enabled, you can later add an Exposed Headers list to allow FortiWeb to expose the specified headers in JavaScript and share with foreign applications. |
If the CORS protection policy is applied together with an Allow Method policy (Web Protection > Access > Allow Method) in a web protection profile, please make sure the following:
- Enable the OPTIONS method in the Allow Method policy, otherwise the preflighted CORS requests will be blocked.
- The methods in Allowed Method Type table should be a subset of the selected methods in the Allow Method Policy (Web Protection > Access > Allow Method).
Configuring CORS protection policy
Include one or more CORS protection rules in a CORS protection policy so that they can take effect as a whole.
- Go to Web Protection > Access > CORS Protection.
- Select the CORS Protection Policy tab.
- Click Create New.
- Enter a name for this policy.
- Click OK.
- Click Create New.
- Select the CORS protection rule that you would like to include in this policy.
- Click OK.
- Repeat step 6-8 if you want to add more rules in this policy.
To apply the CORS protection policy, select it as the CORS Protection in a protection profile. For details, see Configuring a protection profile for inline topologies .
Attack log messages contain CORS Protection Violation
when this feature detects an unauthorized access attempt.