User Guide

CORS protection

If you have enabled Cross-Origin Resource Sharing (CORS) for your application, other applications can access its resources from JavaScript running in the browser. Use the CORS Protection feature on FortiWeb Cloud so that only legitimate CORS requests from allowed web applications reach your application.

To create a CORS protection rule

  1. Go to ACCESS RULES > CORS protection.
  2. Enter a Request URL to protect. It can be either:
    • A literal URL, such as /folder1/index.htm, that the HTTP request must contain in order to match the rule, or a wildcard pattern that matches multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php. The pattern itself does not need to begin with a slash ( / ); however, it must match URLs that begin with a slash.
      To create and test a regular expression, click RegEx Test. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Frequently used regular expressions.
  3. Enable Block CORS Traffic to block all CORS traffic to the URL specified above.
    Disable this option to allow CORS traffic, and configure the settings below to restrict which CORS traffic is allowed.
  4. Click Create New to add Allowed Origins. Configure the following settings.
    Protocol

    Select which protocol is allowed for connections between foreign applications and your application.

    Origin Name

    Enter the foreign application's domain name.
    Wildcards are supported.
    Note that the Origin Name only matches domains at the same level: for example, *.com matches a.com but not a.b.com, while *.b.com matches a.b.com.

    Port

    Type the TCP port number for the CORS connections. The valid range is from 0 to 65,535.

    0 means CORS requests are accepted on any TCP port.

    Include Sub Domains

    Enable this option so that the Origin Name also matches domains below its level. For example, if this option is enabled, *.com matches all domain names ending in .com.

  5. Click OK.
  6. Configure the following settings.
    Allowed Credentials

    Specify whether CORS requests from foreign applications may include user credentials.

    • None: Allow CORS requests with or without user credentials.
    • TRUE: Allow only CORS requests with user credentials.
      The CORS specification requires an explicit origin, not the wildcard *, as the value of Access-Control-Allow-Origin in the response when Access-Control-Allow-Credentials is true.
      If you leave the Allowed Origins list empty, be careful about selecting TRUE for Allowed Credentials unless you are sure the back-end server will not set * for Access-Control-Allow-Origin in the response.
    • FALSE: Allow only CORS requests without user credentials.
    Allowed Maximum Age

    The maximum time, in seconds, for which the result of a preflight request may be cached before it expires. The valid range is from 0 to 86,400.

    0 means the Allowed Maximum Age configured on the back-end server is used.

    For example, if the Allowed Maximum Age is set to 3,600 seconds and the initial preflight request is allowed, the browser can send subsequent CORS requests during the next 3,600 seconds directly, without a preceding preflight request.

    This applies only to preflighted CORS requests, not to simple requests.

    Allowed Methods

    Click Add to add the allowed HTTP methods, so that FortiWeb Cloud can verify that the methods used in CORS requests are legitimate.

    Allowed Headers

    Click Add to add the allowed request headers, so that FortiWeb Cloud can verify that the headers used in CORS requests are legitimate.

    Exposed Headers

    Click Add to add the exposed headers, so that FortiWeb Cloud exposes the specified response headers to JavaScript in the foreign application.

  7. Click Save.
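The matching rules from step 4 (same-level wildcards, Include Sub Domains, port 0 meaning any port) and the checks from step 6 (allowed origin, methods and headers, and the no-wildcard rule when credentials are allowed) are easiest to understand as code. The model below is an added example, not FortiWeb Cloud code; the dict keys, the RULE values and the request headers are constructed for illustration and simply mirror the fields named on this page.

```python
"""Added example (not FortiWeb Cloud code): a model of the Allowed Origins
matching rules on this page and of the preflight checks a rule enables."""
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}

def name_matches(pattern: str, host: str, include_subdomains: bool) -> bool:
    """Same-level match: '*' covers a single label, so *.com matches a.com but
    not a.b.com. With Include Sub Domains the host may carry extra leading
    labels, so *.com then matches a.b.com as well."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if include_subdomains and len(h) > len(p):
        h = h[len(h) - len(p):]  # compare only the right-most labels
    return len(h) == len(p) and all(fnmatchcase(hl, pl) for hl, pl in zip(h, p))

def origin_allowed(origin: str, entry: dict) -> bool:
    """One Allowed Origins entry (keys are this example's names for the
    page's fields): protocol, origin_name, port (0 = any), include_subdomains."""
    parts = urlsplit(origin)
    if parts.scheme != entry["protocol"] or not parts.hostname:
        return False
    port = parts.port or DEFAULT_PORT.get(parts.scheme)
    if entry["port"] not in (0, port):
        return False
    return name_matches(entry["origin_name"], parts.hostname, entry["include_subdomains"])

def evaluate_preflight(req: dict, rule: dict) -> Optional[dict]:
    """Apply a rule to an OPTIONS preflight (request headers as a dict).
    Returns the CORS response headers to emit, or None if the request is rejected."""
    origin = req.get("Origin", "")
    if not any(origin_allowed(origin, e) for e in rule["allowed_origins"]):
        return None
    if req.get("Access-Control-Request-Method") not in rule["allowed_methods"]:
        return None
    asked = {h.strip().lower() for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
    if not asked <= {h.lower() for h in rule["allowed_headers"]}:
        return None
    # CORS spec: with credentials the response must echo the exact origin, never "*".
    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin",
            "Access-Control-Allow-Methods": ", ".join(rule["allowed_methods"]),
            "Access-Control-Allow-Headers": ", ".join(rule["allowed_headers"]),
            "Access-Control-Max-Age": str(rule["max_age"])}
    if rule["allowed_credentials"] == "TRUE":
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp

RULE = {  # constructed rule mirroring the page's fields
    "allowed_origins": [{"protocol": "https", "origin_name": "*.b.com", "port": 0, "include_subdomains": False}],
    "allowed_credentials": "TRUE", "max_age": 3600,
    "allowed_methods": ["GET", "POST"], "allowed_headers": ["Content-Type", "X-Request-Id"]}
```

With RULE, a preflight from https://app.b.com:8443 asking for POST with Content-Type is answered with an echoed origin and Access-Control-Allow-Credentials: true, while an origin such as https://a.b.c.com, a DELETE method, or an Authorization header is rejected.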
