Configuring an Allowed Origin List

The Allowed Origin List specifies the allowed domains using the HTTP response header. The header can contain either a * to indicate that all domains are allowed, or a specific domain to indicate the allowed domain.

You can create and configure the Allowed Origin List from the Allowed Origin tab or as part of the CORS Protection Rule List.

Allowed Origin takes effect in a CORS Protection rule only when the Apply to All CORS Traffic option is disabled. In the CORS Protection Rule List configuration, the Apply to All CORS Traffic option is disabled by default, so you must apply an Allowed Origin List to the CORS Protection rule. If no Allowed Origin List is applied, the CORS Protection rule does not work, because the empty list does not match the condition.

Enabling the Apply to All CORS Traffic option hides the Allowed Origin option, making it inapplicable to the CORS Protection rule.

To create and configure the Allowed Origin List from the Allowed Origin tab:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the Allowed Origin tab.
  3. Click Create New to display the configuration editor.
    Configure the following:

    Parameter

    Description

    Name

    Enter a unique Allowed Origin name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

    Note: Once saved, the name of an Allowed Origin cannot be changed.

  4. Click Save.
  5. Under Allowed Origin List, click Create New to display the configuration editor.
    Configure the following:

    Parameter

    Description

    Protocol

    Select which protocols are allowed for the connections between foreign applications and your application.

    • HTTP

    • HTTPS

    • ANY

    The default is HTTP.

    Origin Name

    Enter the foreign application's domain name or IP address.

    Wildcards are supported. (Range: 1-128 characters).

    Port

    Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).

    Include Sub Domains

    Enable or disable matching of the Origin Value against the domains of its sub level.

    This is disabled by default.

  6. Click Save.
To create and configure the Allowed Origin List as part of the CORS Protection Rule List:
  1. Go to Web Application Firewall > CORS Protection.
  2. Click the CORS Protection tab.
  3. Click Create New to display the configuration editor.
    Configure the following:

    Parameter

    Description

    Name

    Enter a unique CORS Protection name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

    Note: Once saved, the name of a CORS Protection cannot be changed.

    Status

    Enable/disable CORS protection. This is disabled by default.

    Note: The CORS Protection Rule List cannot be configured until CORS protection is enabled.

  4. Click Save.
    The newly created CORS Protection is listed under the CORS Protection tab.
  5. Locate the newly created CORS Protection on the list and double-click the row or click the (Edit icon).
  6. Under CORS Protection Rule List, click Create New to display the configuration editor.
  7. In the Allow Origin field, select Create New from the drop-down.
    The Allowed Origin configuration editor is displayed.
  8. Configure the following:

    Parameter

    Description

    Name

    Enter a unique Allowed Origin name. Valid characters should match regular expression /^[A-Za-z0-9.:_-]*$/. No space is allowed.

    Note: Once saved, the name of an Allowed Origin cannot be changed.

  9. Click Save.
  10. Under Allowed Origin List, click Create New to display the configuration editor.
    Configure the following:

    Parameter

    Description

    Protocol

    Select which protocols are allowed for the connections between foreign applications and your application.

    • HTTP

    • HTTPS

    • ANY

    The default is HTTP.

    Origin Name

    Enter the foreign application's domain name or IP address.

    Wildcards are supported. (Range: 1-128 characters).

    Port

    Specify the TCP port number for the CORS connections. (Range: 0-65535; default: 80).

    Include Sub Domains

    Enable or disable matching of the Origin Value against the domains of its sub level.

    This is disabled by default.

  11. Click Save.
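
The following is an added example, not Fortinet's code: a pre-entry check for one Allowed Origin entry against the limits listed above, plus a model of how the Protocol, Origin Name, Port and Include Sub Domains fields would combine against a request's Origin header. The matching rules (glob-style wildcards, default port taken from the scheme, a non-empty name) are assumptions, and the entry values are constructed samples.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

NAME_RE = re.compile(r"^[A-Za-z0-9.:_-]*$")  # name pattern quoted in the handbook
DEFAULT_PORTS = {"http": 80, "https": 443}   # ports a browser omits from Origin

def validate_entry(name, protocol="HTTP", origin_name="", port=80,
                   include_sub_domains=False):
    """Check one entry against the documented limits; return a list of problems."""
    problems = []
    if not name or not NAME_RE.match(name):  # non-empty is an assumption
        problems.append("name: non-empty, only A-Z a-z 0-9 . : _ - (no spaces)")
    if protocol not in ("HTTP", "HTTPS", "ANY"):
        problems.append("protocol: must be HTTP, HTTPS or ANY")
    if not 1 <= len(origin_name) <= 128:
        problems.append("origin name: 1-128 characters")
    if not isinstance(port, int) or not 0 <= port <= 65535:
        problems.append("port: integer in 0-65535")
    if not isinstance(include_sub_domains, bool):
        problems.append("include sub domains: must be enabled or disabled")
    return problems

def origin_matches(origin_header, protocol="HTTP", origin_name="", port=80,
                   include_sub_domains=False):
    """Assumed matching model (not the appliance's code): is this Origin covered?"""
    try:
        parts = urlsplit(origin_header)
        scheme, host = parts.scheme.lower(), parts.hostname or ""
        req_port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except (ValueError, KeyError):   # malformed port or non-HTTP(S) scheme
        return False
    if not host or (protocol != "ANY" and protocol.lower() != scheme):
        return False
    if port != req_port:
        return False
    pattern = origin_name.lower()
    if fnmatchcase(host, pattern):   # assumption: wildcards behave like shell globs
        return True
    return include_sub_domains and fnmatchcase(host, "*." + pattern)

# Constructed sample entry: handbook defaults, only the origin name filled in.
ENTRY = dict(protocol="HTTP", origin_name="app.example.com", port=80,
             include_sub_domains=False)
HTTPS_ENTRY = dict(ENTRY, protocol="HTTPS", port=443)

if __name__ == "__main__":
    print(validate_entry("shop origins", **ENTRY))                   # space in name
    print(origin_matches("https://app.example.com", **ENTRY))        # defaults
    print(origin_matches("https://app.example.com", **HTTPS_ENTRY))  # HTTPS/443
```

Under this model an entry left at the defaults (HTTP, port 80) does not cover an HTTPS origin, and a wildcard written without a leading dot, such as `*example.com`, also covers look-alike hosts; `*.example.com` or Include Sub Domains keeps the match on a label boundary.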
