Fortinet black logo

Administration Guide

Cross-Origin Resource Sharing (CORS) protection

Cross-Origin Resource Sharing (CORS) protection

If you have enabled Cross-Origin Resource Sharing (CORS) for your application, the resources of your application can be accessed by other applications using JavaScript within the browser. Use the CORS Protection feature on FortiWeb so that only legitimate CORS requests from allowed web applications can reach your application.

There are three tabs on CORS protection page:

Allowed Origin: Configure a list of applications that are allowed to access your application.

CORS Protection Rule: Configure rules to restrict CORS access.

CORS policy: Combine CORS protection rules together into a policy. You can later reference the CORS Protection Policy in an inline protection profile.

Configuring allowed origin

Configure the allowed origin to add a list of applications that are allowed to access your application.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select Allowed Origin tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New to create an allowed origin list.
  4. Enter a name for it.
  5. Click OK.
  6. Click Create New to add an application.
  7. Configure these settings.
  8. Protocol

    Select which type of protocols are allowed for the connections between foreign applications and your application.

    Origin Value

    Enter the foreign application's domain name.
    Wildcards are supported.
    Please note that the Origin Value only matches with domains in the same level, for example, *.com matches with a.com but not a.b.com; while *.b.com matches with a.b.com.

    Port

    Type the TCP port number for the CORS connections. The valid range is from 0 to 65,535.

    0 means the CORS requests can reach at any TCP port number.

    Include Sub Domains

    Enable this option so that the Origin Value matches with domains of its sub level. For example, if this option is enabled, *.com matches with all domain names.

  9. Click OK.
  10. Repeat step 6-8 if you want to add more applications to the list.

Configuring CORS protection rule

Configure CORS Protection Rule to block CORS traffic or add restrictions for the CORS traffic.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select the CORS Protection Rule tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure these settings.
  5. Name

    Enter a name for the CORS protection rule.

    Host Status

    Enable if you want this rule to protect a specific domain name or IP address. Must also configure Host if this option is enabled.

    Host

    Select the protected hostnames entry (either a web host name or IP address). This rule will apply to the requests that have the selected hostname in the host: field.

    Type

    Indicate whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression

    URL Pattern

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Block CORS Traffic

    Enable this option to block all the CORS traffic to the above specified host and/or URL.

    Disable this option to allow CORS traffic, in the meantime configure the settings below to add restrictions for the CORS traffic.

    Allowed Origins

    Select the allowed origins list so that only the CORS traffic from the specified applications are allowed.

    With an Allowed Origins list selected, FortiWeb will compare the foreign application's domain name against the list. If it matches, FortiWeb allows the CORS request and adds Access-Control-Allow-Origin: <the foreign application's domain name> in the response package.

    If you leave the Allowed Origins unselected, the back-end application server, instead of FortiWeb, determines whether to allow CORS request from the foreign application and sets a value for Access-Control-Allow-Origin in the response package. If the CORS rule configured on the back-end server is to allow CORS requests from all applications, the value for Access-Control-Allow-Origin will be *. This will have an influence on the Allowed Credentials option below.

    If you have not yet configured an allowed origins list, see Configuring allowed origin

    Allowed Credentials

    Specify whether CORS requests from foreign applications can include user credentials.

    • None: Allow CORS requests with or without user credentials.
    • TRUE: Allow only CORS requests with user credentials.
      The CORS specification requires a specific value for Access-Control-Allow-Origin in the response package if the Access-Control-Allow-Credentials is true.
      If you leave the Allowed Origins unselected, please be careful to select TRUE for Allowed Credentials unless you are sure the back-end server will not set * for Access-Control-Allow-Origin in the response package.
    • FALSE: Allow only CORS requests without user credentials.
    Allowed Maximum Age

    The maximum time period before the result of a preflight request expires. The valid range is from 0 to 86,400. 0 means using the Allowed Maximum Age configured in the back-end server.

    For example, if the Allowed Maximum Age is set to 3,600 seconds, and the initial preflight request is allowed, then the subsequent CORS requests in the next 3,600 seconds can be sent directly without a precedent preflight request.

    This applies only to the CORS preflighted requests, not the simple requests.

    Allowed Methods

    With this option enabled, you can later add an Allowed Method list so that FortiWeb can check against the list to verify whether the allow methods used in the CORS requests are legitimate.

    Allowed Headers

    With this option enabled, you can later add an Allowed Headers list so that FortiWeb can check against the list to verify whether the headers used in the CORS requests are legitimate.

    Exposed Headers

    With this option enabled, you can later add an Exposed Headers list to allow FortiWeb to expose the specified headers in JavaScript and share with foreign applications.

  6. Click OK.
  7. The Allowed Method Type, Allowed Header Name, and Exposed Header Name tables appear. Click Create New to add entries in these tables.

If the CORS protection policy is applied together with an Allow Method policy (Web Protection > Access > Allow Method) in a web protection profile, please make sure the following:

  • Enable the OPTIONS method in the Allow Method policy, otherwise the preflighted CORS requests will be blocked.
  • The methods in Allowed Method Type table should be a subset of the selected methods in the Allow Method Policy (Web Protection > Access > Allow Method).

Configuring CORS protection policy

Include one or more CORS protection rules in a CORS protection policy so that they can take effect as a whole.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select the CORS Protection Policy tab.
  3. Click Create New.
  4. Enter a name for this policy.
  5. Click OK.
  6. Click Create New.
  7. Select the CORS protection rule that you would like to include in this policy.
  8. Click OK.
  9. Repeat step 6-8 if you want to add more rules in this policy.
  10. To apply the CORS protection policy, select it as the CORS Protection in a protection profile. For details, see Configuring a protection profile for inline topologies .

    Attack log messages contain CORS Protection Violation when this feature detects an unauthorized access attempt.

Cross-Origin Resource Sharing (CORS) protection

If you have enabled Cross-Origin Resource Sharing (CORS) for your application, the resources of your application can be accessed by other applications using JavaScript within the browser. Use the CORS Protection feature on FortiWeb so that only legitimate CORS requests from allowed web applications can reach your application.

There are three tabs on CORS protection page:

Allowed Origin: Configure a list of applications that are allowed to access your application.

CORS Protection Rule: Configure rules to restrict CORS access.

CORS policy: Combine CORS protection rules together into a policy. You can later reference the CORS Protection Policy in an inline protection profile.

Configuring allowed origin

Configure the allowed origin to add a list of applications that are allowed to access your application.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select Allowed Origin tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New to create an allowed origin list.
  4. Enter a name for it.
  5. Click OK.
  6. Click Create New to add an application.
  7. Configure these settings.
  8. Protocol

    Select which type of protocols are allowed for the connections between foreign applications and your application.

    Origin Value

    Enter the foreign application's domain name.
    Wildcards are supported.
    Please note that the Origin Value only matches with domains in the same level, for example, *.com matches with a.com but not a.b.com; while *.b.com matches with a.b.com.

    Port

    Type the TCP port number for the CORS connections. The valid range is from 0 to 65,535.

    0 means the CORS requests can reach at any TCP port number.

    Include Sub Domains

    Enable this option so that the Origin Value matches with domains of its sub level. For example, if this option is enabled, *.com matches with all domain names.

  9. Click OK.
  10. Repeat step 6-8 if you want to add more applications to the list.

Configuring CORS protection rule

Configure CORS Protection Rule to block CORS traffic or add restrictions for the CORS traffic.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select the CORS Protection Rule tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New.
  4. Configure these settings.
  5. Name

    Enter a name for the CORS protection rule.

    Host Status

    Enable if you want this rule to protect a specific domain name or IP address. Must also configure Host if this option is enabled.

    Host

    Select the protected hostnames entry (either a web host name or IP address). This rule will apply to the requests that have the selected hostname in the host: field.

    Type

    Indicate whether URL Pattern is a Simple String (that is, a literal URL) or a Regular Expression

    URL Pattern

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).
    • A regular expression, such as ^/*.php. This pattern does not require beginning with a slash ( / ); however, it must match URLs that begin with a slash.

    Do not include the domain name, such as www.example.com, which is configured separately in the Host drop-down list.

    To create and test a regular expression, click the >> (test) icon. This opens the Regular Expression Validator window where you can fine-tune the expression. For details, see Regular expression syntax.

    Block CORS Traffic

    Enable this option to block all the CORS traffic to the above specified host and/or URL.

    Disable this option to allow CORS traffic, in the meantime configure the settings below to add restrictions for the CORS traffic.

    Allowed Origins

    Select the allowed origins list so that only the CORS traffic from the specified applications are allowed.

    With an Allowed Origins list selected, FortiWeb will compare the foreign application's domain name against the list. If it matches, FortiWeb allows the CORS request and adds Access-Control-Allow-Origin: <the foreign application's domain name> in the response package.

    If you leave the Allowed Origins unselected, the back-end application server, instead of FortiWeb, determines whether to allow CORS request from the foreign application and sets a value for Access-Control-Allow-Origin in the response package. If the CORS rule configured on the back-end server is to allow CORS requests from all applications, the value for Access-Control-Allow-Origin will be *. This will have an influence on the Allowed Credentials option below.

    If you have not yet configured an allowed origins list, see Configuring allowed origin

    Allowed Credentials

    Specify whether CORS requests from foreign applications can include user credentials.

    • None: Allow CORS requests with or without user credentials.
    • TRUE: Allow only CORS requests with user credentials.
      The CORS specification requires a specific value for Access-Control-Allow-Origin in the response package if the Access-Control-Allow-Credentials is true.
      If you leave the Allowed Origins unselected, please be careful to select TRUE for Allowed Credentials unless you are sure the back-end server will not set * for Access-Control-Allow-Origin in the response package.
    • FALSE: Allow only CORS requests without user credentials.
    Allowed Maximum Age

    The maximum time period before the result of a preflight request expires. The valid range is from 0 to 86,400. 0 means using the Allowed Maximum Age configured in the back-end server.

    For example, if the Allowed Maximum Age is set to 3,600 seconds, and the initial preflight request is allowed, then the subsequent CORS requests in the next 3,600 seconds can be sent directly without a precedent preflight request.

    This applies only to the CORS preflighted requests, not the simple requests.

    Allowed Methods

    With this option enabled, you can later add an Allowed Method list so that FortiWeb can check against the list to verify whether the allow methods used in the CORS requests are legitimate.

    Allowed Headers

    With this option enabled, you can later add an Allowed Headers list so that FortiWeb can check against the list to verify whether the headers used in the CORS requests are legitimate.

    Exposed Headers

    With this option enabled, you can later add an Exposed Headers list to allow FortiWeb to expose the specified headers in JavaScript and share with foreign applications.

  6. Click OK.
  7. The Allowed Method Type, Allowed Header Name, and Exposed Header Name tables appear. Click Create New to add entries in these tables.

If the CORS protection policy is applied together with an Allow Method policy (Web Protection > Access > Allow Method) in a web protection profile, please make sure the following:

  • Enable the OPTIONS method in the Allow Method policy, otherwise the preflighted CORS requests will be blocked.
  • The methods in Allowed Method Type table should be a subset of the selected methods in the Allow Method Policy (Web Protection > Access > Allow Method).

Configuring CORS protection policy

Include one or more CORS protection rules in a CORS protection policy so that they can take effect as a whole.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select the CORS Protection Policy tab.
  3. Click Create New.
  4. Enter a name for this policy.
  5. Click OK.
  6. Click Create New.
  7. Select the CORS protection rule that you would like to include in this policy.
  8. Click OK.
  9. Repeat step 6-8 if you want to add more rules in this policy.
  10. To apply the CORS protection policy, select it as the CORS Protection in a protection profile. For details, see Configuring a protection profile for inline topologies .

    Attack log messages contain CORS Protection Violation when this feature detects an unauthorized access attempt.