Cross-Origin Resource Sharing (CORS) is an HTTP header-based security mechanism that lets a web page from one origin (scheme, domain, and port) access resources of another origin. For example, assume www.ap.abc.com and www.ab.xyz.com are two applications on different domains. If JavaScript running in the application www.ap.abc.com wants to read content from www.ab.xyz.com, the browser permits it only if www.ab.xyz.com returns CORS headers that allow that origin.
On the Barracuda WAF, the CORS policy configuration can be offloaded from the server. Administrators can specify the domain(s), method(s), and header(s) that need to be allowed to access the response from the server when a request is sent to the configured URL. To enable CORS Protection, Override CORS must be set to Yes.
Configure CORS Protection
- Go to the BOT MITIGATION > Bot Mitigation page.
- Select Edit under Options next to the URL policy for which you want to configure CORS protection.
- On the Edit URL Policy page, scroll down to the CORS Protection section and configure the following:
  - Override CORS – Set to Yes to override the CORS response headers that are returned by the back-end server. When set to No, the response is sent to the client without any CORS-related changes.
  - CORS Allow Origin – Specify the origin that is allowed to access the response from the server.
  - CORS Allow Methods – Specify the HTTP method(s) that are allowed to access the response. Use a comma as the delimiter when setting multiple values. For example: GET, POST
  - CORS Allow Headers – Specify the request header(s) that are allowed to be sent with the request. Use a comma as the delimiter when setting multiple values. For example: X-Custom-Header, Upgrade-Insecure-Requests
  - CORS Allow Credentials – Choose one of the following:
    - Select True to allow credentials, such as cookies and the Authorization header, to be sent with the request.
    - Select Do not include to omit the credentials from the request.
  - CORS Max Age – Specify the time in seconds for which the results of a preflight request may be cached. The results here refer to the content of the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers.
  - CORS Expose Headers – Specify the response header(s) that need to be visible to the client.
- Click Save.
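To make the effect of these settings concrete, here is an added Python model of what Override CORS set to Yes does to a response; it is not Barracuda's code. It assumes a single allowed origin (or "*"), the policy field names shown, a method argument for detecting preflights, and adds the browser rule that credentials cannot be combined with a wildcard origin.

```python
"""Constructed model of the WAF's CORS override: strip the back end's CORS headers,
then attach the configured ones depending on whether the request is a preflight."""
from dataclasses import dataclass

CORS_PREFIX = "access-control-"


@dataclass
class CorsPolicy:                      # field names are assumptions, mirroring the UI
    allow_origin: str = "*"            # one origin such as "https://www.ap.abc.com", or "*"
    allow_methods: str = "GET, POST"   # comma-delimited, as entered in the UI
    allow_headers: str = ""
    allow_credentials: bool = False    # True / "Do not include"
    max_age: int = 600                 # seconds the preflight result may be cached
    expose_headers: str = ""


def apply_cors(policy, method, request_headers, backend_headers):
    """Return the headers the client receives after the WAF rewrites CORS."""
    req = {k.lower(): v for k, v in request_headers.items()}
    # Override: whatever CORS headers the back end produced are dropped first,
    # so a permissive "*" from the application cannot leak through.
    out = {k: v for k, v in backend_headers.items()
           if not k.lower().startswith(CORS_PREFIX)}
    origin = req.get("origin")
    if origin is None:
        return out                     # not a cross-origin browser request
    if policy.allow_origin != "*" and origin.lower() != policy.allow_origin.lower():
        return out                     # origin not allowed: no ACAO, the browser blocks it
    if policy.allow_credentials:
        # Browsers reject Allow-Origin "*" together with credentials; be explicit.
        if policy.allow_origin == "*":
            raise ValueError("Allow Credentials requires an explicit Allow Origin")
        out["Access-Control-Allow-Credentials"] = "true"
        out["Vary"] = "Origin"         # merge with an existing Vary in a real deployment
    out["Access-Control-Allow-Origin"] = policy.allow_origin
    is_preflight = (method.upper() == "OPTIONS"
                    and "access-control-request-method" in req)
    if is_preflight:
        # Only Allow-Methods and Allow-Headers are cached, for Max-Age seconds.
        out["Access-Control-Allow-Methods"] = policy.allow_methods
        if policy.allow_headers:
            out["Access-Control-Allow-Headers"] = policy.allow_headers
        out["Access-Control-Max-Age"] = str(policy.max_age)
    elif policy.expose_headers:
        out["Access-Control-Expose-Headers"] = policy.expose_headers
    return out
```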