Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LucasG
New Contributor

Created on ‎03-21-2025 01:18 PM

CORS Protection OPTIONS request for API REST

First of all, I'm not a developer, but I have some knowledge of React and Nest.js. I'm developing a React/Nest.js web application to centralize my client's data. Everything works fine except for one issue: when I try to call the Fortigate API to retrieve license data and uptime from my different clients.

 

When my app makes a request to the Fortigate API, it sends an OPTIONS request first, but Fortigate does not seem to allow, recognize, or handle this request properly.

 

One important thing to note: when I click on the request URL directly in my browser, a new tab opens, displaying the JSON data. So, I assume that clicking the link directly triggers a GET request, which works fine.

 

On the Fortigate i allowed "CORS Allow Origin" with * (I know i will change it after)

I would like to know if there is a way to bypass the OPTIONS request and send only a GET request.

 

I dont have the Web Protection menu on my Fortigate V7.4.3, so i can't configure CORS Protection

Configuring allowed origin

Configure the allowed origin to add a list of applications that are allowed to access your application.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select Allowed Origin tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New to create an allowed origin list.
  4. Enter a name for it.
  5. Click OK.
  6. Click Create New to add an application.
  7. Configure these settings.

 

Thanks for your help, guys!

 

My error : Request URL: https://FORTIGATEIP/api/v2/monitor/license/status Request Method: OPTIONS Status Code: 401 Unauthorized Remote Address: FORTIGATEIP Referrer Policy: strict-origin-when-cross-origin content-length: 503 content-security-policy: frame-ancestors 'self' content-type: text/html; charset=iso-8859-1 date: Thu, 20 Mar 2025 01:04:28 GMT x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block :authority: FORTIGATEIP :method: OPTIONS :path: /api/v2/monitor/license/status :scheme: https accept: */* accept-encoding: gzip, deflate, br, zstd accept-language: en-GB,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-US;q=0.6 access-control-request-headers: authorization access-control-request-method: GET origin: http://localhost:3001 priority: u=1, i referer: http://localhost:3001/ sec-fetch-dest: empty sec-fetch-mode: cors sec-fetch-site: cross-site user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

Labels:
1198
0 Kudos
7 REPLIES 7
Anthony_E
Community Manager
Community Manager

Created on ‎03-23-2025 11:51 PM

Hello Lucas,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
1160
LucasG
New Contributor
In response to Anthony_E

Created on ‎03-25-2025 02:11 PM

Hello Anthony,

 

Do I need a particular license to access Web Protection > Access > CORS Protection?

 

I don’t see the Web Protection section on my FortiGate.

 

Thanks for your help.

 

1128
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎03-26-2025 01:02 AM

Hello Lucas,

 

That is a good question :)!

I'm looking for an expert to help you.

 

Regards,

Anthony-Fortinet Community Team.
1109
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎04-01-2025 12:57 AM

Hi Lucas,

 

May I invite you to open a case with our support team?:

https://support.fortinet.com/welcome/#/

 

Regards,

Anthony-Fortinet Community Team.
1055
kunolnu1
New Contributor

Created on ‎04-01-2025 02:40 AM

Option request should not hit an api. Before browser sends an Ajax request it checks if it has permissions to. This is an Option call. Read up on cors request. PS: You can not avoid it. It's part of the browser and not axios or any other library would be able to avoid it.

https://omegle.onl/ vshare
https://omegle.onl/ vshare
1046
0 Kudos
LucasG
New Contributor
In response to kunolnu1

Created on ‎04-01-2025 10:51 AM

Hi,

I understand the OPTIONS request issue. The thing is, when I use Postman to send a GET request to the FortiGate API with my API key, it works fine—I receive a 200 OK response along with the JSON data.

However, when the request comes from my browser, FortiGate rejects the OPTIONS request that is sent before the GET request.

That's the problem...

1017
0 Kudos
LucasG
New Contributor

Created on ‎04-22-2025 07:19 PM

Up!
I'm still unable to query the FortiGate API via Chrome, Firefox, or Edge because of the OPTIONS method...

I can't believe I'm the only one trying to use the FortiGate API from a web app.

885
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.