First of all, I'm not a developer, but I have some knowledge of React and Nest.js. I'm developing a React/Nest.js web application to centralize my client's data. Everything works fine except for one issue: when I try to call the Fortigate API to retrieve license data and uptime from my different clients.
When my app makes a request to the Fortigate API, it sends an OPTIONS request first, but Fortigate does not seem to allow, recognize, or handle this request properly.
One important thing to note: when I click on the request URL directly in my browser, a new tab opens, displaying the JSON data. So, I assume that clicking the link directly triggers a GET request, which works fine.
On the Fortigate I allowed "CORS Allow Origin" with * (I know, I will change it after).
I would like to know if there is a way to bypass the OPTIONS request and send only a GET request.
I don't have the Web Protection menu on my Fortigate V7.4.3, so I can't configure CORS Protection.
Configure the allowed origin to add a list of applications that are allowed to access your application.
Thanks for your help, guys!
My error:

```
Request URL: https://FORTIGATEIP/api/v2/monitor/license/status
Request Method: OPTIONS
Status Code: 401 Unauthorized
Remote Address: FORTIGATEIP
Referrer Policy: strict-origin-when-cross-origin

content-length: 503
content-security-policy: frame-ancestors 'self'
content-type: text/html; charset=iso-8859-1
date: Thu, 20 Mar 2025 01:04:28 GMT
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

:authority: FORTIGATEIP
:method: OPTIONS
:path: /api/v2/monitor/license/status
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br, zstd
accept-language: en-GB,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-US;q=0.6
access-control-request-headers: authorization
access-control-request-method: GET
origin: http://localhost:3001
priority: u=1, i
referer: http://localhost:3001/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
```
Hello Lucas,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Anthony,
Do I need a particular license to access Web Protection > Access > CORS Protection?
I don’t see the Web Protection section on my FortiGate.
Thanks for your help.
Hello Lucas,
That is a good question :)!
I'm looking for an expert to help you.
Regards,
Hi Lucas,
May I invite you to open a case with our support team?
https://support.fortinet.com/welcome/#/
Regards,
An OPTIONS request should not hit an API. Before the browser sends an Ajax request, it checks if it has permission to. This is an OPTIONS call. Read up on CORS requests. PS: You cannot avoid it. It's part of the browser, and neither axios nor any other library would be able to avoid it.
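An added illustration of the browser behaviour described in the reply above (not part of the original thread, and not browser or Fortinet code): a simplified version of the Fetch-standard rule that decides when a cross-origin request is preceded by an OPTIONS preflight. The host `fortigate.example`, the `Bearer` scheme and the key value are placeholders, and `describePreflight` and `unsafeHeaders` are hypothetical helper names.

```javascript
// Added example: simplified form of the Fetch-standard CORS preflight rule.
// It ignores the standard's header-value length limits and the Range header.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Names of request headers that are not CORS-safelisted, lower-cased and sorted.
function unsafeHeaders(headers) {
  return Object.entries(headers).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (SAFE_HEADERS.has(n)) return false;
    if (n !== "content-type") return true;
    return !SAFE_CONTENT_TYPES.has(String(value).split(";")[0].trim().toLowerCase());
  }).map(([name]) => name.toLowerCase()).sort();
}

// Returns the OPTIONS preflight a browser would send first, or null if none.
function describePreflight(pageOrigin, req) {
  const method = (req.method || "GET").toUpperCase();
  if (new URL(req.url).origin === pageOrigin) return null; // same origin: no CORS
  const extra = unsafeHeaders(req.headers || {});
  if (SAFE_METHODS.has(method) && extra.length === 0) return null; // "simple" request
  // The preflight names the extra headers but never carries their values.
  const headers = { origin: pageOrigin, "access-control-request-method": method };
  if (extra.length) headers["access-control-request-headers"] = extra.join(",");
  return { method: "OPTIONS", url: req.url, headers };
}

// Constructed sample modelled on the request in the question.
// Placeholder host and key; the Bearer scheme is an assumption.
const PAGE_ORIGIN = "http://localhost:3001";
const apiCall = {
  url: "https://fortigate.example/api/v2/monitor/license/status",
  method: "GET",
  headers: { Authorization: "Bearer <API_KEY>" },
};

console.log(describePreflight(PAGE_ORIGIN, apiCall));
// The same GET without the Authorization header is a "simple" request: no preflight.
console.log(describePreflight(PAGE_ORIGIN, { url: apiCall.url, method: "GET" }));
```

The preflight lists `authorization` by name but does not carry the key itself, so an endpoint that requires authentication on every method answers the OPTIONS request with 401, as in the trace in the question.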
Hi,
I understand the OPTIONS request issue. The thing is, when I use Postman to send a GET request to the FortiGate API with my API key, it works fine—I receive a 200 OK response along with the JSON data.
However, when the request comes from my browser, FortiGate rejects the OPTIONS request that is sent before the GET request.
That's the problem...
Up!
I'm still unable to query the FortiGate API via Chrome, Firefox, or Edge because of the OPTIONS method...
I can't believe I'm the only one trying to use the FortiGate API from a web app.
Copyright 2025 Fortinet, Inc. All Rights Reserved.