Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
LucasG
New Contributor

Created on ‎03-21-2025 01:18 PM

CORS Protection OPTIONS request for API REST

First of all, I'm not a developer, but I have some knowledge of React and Nest.js. I'm developing a React/Nest.js web application to centralize my client's data. Everything works fine except for one issue: when I try to call the Fortigate API to retrieve license data and uptime from my different clients.

 

When my app makes a request to the Fortigate API, it sends an OPTIONS request first, but Fortigate does not seem to allow, recognize, or handle this request properly.

 

One important thing to note: when I click on the request URL directly in my browser, a new tab opens, displaying the JSON data. So, I assume that clicking the link directly triggers a GET request, which works fine.

 

On the Fortigate i allowed "CORS Allow Origin" with * (I know i will change it after)

I would like to know if there is a way to bypass the OPTIONS request and send only a GET request.

 

I dont have the Web Protection menu on my Fortigate V7.4.3, so i can't configure CORS Protection

Configuring allowed origin

Configure the allowed origin to add a list of applications that are allowed to access your application.

  1. Go to Web Protection > Access > CORS Protection.
  2. Select Allowed Origin tab.
    To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.
  3. Click Create New to create an allowed origin list.
  4. Enter a name for it.
  5. Click OK.
  6. Click Create New to add an application.
  7. Configure these settings.

 

Thanks for your help, guys!

 

My error : Request URL: https://FORTIGATEIP/api/v2/monitor/license/status Request Method: OPTIONS Status Code: 401 Unauthorized Remote Address: FORTIGATEIP Referrer Policy: strict-origin-when-cross-origin content-length: 503 content-security-policy: frame-ancestors 'self' content-type: text/html; charset=iso-8859-1 date: Thu, 20 Mar 2025 01:04:28 GMT x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block :authority: FORTIGATEIP :method: OPTIONS :path: /api/v2/monitor/license/status :scheme: https accept: */* accept-encoding: gzip, deflate, br, zstd accept-language: en-GB,en;q=0.9,fr-FR;q=0.8,fr;q=0.7,en-US;q=0.6 access-control-request-headers: authorization access-control-request-method: GET origin: http://localhost:3001 priority: u=1, i referer: http://localhost:3001/ sec-fetch-dest: empty sec-fetch-mode: cors sec-fetch-site: cross-site user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36

Labels:
63
0 Kudos
1 REPLY 1
Anthony_E
Community Manager
Community Manager

Created on ‎03-23-2025 11:51 PM

Hello Lucas,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
25
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.