How to Protect CORS POSTs using Shape Defense


  • This article will show you how to configure Shape Defense when your application makes a CORS (Cross Origin Resource Sharing) POST.
  • For example, when your home page is and clicking on login makes a POST to Note that since the 2 domains are different, this will require an additional configuration at Silverline.
  • If the next domain isn't configured in Silverline, Shape telemetry isn't passed to the next domain, and the request is flagged as "Token Missing".



  • Silverline Shape Defense 




  1. Decoration
    • When a user requests a page at, the Silverline configuration at this domain inserts the Shape JS into the page.
    • By default, Shape JS uses the FQDN as the protected domain. It does not know about the domain. This domain needs to be specified in the Additional Protected Endpoint Domain & Path section of the JavaScript Insertion configuration, under the Shape Defense tab in the Proxy setup for
    • NOTE: There is no space between the comma and the next entry. Please do not add any spaces.
    • The Shape JS on now knows about the additional domains and paths it needs to protect.


  2. Telemetry Evaluation
    • In the Shape Defense configuration for, add the protected endpoints under the Protected Endpoints section.
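
A pre-deployment check for the two steps above, as an added example (not Silverline or Shape code): it rejects a field value containing spaces and reports which cross-origin POST targets are missing from the additional protected list. Assumptions: each entry has the form host/path and matches by path prefix, and the function names, example.com and example.net are hypothetical placeholders.

```javascript
// Added example; not part of the Silverline or Shape products.
// ASSUMPTION: each entry looks like "host/path". The article only states that
// entries are comma-separated with no space after the comma.
function parseProtectedEntries(field) {
  if (/\s/.test(field)) {
    throw new Error("whitespace found: separate entries with a bare comma");
  }
  return field.split(",").filter(Boolean).map((entry) => {
    const slash = entry.indexOf("/");
    const host = (slash === -1 ? entry : entry.slice(0, slash)).toLowerCase();
    const path = slash === -1 ? "/" : entry.slice(slash);
    return { host, path };
  });
}

// Classify every POST target used by the page served from pageOrigin.
function auditPostTargets(pageOrigin, field, postUrls) {
  const page = new URL(pageOrigin);
  const entries = parseProtectedEntries(field);
  return postUrls.map((raw) => {
    const url = new URL(raw, page); // relative URLs resolve against the page
    if (url.origin === page.origin) {
      return { url: url.href, status: "same-origin" };
    }
    // ASSUMPTION: an entry covers a URL when the host is equal and the
    // request path starts with the entry path.
    const covered = entries.some(
      (e) => e.host === url.host && url.pathname.startsWith(e.path)
    );
    // Per the article, a cross-origin POST to a domain that is not configured
    // gets no Shape telemetry and is flagged "Token Missing".
    return { url: url.href, status: covered ? "covered" : "not-listed" };
  });
}

// Constructed sample data.
const SAMPLE_FIELD = "login.example.net/api/login,pay.example.net/checkout";
const SAMPLE_POSTS = [
  "/search",
  "https://login.example.net/api/login",
  "https://pay.example.net/refund",
];

console.log(auditPostTargets("https://www.example.com", SAMPLE_FIELD, SAMPLE_POSTS));
```

Any target reported as not-listed needs an entry in the Additional Protected Endpoint Domain & Path field and in the Protected Endpoints section before the page goes live.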








