
Origin

The HTTP Origin request header signifies the origin (scheme, hostname, and port) that triggered the request.

For example, if a user agent requests resources embedded in a webpage or fetched by scripts, the origin of that page may be included in the request.

The Origin header is a request header. It is also a forbidden request header: scripts cannot set or modify it programmatically, so in a browser its value is always chosen by the user agent.

Syntax

http
Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>

Directives

null

The origin is considered “privacy sensitive” or is classified as an opaque origin according to the HTML specification. Specific cases of this are detailed in the description section.

<scheme>

The protocol used for communication. Typically, this is the HTTP protocol or its secure counterpart, HTTPS.

<hostname>

The domain name or IP address of the origin server that hosts the resource.

<port> Optional

The port number on which the server is listening for connections. If no port is specified, the default port for the scheme is assumed — for example, port 80 for HTTP.

Description

The Origin header is similar to the Referer header but does not reveal the full path and may sometimes be null. It provides the security context for the request, except in cases where the origin information would be sensitive or unnecessary.

Generally, user agents include the Origin header in:

    • Cross-origin requests.
    • Same-origin requests other than GET or HEAD, that is, POST, OPTIONS, PUT, PATCH, and DELETE requests.

There are exceptions: for example, a cross-origin GET or HEAD request made in no-cors mode will not have the Origin header added.

The value of the Origin header can be null in various cases, including but not limited to:

    • When the scheme is not among http, https, ftp, ws, wss, or gopher (including blob, file, and data).
    • For images and media data from cross-origin sources, such as in <img>, <video>, and <audio> tags.
    • Documents created programmatically using createDocument(), generated from a data: URL, or that lack a creator browsing context.
    • During redirects across different origins.
    • If the iframe has a sandbox attribute that omits allow-same-origin.
    • Network error responses.
    • When Referrer-Policy is set to no-referrer for non-cors request modes, such as basic form submissions.

Examples

http
Origin: https://developer.mozilla.org

http
Origin: https://developer.mozilla.org:80

How to Modify Header using Requestly

Requestly is a powerful Chrome extension that allows you to modify HTTP headers, including the Origin header. This can be very helpful when you want to test how your server handles requests from different origins without changing your actual environment.

Steps to Modify the Origin Header:

  1. Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
  2. Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
  3. Add a new header modification:
    • Under “Action”, select “Add” or “Override”.
    • In the “Header Name” field, enter Origin.
    • In the “Header Value” field, enter the desired origin URL (e.g., https://example.com).
  4. Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
  5. Save the rule.

Once set up, Requestly will inject the specified Origin header into all matching requests, so you can test cross-origin behavior without changing your client environment. This is useful for seeing how your server responds to requests coming from different websites, and in particular for checking that security settings such as CORS (Cross-Origin Resource Sharing) are working correctly.
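
What the server being tested might do with the Origin values such a rule sends, as an added example (not Requestly or MDN code): it parses the three forms from the Syntax section, normalizes the default port, and allows only exact allowlist matches. The allowlist, the function names and the sample origins are assumptions made for the illustration.

```javascript
// Added example. ALLOWED_ORIGINS, normalizeOrigin and corsHeadersFor are
// hypothetical names; every origin below is a constructed sample.
const WEB_SCHEMES = new Set(["http:", "https:"]);
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "http://localhost:3000"]);

// Turn an Origin header value into a canonical string, or return
// undefined when it matches none of the three forms in the Syntax section.
function normalizeOrigin(value) {
  if (typeof value !== "string") return undefined; // header absent
  if (value === "null") return "null"; // opaque / privacy-sensitive origin
  // Only <scheme>://<hostname>[:<port>]: no path, query, fragment or userinfo.
  if (!/^[a-z][a-z0-9+.-]*:\/\/[^\/\\?#@\s]+$/i.test(value)) return undefined;
  let url;
  try {
    url = new URL(value);
  } catch {
    return undefined; // for example, a port outside 0-65535
  }
  if (!WEB_SCHEMES.has(url.protocol)) return undefined;
  // URL lower-cases the hostname and drops the scheme's default port, so
  // "https://app.example.com:443" equals "https://app.example.com".
  return url.origin;
}

// Decide the CORS response headers for one request's Origin header.
function corsHeadersFor(originHeader) {
  const headers = { Vary: "Origin" }; // the response depends on Origin
  const origin = normalizeOrigin(originHeader);
  // Exact match on the whole origin; "null" is never on the allowlist.
  if (origin !== undefined && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed header values to try against the check.
for (const sample of [
  "https://app.example.com",
  "https://app.example.com:443",
  "https://app.example.com:80",
  "https://app.example.com.other.test",
  "https://app.example.com/path",
  "null",
]) {
  const allowed = corsHeadersFor(sample)["Access-Control-Allow-Origin"];
  console.log(sample, "->", allowed ?? "(not allowed)");
}
```

This decision only controls what a browser may read cross-origin; because any client can send an arbitrary Origin value, it is not a substitute for authentication.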