HTTP Headers
Origin
The HTTP Origin request header signifies the origin (scheme, hostname, and port) that triggered the request.
For example, if a user agent requests resources embedded in a webpage or fetched by scripts, the origin of that page may be included in the request.
The Origin header is classified as a Request header. It is typically forbidden in certain request contexts, such as in some cross-origin requests, to enhance security.
Syntax
Origin: null
Origin: <scheme>://<hostname>
Origin: <scheme>://<hostname>:<port>
Directives
null
The origin is considered “privacy sensitive” or is classified as an opaque origin according to the HTML specification. Specific cases of this are detailed in the description section.
<scheme>
The protocol used for communication. Typically, this is the HTTP protocol or its secure counterpart, HTTPS.
<hostname>
The domain name or IP address of the origin server that hosts the resource.
<port>
Optional. The port number on which the server is listening for connections. If no port is specified, the default port for the scheme is assumed (for example, port 80 for HTTP).
Description
The Origin header is similar to the Referer header but does not reveal the full path and may sometimes be null. It provides the security context for origin requests, especially when sharing sensitive or unnecessary information should be avoided.
Generally, user agents include the Origin header in:
• Cross-origin requests.
• Same-origin requests, except for GET or HEAD, such as in POST, OPTIONS, PUT, PATCH, and DELETE requests.
Exceptions include situations like cross-origin GET or HEAD requests made in no-cors mode, where the Origin header will not be added. The value of the Origin header can be null in various cases, including but not limited to:
• When the scheme is not among http, https, ftp, ws, wss, or gopher (including blob, file, and data).
• For images and media data from cross-origin sources, such as in <img>, <video>, and <audio> tags.
• Documents created programmatically using createDocument(), generated from a data: URL, or that lack a creator browsing context.
• During redirects across different origins.
• If the iframe has a sandbox attribute that omits allow-same-origin.
• Network error responses.
• When Referrer-Policy is set to no-referrer for non-cors request modes, such as basic form submissions.
Examples
Origin: https://developer.mozilla.org
Origin: https://developer.mozilla.org:80
How to Modify Header using Requestly
- Install and open the Requestly Chrome extension. You can find it on the Chrome Web Store.
- Create a new rule: Click on “Create Rule” and choose “Modify Headers” from the list of available rule types.
- Add a new header modification:
  - Under “Action”, select “Add” or “Override”.
  - In the “Header Name” field, enter Origin.
  - In the “Header Value” field, enter the desired origin URL (e.g., https://example.com).
- Set the URL condition: Specify the URL or pattern where this header change should apply (e.g., https://your-api.com/*).
- Save the rule.
Once set up, Requestly will inject the specified Origin header into all matching requests, helping you test cross-origin behavior and CORS policies on your server without needing to change your client environment. Modifying the Origin header is useful when you want to see how your server responds to requests coming from different websites, especially to check if your security settings like CORS (Cross-Origin Resource Sharing) are working correctly.
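The server-side check that such a test exercises, as an added example (not code from the original page or from Requestly): it normalizes the Origin value according to the syntax above and echoes it in Access-Control-Allow-Origin only on an exact allowlist match. The allowlist entries and the function names normalizeOrigin and corsHeaders are assumptions.

```javascript
// Added example: normalize and allowlist-check the Origin request header.
// ALLOWED_ORIGINS and both function names are assumptions for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",        // constructed value
  "https://admin.example.com:8443", // constructed value, non-default port
]);

// Accept only <scheme>://<hostname>[:<port>] with an http(s) scheme:
// no path, query, fragment, credentials or whitespace.
const ORIGIN_SYNTAX = /^https?:\/\/[^\/\\?#@\s]+$/i;

// Returns the canonical origin string, or null when the header is missing,
// is the literal "null", or does not match the Origin syntax.
function normalizeOrigin(value) {
  if (typeof value !== "string" || !ORIGIN_SYNTAX.test(value)) return null;
  try {
    // URL lowercases scheme and host and drops the scheme's default port,
    // so "https://host:443" and "https://host" compare equal.
    return new URL(value).origin;
  } catch {
    return null; // e.g. port out of range
  }
}

// Returns the CORS response headers to send for this request's Origin.
// Unknown, malformed or "null" origins get no CORS headers at all.
function corsHeaders(originHeader) {
  const origin = normalizeOrigin(originHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return {};
  // Vary: Origin keeps caches from reusing one origin's response for another.
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Constructed Origin values of the kind a header-modification rule would send.
for (const sample of [
  "https://app.example.com",
  "https://app.example.com:443",
  "https://admin.example.com:8443",
  "http://app.example.com",
  "https://app.example.com.other.test",
  "https://app.example.com/path",
  "null",
]) {
  console.log(sample.padEnd(36), JSON.stringify(corsHeaders(sample)));
}
```

Only the first three sample values receive CORS headers; the scheme mismatch, the longer hostname, the value with a path, and null all get an empty header set.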