Origin
The HTTP Origin request header indicates the origin (scheme, host, and port) of the request. Servers use this value to decide whether to permit cross-origin access under the CORS protocol.
Usage
Browsers attach the Origin header to cross-origin requests and same-origin requests triggered by certain methods or APIs. The header identifies where the request originated, giving the server the information needed to enforce access control policies.
The header appears in all CORS requests (including preflights), form submissions using POST, and requests initiated by the Fetch API or XMLHttpRequest. The browser does not include the header in same-origin GET or HEAD navigation requests.
Unlike the Referer header, Origin never includes the path or query string, making the value more privacy-preserving. The Sec-Fetch-Site header provides a complementary signal by classifying the request as same-origin, same-site, cross-site, or none.
Values
scheme://host:port
The full origin consisting of the protocol, hostname, and port. The port is omitted when the protocol uses a default port (80 for HTTP, 443 for HTTPS).
Origin: https://app.example.re
Origin: https://api.example.re:8443
null
Sent when the origin is privacy-sensitive or opaque. Sandboxed iframes, data: URLs, and redirects across origins produce a null value.
Origin: null
Note
Servers that treat null as a trusted origin for access control create a security gap. Many unrelated contexts share the same null origin, so trusting the value grants access to all of them.
Example
A cross-origin POST from a front-end application includes the Origin header so the server can verify the caller before returning a CORS-enabled response.
Request
POST /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Content-Type: application/json
Response
HTTP/1.1 201 Created
Access-Control-Allow-Origin: https://shop.example.re
Vary: Origin
A preflight OPTIONS request carries the origin alongside the intended method and headers.
Request
OPTIONS /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type
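The server-side check behind the responses above, and the reason the Note warns against trusting null, as an added example that is not part of the original page: an exact-match allowlist of origins that normalizes default ports, rejects null and malformed values, never reflects an arbitrary Origin, and answers a preflight only for permitted methods and headers. The allowlist contents, the helper names and the 600-second Max-Age are assumptions chosen for illustration.

```javascript
// Added example (not from the original page): Origin allowlist check
// for CORS. Allowlist, names and Max-Age value are assumptions.

const ALLOWED_ORIGINS = new Set(["https://shop.example.re", "https://app.example.re"]);
const ALLOWED_METHODS = new Set(["GET", "POST"]);
const ALLOWED_HEADERS = new Set(["content-type"]);

// Serialize an Origin value so that "https://shop.example.re:443" and
// "https://shop.example.re" compare equal. Returns null for "null",
// malformed values, opaque origins, or values carrying a path or query.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.origin === "null") return null;               // e.g. file: or data: URLs
  if (url.pathname !== "/" || url.search || url.hash) return null;
  return url.origin;                                    // default port dropped
}

// Returns { allowed, headers } for a request given as a lowercase header
// map. Matching is exact: no reflection of arbitrary values, no prefix or
// substring checks, and "null" is never trusted. Vary: Origin keeps a
// cache from serving one origin's answer to another origin.
function corsHeadersFor(req) {
  const deny = { allowed: false, headers: { "Vary": "Origin" } };
  const origin = normalizeOrigin(req["origin"]);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) return deny;
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const method = req["access-control-request-method"];
  if (method !== undefined) {                           // preflight
    if (!ALLOWED_METHODS.has(method.toUpperCase())) return deny;
    const wanted = (req["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wanted.every((h) => ALLOWED_HEADERS.has(h))) return deny;
    headers["Access-Control-Allow-Methods"] = method.toUpperCase();
    if (wanted.length) headers["Access-Control-Allow-Headers"] = wanted.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }
  return { allowed: true, headers };
}

// Constructed preflight mirroring the OPTIONS request shown above.
const preflight = {
  "origin": "https://shop.example.re",
  "access-control-request-method": "POST",
  "access-control-request-headers": "content-type",
};
console.log(corsHeadersFor(preflight));
console.log(corsHeadersFor({ "origin": "null" }).allowed);                      // false
console.log(corsHeadersFor({ "origin": "https://shop.example.re:8443" }).allowed); // false
```

A different port is a different origin, so https://shop.example.re:8443 is denied even though the host matches; only the default port is elided during normalization.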
Takeaway
The Origin header identifies the requesting origin by scheme, host, and port, giving servers the information needed to enforce CORS policies and distinguish cross-origin from same-origin traffic.
See also
- RFC 6454: The Web Origin Concept
- Access-Control-Allow-Origin
- Referer
- Sec-Fetch-Site
- Origins
- CORS
- HTTP headers