Origin
Usage
Browsers attach the Origin header to cross-origin requests and same-origin requests triggered by certain methods or APIs. The header identifies where the request originated, giving the server the information needed to enforce access control policies.
The header appears in all CORS requests (including preflights), form submissions using POST, and requests initiated by the Fetch API or XMLHttpRequest. The browser does not include the header in same-origin GET or HEAD navigation requests.
Unlike the Referer header, Origin never includes the path or query string, making the value more privacy-preserving. The Sec-Fetch-Site header provides a complementary signal by classifying the request as same-origin, same-site, cross-site, or none.
scheme://host:port
The full origin consisting of the protocol, hostname, and port. The port is omitted when the protocol uses a default port (80 for HTTP, 443 for HTTPS).
Origin: https://example.com
Origin: https://api.example.re:8443
null
Sent when the origin is privacy-sensitive or opaque. Sandboxed iframes, data: URLs, and redirects across origins produce a null value.
Origin: null
Example
A cross-origin POST from a front-end application includes the Origin header so the server verifies the caller before returning a CORS-enabled response.
Request
POST /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Content-Type: application/json
Response
HTTP/1.1 201 Created
Access-Control-Allow-Origin: https://shop.example.re
Vary: Origin
A preflight OPTIONS request carries the origin alongside the intended method and headers.
Request
OPTIONS /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type