HTTPQUERY
中文

Origin

Usage

Browsers attach the Origin header to cross-origin requests and same-origin requests triggered by certain methods or APIs. The header identifies where the request originated, giving the server the information needed to enforce access control policies.

The header appears in all CORS requests (including preflights), form submissions using POST, and requests initiated by the Fetch API or XMLHttpRequest. The browser does not include the header in same-origin GET or HEAD navigation requests.

Unlike the Referer header, Origin never includes the path or query string, making the value more privacy-preserving. The Sec-Fetch-Site header provides a complementary signal by classifying the request as same-origin, same-site, cross-site, or none.

scheme://host:port

The full origin consisting of the protocol, hostname, and port. The port is omitted when the protocol uses a default port (80 for HTTP, 443 for HTTPS).

Origin: https://example.com
Origin: https://api.example.re:8443

null

Sent when the origin is privacy-sensitive or opaque. Sandboxed iframes, data: URLs, and redirects across origins produce a null value.

Origin: null

Example

A cross-origin POST from a front-end application includes the Origin header so the server verifies the caller before returning a CORS-enabled response.

Request

POST /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Content-Type: application/json

Response

HTTP/1.1 201 Created
Access-Control-Allow-Origin: https://shop.example.re
Vary: Origin

A preflight OPTIONS request carries the origin alongside the intended method and headers.

Request

OPTIONS /api/orders HTTP/1.1
Host: api.example.re
Origin: https://shop.example.re
Access-Control-Request-Method: POST
Access-Control-Request-Headers: content-type