general
Origin
Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.
Origin: <scheme>://<host>[:<port>] | null Common directives / values
| Directive | Purpose |
|---|---|
| <scheme>://<host>[:<port>] | Serializes exactly the requesting document's origin. |
| null | Opaque origin — sandboxed iframes, data: / file: URLs, cross-origin redirects. |
| omitted | Some same-origin GETs may omit it; do not treat absence as safe by itself. |
Examples
Origin: https://app.example.com Cross-origin fetch from app.example.com to your API — echo this exactly in Access-Control-Allow-Origin.
Origin: null Request from a sandboxed iframe or a redirect through opaque contexts.
POST /transfer HTTP/1.1\nOrigin: https://bank.example.com CSRF defense: reject if Origin isn't in your allow-list.
OPTIONS /api HTTP/1.1\nOrigin: https://app.example.com\nAccess-Control-Request-Method: DELETE CORS preflight — the browser adds Origin automatically.
Gotcha
Origin never carries path or query — do not try to make routing decisions from it. Treat 'Origin: null' with suspicion: it's the browser saying 'I can't tell you the real origin', not proof of same-origin.
Related headers
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Host
Identifies the target host and optional port of the request, so a single IP can serve many virtual hosts. Missing Host in an HTTP/1.1 request MUST yield 400 Bad Request.
Vary
Tells caches which request headers were used for content negotiation, so they know to store and serve separate variants keyed by those headers. Missing or wrong Vary causes users to see cached content meant for someone else (wrong language, encoding, or device).
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
User-Agent
Free-form identifier of the client software, historically used for content negotiation and now largely for analytics and abuse detection. Modern browsers are freezing/reducing this string in favor of the Client Hints (Sec-CH-UA-*) family.