general

Origin

Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.

Origin: <scheme>://<host>[:<port>]  |  null

Common directives / values

Directive Purpose
<scheme>://<host>[:<port>] Serializes exactly the requesting document's origin.
null Opaque origin — sandboxed iframes, data: / file: URLs, cross-origin redirects.
omitted Some same-origin GETs may omit it; do not treat absence as safe by itself.

Examples

Origin: https://app.example.com

Cross-origin fetch from app.example.com to your API — echo this exactly in Access-Control-Allow-Origin.

Origin: null

Request from a sandboxed iframe or a redirect through opaque contexts.

POST /transfer HTTP/1.1\nOrigin: https://bank.example.com

CSRF defense: reject if Origin isn't in your allow-list.

OPTIONS /api HTTP/1.1\nOrigin: https://app.example.com\nAccess-Control-Request-Method: DELETE

CORS preflight — the browser adds Origin automatically.

Gotcha

Origin never carries path or query — do not try to make routing decisions from it. Treat 'Origin: null' with suspicion: it's the browser saying 'I can't tell you the real origin', not proof of same-origin.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors