Origin
Request header CORS

Overview

Origin is the request header that tells the server the origin (scheme + host + port) that initiated the request. Unlike Referer it omits path and query, making it more privacy-friendly, and it is central to CORS and CSRF checks.

Details

Browsers automatically attach Origin to cross-origin requests and to all state-changing requests (like POST). In CORS the server reads it to decide whether to return `Access-Control-Allow-Origin`, and the preflight (OPTIONS) step checks whether the Origin is on the allowlist.

The value carries only the origin, like `https://app.example.com`, with no path. For privacy/security it is sometimes sent as `null` (e.g. documents opened from `file://`, sandboxed iframes, or after certain redirects). Trusting `Access-Control-Allow-Origin: null` is dangerous because attackers can trigger it.

For CSRF defense, Origin is a more trustworthy signal than Referer. Verifying that a state-changing request's Origin matches your own site filters out much cross-origin forgery without exposing the path. Modern browsers reinforce this with Fetch Metadata headers like `Sec-Fetch-Site`.

Syntax

Origin: <scheme>://<host>[:<port>] | null

e.g. Origin: https://app.example.com

Notes

Related headers

Related status codes

Specification