The Origin header is a vital security feature in HTTP requests. It conveys the essential information about the source (origin) of a request to the server that receives it. This origin is comprised of three parts:
- Scheme: This indicates the protocol used, like HTTP or HTTPS.
- Hostname: This is the domain name of the website making the request (e.g., "www.example.com").
- Port (optional): If a non-standard port is used (usually 80 for HTTP and 443 for HTTPS), it's also included in the Origin header.
Key Points:
- Origin vs. Referer: The Origin header differs from the Referer header in a crucial way. While the Referer includes the entire URL with the path, the Origin omits the path information. This is done to prevent sensitive data, potentially within the path, from being revealed.
- Browser-controlled: The browser automatically adds the Origin header to specific requests. Users cannot modify it directly.
- When is it Sent? The Origin header is primarily included in two scenarios:
- Cross-Origin Requests: Whenever a web page requests resources (scripts, images, etc.) from a different domain than its own, the Origin header is mandatory. This helps enforce security restrictions between domains (covered in CORS).
- Same-Origin Requests (Modern Browsers): In some modern browsers, the Origin header might also be included in same-origin requests, particularly for methods like PUT, POST, and DELETE.
Role in CORS (Cross-Origin Resource Sharing)
The Origin header plays a central role in CORS, a security mechanism that governs how browsers handle requests between different domains. By including the Origin header, the browser informs the server about the request's origin. The server can then check its CORS configuration (using Access-Control-Allow-Origin header) to determine whether to allow or restrict the request based on its origin.
See
HTTP协议中的“X-Real-IP”头字段的作用是什么?底层原理是什么?-阿里云开发者社区
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin
http - X-Original-For header: what's its purpose? - Stack Overflow