The Origin header indicates the origin (scheme, hostname, and port) that initiated the request.
Browsers automatically set this header on cross-origin requests and certain same-origin requests (POST, PUT, DELETE). Servers use it to validate requests and determine which CORS headers to return.
Syntax & Values
Origin: <origin>
Origin: null
The Origin header is automatically set by the browser and contains the origin value (e.g., https://example.com) indicating where the request originated from. It can also have the value null for requests from local files (file://), sandboxed iframes, or certain privacy contexts.
Examples
Cross-origin request from a website
The browser automatically sets the Origin header when making a cross-origin request from https://example.com.
Origin: https://example.com
Null origin from local file or sandboxed iframe
The Origin header is set to null for requests from local files (file://), sandboxed iframes, or certain privacy contexts.
Origin: null
Common Errors & Fixes
Origin header missing or doesn't match server expectations
Ensure your server validates the Origin header against an allowlist of trusted origins, comparing the full value (scheme, hostname, and port). Set Access-Control-Allow-Origin to the specific origin that matched, or configure your CORS middleware to do so.
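One way to implement the allowlist check described above, as an added example that is not part of the original page. The allowlisted origins and the function names parseOrigin and corsHeadersFor are assumptions for illustration.

```javascript
// Constructed sample allowlist (assumption): exact origins, not bare domains.
const ALLOWED_ORIGINS = new Set([
  "https://example.com",
  "https://app.example.com:8443",
]);

// Return the value if it is a well-formed http(s) origin, otherwise null.
function parseOrigin(value) {
  // A missing header and the literal "null" origin are never trusted.
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Browsers send the serialized origin: lowercase, no path, no default port.
  // Anything that does not round-trip exactly is rejected.
  return url.origin === value ? url.origin : null;
}

// Build the CORS response headers for one request's Origin header value.
function corsHeadersFor(originHeader) {
  // The response depends on Origin, so caches must key on it.
  const headers = { Vary: "Origin" };
  const origin = parseOrigin(originHeader);
  // Exact Set membership: no substring, prefix, or suffix matching.
  if (origin !== null && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample header values.
for (const sample of ["https://example.com", "null", undefined,
                      "https://example.com.untrusted.test", "https://example.com/"]) {
  console.log(String(sample), "->", JSON.stringify(corsHeadersFor(sample)));
}
```

Only the first sample receives Access-Control-Allow-Origin; every response carries Vary: Origin.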
Frequently Asked Questions
Do I need to set the Origin header manually?
No, browsers automatically set the Origin header. You cannot manually override it in client-side JavaScript for security reasons.
What does 'Origin: null' mean?
This value appears for requests from local files (file://), sandboxed iframes, or certain privacy contexts. Handle it with caution: it does not identify a specific site, so do not treat it as a trusted origin.