Origin

The Origin HyperText Transfer Protocol (HTTP) request header indicates the origin of the request. This header does not include any path information. It is similar to the Referer header, but unlike that header, the Origin header does not disclose the whole path.

Note: Basically, browsers add the Origin request header to:

all cross origin requests.
same-origin requests except for GET or HEAD requests (i.e. they are added to same-origin POST, OPTIONS, PUT, PATCH, and DELETE requests).

There are some exceptions to the above rules; for example, if a cross-origin GET or HEAD request is made in [no-cors mode], (/en-US/docs/Web/API/Request/mode#value) the Origin header will not be added.

Header type	Request header
Forbidden header name	yes

Syntax

Origin: null
Origin: <scheme> "://" <hostname> [ ":" <port> ]

Directives

<scheme>: The protocol that is used. Usually, it is the HTTP protocol or its secured version, HTTPS.
<hostname>: The domain name of the server (for virtual hosting) or the IP.
<port> Optional: TCP port number on which the server is listening. If no port is given, the default port for the service requested (e.g., "80" for an HTTP URL) is implied.

Examples

Origin: https://developer.mozilla.org

Specifications

Specification
The Web Origin Concept # section-7
Fetch Standard (Fetch) # origin-header

Browser compatibility

	Desktop						Mobile
	Chrome	Edge	Firefox	Internet Explorer	Opera	Safari	WebView Android	Chrome Android	Firefox for Android	Opera Android	Safari on IOS	Samsung Internet
`Origin`	Yes	12 Before Edge 79, this header was not sent with sent with `POST` requests.	70 59 Sent with non-CORS requests since Fx59, unless they are `GET` or `HEAD`. Yes Not sent with `POST` requests until Firefox 58, see bug 446344.	Yes	Yes	Yes	Yes	Yes	59 Sent with non-CORS requests since Fx59, unless they are `GET` or `HEAD`. Yes Not sent with `POST` requests until Firefox 58, see bug 446344.	Yes	Yes	Yes

Origin

Origin

Syntax

Directives

Examples

Specifications

Browser compatibility

See also