Concept: Origin header (category: cors)

CORS in Action: Creating and consuming cross-origin APIs

This is an excerpt from Manning's book CORS in Action: Creating and consuming cross-origin APIs.

There are some headers that are set by the browser and can’t be set by page script (see the following sidebar for the complete list). As you’ll see in the next chapter, the browser sets an Origin header on cross-origin requests. If you try to set this header in your code, for example with XMLHttpRequest’s setRequestHeader, the browser will silently ignore your value. This is a security measure that prevents page script from overriding header values the server relies on. The server can trust these values because it knows the script that made the request hasn’t accidentally (or maliciously) tainted them.

3.4. Making a request with the Origin header

The Origin header is central to CORS. The client identifies itself to the server by using the Origin header. Think of it as the client’s calling card.

A CORS request must have an Origin header. There is no way around that. If there is no Origin header it isn’t CORS. With that in mind, let’s revisit the sample app and take a look at the actual Origin header.

3.4.3. Setting the Origin header

The browser adds the Origin header to the HTTP request before sending the request to the server. The browser is solely responsible for setting the Origin header. The Origin header is always present on cross-origin requests made through CORS (requests made with XMLHttpRequest or fetch; a plain cross-origin image or script load is not a CORS request and does not carry one), and page script has no way of setting or overriding the value. This is a requirement from a security standpoint: if the script could change the Origin header, it could pretend to be someone it isn’t. Keep in mind that this guarantee comes from the browser, not from HTTP: a non-browser client such as curl can send whatever Origin value it likes, so the Origin header tells you which web page a browser is acting on behalf of; it does not authenticate the request. Figure 3.17 shows how the browser adds the Origin header before sending the request to the server.

Figure 3.17. The browser adds the Origin header before sending the request to the server.

Same-origin requests may sometimes have an Origin header as well. Chrome and Safari include an Origin header on same-origin non-GET requests (the Fetch standard now specifies this for all non-GET, non-HEAD requests, so current versions of other browsers behave the same way). In these cases, the Origin header has the same value as the server’s origin value. This is important to keep in mind. When identifying CORS requests, it’s not enough to check that the Origin header exists. You should also check that the origin value is different from your server’s origin value. That comparison must cover the whole origin (scheme, host, and port), and the literal value null, which browsers send for opaque origins such as sandboxed iframes, should never be treated as matching your server.
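The check described above, written out as an added Node.js example (it is not code from the book’s sample app): the server compares the request’s Origin header with its own origin to decide whether it is looking at a same-origin request, a CORS request, or no CORS request at all. The server origin https://api.example.com and the sample requests are constructed for illustration; the header lookup mirrors Node’s req.headers, where names are lower-cased, but tolerates mixed-case keys so the function can be driven from plain objects.

```javascript
// Added example (not from the book): decide whether an incoming request is
// a CORS request by comparing its Origin header with the server's own
// origin. Handles the three cases the text calls out: no Origin header at
// all, an Origin equal to the server's origin, and the opaque value "null".

// Case-insensitive header lookup; Node's req.headers is already lower-cased,
// but plain objects used in tests may not be.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Reduce an origin string to the browser's serialized form: lower-case
// scheme and host, default port omitted. Returns null for anything that is
// not a bare scheme://host[:port], so a value carrying a path, query or
// credentials is rejected rather than silently accepted.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  let url;
  try {
    url = new URL(value);
  } catch (err) {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.pathname !== '/' || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin;
}

// Classify one request. serverOrigin is the origin this server is reachable
// at, e.g. 'https://api.example.com'. The returned kind is one of:
//   'no-origin'      no Origin header: cannot be a CORS request
//   'same-origin'    Origin matches the server's own origin
//   'cors'           Origin is a different (or the opaque "null") origin
//   'invalid-origin' Origin is present but not a well-formed origin
function classifyRequest(serverOrigin, headers) {
  const self = normalizeOrigin(serverOrigin);
  if (self === null) throw new TypeError('serverOrigin must be scheme://host[:port]');

  const raw = getHeader(headers, 'origin');
  if (raw === undefined) return { kind: 'no-origin', origin: null };

  // Browsers send the literal string "null" for opaque origins (sandboxed
  // iframes, file:// pages, some cross-origin redirects). It is cross-origin
  // by definition and must never be matched against an allow list.
  if (raw === 'null') return { kind: 'cors', origin: 'null' };

  const origin = normalizeOrigin(raw);
  if (origin === null) return { kind: 'invalid-origin', origin: raw };
  if (origin === self) return { kind: 'same-origin', origin };
  return { kind: 'cors', origin };
}

// Constructed sample requests (not captured traffic) against a server whose
// own origin is https://api.example.com.
const SERVER_ORIGIN = 'https://api.example.com';
const SAMPLE_REQUESTS = [
  { origin: 'https://app.example.com' },        // cross-origin page
  { origin: 'https://api.example.com:443' },    // same origin, explicit default port
  { origin: 'https://API.Example.com' },        // same origin, different case
  { origin: 'http://api.example.com' },         // scheme differs: cross-origin
  { origin: 'null' },                           // opaque origin
  { origin: 'https://api.example.com/evil' },   // malformed: not a bare origin
  {},                                           // e.g. a same-origin GET
];

// Returns the kind for each sample request, in order.
function classifySamples() {
  return SAMPLE_REQUESTS.map((headers) => classifyRequest(SERVER_ORIGIN, headers).kind);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const headers of SAMPLE_REQUESTS) {
    console.log(JSON.stringify(headers), '->', classifyRequest(SERVER_ORIGIN, headers));
  }
}
```

Only a request classified as 'cors' needs CORS handling; a 'same-origin' request should be served as if the header were absent, and an 'invalid-origin' value is a sign of a non-browser client or tampering and is safest to treat as not allowed.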

In this section you learned what an Origin header is, where you can find it, and how it can be used to identify a CORS request. Next, let’s update the server to respond to the CORS request by using the Access-Control-Allow-Origin response header.
