Require Origin Policy

The Require Origin policy is used to enforce that the client is sending an origin header that matches your allow-list specified in the policy options.

This is useful if you want to stop any browser traffic from different domains.

However, it is important to note that it does not guarantee that traffic is only coming from a browser. Somebody could simulate a browser request from a backend server and set any origin they like.

If the incoming origin is missing, or not allowed - a 400 Forbidden Problem Response will be sent to the client. You can customize the detail property in the policy options.


The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-require-origin-inbound-policy", "policyType": "require-origin-inbound", "handler": { "export": "RequireOriginInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "failureDetail": "Your origin is not authorized to make this request.", "origins": "," } } }

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be require-origin-inbound.
  • handler.export <string> - The name of the exported type. Value should be RequireOriginInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • origins <string> (Required) -
    A comma separated string containing valid origins.
  • failureDetail <string> -
    The detail of the HTTP Problem response, if the origin is missing or disallowed.
    Defaults to "Forbidden".

Using the Policy

Read more about how policies work

Bot Detection