Skip to main content

Require Origin Policy

The Require Origin policy is used to enforce that the client is sending an origin header that matches your allow-list specified in the policy options.

This is useful if you want to stop any browser traffic from different domains.

However, it is important to note that it does not guarantee that traffic is only coming from a browser. Somebody could simulate a browser request from a backend server and set any origin they like.

If the incoming origin is missing, or not allowed - a 400 Forbidden Problem Response will be sent to the client. You can customize the detail property in the policy options.


"name": "my-require-origin-inbound-policy",
"policyType": "require-origin-inbound",
"handler": {
"export": "RequireOriginInboundPolicy",
"module": "$import(@zuplo/runtime)",
"options": {
"origins": ",",
"failureDetail": "Invalid Request - contact support at"
  • name the name of your policy instance. This is used as a reference in your routes.
  • policyType the identifier of the policy. This is used by the Zuplo UI. Value should be require-origin-inbound.
  • handler/export The name of the exported type. Value should be RequireOriginInboundPolicy.
  • handler/module the module containing the policy. Value should be $import(@zuplo/runtime).
  • handler/options The options for this policy:
    • origins

      A comma separated string containing valid origins

    • failureDetail

      The detail of the HTTP Problem response, if the origin is missing or disallowed

Read more about how policies work