HTTP Headers - Host vs Origin

   browser tab              http request                google.com server
  ________________       _______________________       _________________
 | marcuschiu.com |     | Host: google.com      |     |                 |
 |                | --- | Origin: marcuschiu.com| --->|                 |
 |                |     | …                     |     |                 |
 |________________|     |_______________________|     |_________________|

Host Header

  • specifies the domain to which the request IS TO BE SENT
  • was introduced so hosting sites could include multiple domains on a single IP address
  • is ALWAYS included

Origin Header

  • specifies the domain from which the request ORIGINATED
  • was introduced to mitigate Cross-Site Request Forgery (CSRF) vulnerabilities
  • is SOMETIMES included:
    • included by default by all browsers on every cross-origin request
    • same-origin requests:
      • always included on same-origin PUT/POST/DELETE requests
      • not included on same-origin GET requests
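As an added example (not code from the original page), a server-side check that uses the two headers the way the page describes: Host is always present and is validated against an assumed allowlist, while Origin is required only on the state-changing methods where browsers always send it, with Referer as a fallback and a missing, unparsable or "null" value treated as a rejection. The allowlist and the header dictionary shape are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the hosts this server legitimately serves.
# Validating Host against it covers the "one IP, many domains" case the header exists for.
ALLOWED_HOSTS = {"google.com", "www.google.com"}

# Methods on which the page says browsers always send Origin, even same-origin.
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def source_host(value):
    """Host named by an Origin or Referer value, or None when the value is absent,
    the opaque origin "null", or lacks a scheme (urlsplit then yields no hostname).
    None is treated as "untrusted", so the caller fails closed."""
    if not value or value.strip().lower() == "null":
        return None
    return urlsplit(value).hostname  # lowercase host, port and path stripped


def check_request(method, headers):
    """Return (allowed, reason) for a request. `headers` is a dict whose keys are
    already lowercased (assumed shape)."""
    m = method.upper()
    host = headers.get("host", "").split(":")[0].lower()  # drop an explicit port
    # 1. Host is always present, so an unknown value is an immediate reject.
    if host not in ALLOWED_HOSTS:
        return False, "unknown Host"
    # 2. Safe methods: the page notes Origin is absent on same-origin GET, so do
    #    not demand it there.
    if m not in STATE_CHANGING:
        return True, "safe method"
    # 3. State-changing methods: a browser sends Origin; fall back to Referer for
    #    clients that do not, and reject when neither names a usable host.
    src = source_host(headers.get("origin")) or source_host(headers.get("referer"))
    if src is None:
        return False, "no Origin/Referer on state-changing request"
    if src != host:
        return False, f"cross-origin {m} from {src} to {host}"
    return True, "same-origin"


if __name__ == "__main__":
    # The page's diagram: a tab on marcuschiu.com posting to google.com.
    print(check_request("POST", {"host": "google.com",
                                 "origin": "https://marcuschiu.com"}))
```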