Require Origin
The Require Origin policy is used to enforce that the client is sending an
origin
header that matches your allow-list specified in the policy options.
This is useful if you want to stop any browser traffic from different domains.
However, it is important to note that it does not guarantee that traffic is only coming from a browser. Somebody could simulate a browser request from a backend server and set any origin they like.
If the incoming origin is missing, or not allowed - a 400 Forbidden Problem
Response will be sent to the client. You can customize the detail
property in
the policy options.
Configuration#
{
"name": "my-require-origin-inbound-policy",
"policyType": "require-origin-inbound",
"handler": {
"export": "RequireOriginInboundPolicy",
"module": "$import(@zuplo/runtime)",
"options": {
"origins": "https://contoso.com, https://sub.contoso.com",
"failureDetail": "Invalid Request - contact support at support@contoso.com"
}
}
}
Options#
name
the name of your policy instance. This is used as a reference in your routes.policyType
the identifier of the policy. This is used by the Zuplo UI. Value should berequire-origin-inbound
.handler/export
The name of the exported type. Value should beRequireOriginInboundPolicy
.handler/module
the module containing the policy. Value should be$import(@zuplo/runtime)
.handler/options
The options for this policy:origins
A comma separated string containing valid origins
failureDetail
The
detail
of the HTTP Problem response, if the origin is missing or disallowed