Require Origin Policy
The Require Origin policy is used to enforce that the client is sending an
origin
header that matches your allow-list specified in the policy options.
This is useful if you want to stop any browser traffic from different domains.
However, it is important to note that it does not guarantee that traffic is only coming from a browser. Somebody could simulate a browser request from a backend server and set any origin they like.
If the incoming origin is missing, or not allowed - a 400 Forbidden Problem
Response will be sent to the client. You can customize the detail
property in
the policy options.
Configuration
The configuration shows how to configure the policy in the 'policies.json' document.
{ "name": "my-require-origin-inbound-policy", "policyType": "require-origin-inbound", "handler": { "export": "RequireOriginInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "failureDetail": "Your origin is not authorized to make this request.", "origins": "https://example.com, https://example.org" } } }json
Policy Configuration
name
<string>
- The name of your policy instance. This is used as a reference in your routes.policyType
<string>
- The identifier of the policy. This is used by the Zuplo UI. Value should berequire-origin-inbound
.handler.export
<string>
- The name of the exported type. Value should beRequireOriginInboundPolicy
.handler.module
<string>
- The module containing the policy. Value should be$import(@zuplo/runtime)
.handler.options
<object>
- The options for this policy. See Policy Options below.
Policy Options
The options for this policy are specified below. All properties are optional unless specifically marked as required.
origins
(required)<string>
- A comma separated string containing valid origins.failureDetail
<string>
- Thedetail
of the HTTP Problem response, if the origin is missing or disallowed. Defaults to"Forbidden"
.
Using the Policy
Read more about how policies work