Verify origin of request

Hello, Everyone
I want to create a firewall rule that checks the Origin against a provided list and blocks the request if it doesn’t match. Is that possible?

When you say origin, are you referring to the Origin header sent by browsers? This is certainly possible to do with Firewall Rules.

Can you tell a bit more about what you’re trying to achieve by blocking requests with non-whitelisted Origin headers? Then we’ll be able better help you write the correct rule.

Yes I am referring to Origin header sent by browser.
What I want to achieve is this: I have a streaming server running Wowza Streaming Engine Manager. There, I cannot check whether the Origin the current request is coming from is allowed or not. So I want to check that on Cloudflare and block the request if it does not match.

You can use the following expression to match requests that contain an Origin header not in the allow list.

(not all(http.request.headers["origin"][*] in {
    "http://example.com"
    "https://example.com"
    "https://my-allowed-origin.local"
}))

Note, this will only block requests that contain an Origin header. If the request does not have an Origin header at all, this expression will not match.

For that, I can add another rule that blocks if the header is not present, right?

But which option should I select in the “When incoming requests match…” field, this one?

Okay, done. I just needed to copy-paste your expression.
Thanks a lot.

Some legitimate requests will not contain an Origin header, so you probably shouldn’t do that.


Be careful that you do not run into a violation of Section 2.8 of the self service terms of service.

Use of the Services for serving video … is prohibited

You could also just use the Origin header to inform the browser that the request is not authorised. Browsers generally expect to see certain headers in the response which correspond to the Origin request header. Unfortunately, products like Wowza have decided to set CORS to be wide open by default, but you can customise them to be more restrictive.

One of the default Wowza response headers is Access-Control-Allow-Origin: *. You can use an HTTP Response Header Transform in Cloudflare to delete this header when the Origin request header does not match one of your own domains, or matches one of your blocked domains (I use the allowlist approach, which is much easier to maintain). The syntax is very similar to the syntax @albert provided for the WAF.

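To make the two approaches in this thread concrete, here is an added example (not code from the thread, Cloudflare or Wowza) written as a Cloudflare-Worker-style fetch handler in plain JavaScript. It covers both the allowlist check from @albert’s WAF expression, including the caveat that a request with no Origin header is not blocked, and the response-header approach of replacing Wowza’s default `Access-Control-Allow-Origin: *` with a per-origin value. The allowlist, the constructed upstream response and the function names (`decideOrigin`, `applyCors`, `handle`) are assumptions for illustration.

```javascript
// Added example: Origin allowlisting in front of a streaming origin.
// Not from the thread; names and sample data below are assumptions.

// Same allowlist as the WAF expression in the thread.
const ALLOWED_ORIGINS = new Set([
  "http://example.com",
  "https://example.com",
  "https://my-allowed-origin.local",
]);

// Mirrors the WAF rule: block only when an Origin header is present AND not
// in the allowlist. A missing Origin header is allowed through, because many
// legitimate requests (same-origin navigations, non-browser clients such as
// players or CLI tools) carry no Origin header at all.
function decideOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (originHeader === null || originHeader === undefined) {
    return "allow";
  }
  // Browsers may send the literal string "null" (sandboxed iframes, file://).
  // It is not in the allowlist, so it is blocked like any other unknown origin.
  return allowed.has(originHeader) ? "allow" : "block";
}

// Response-header approach: strip the upstream's wide-open "*" and reflect
// the request's Origin only when it is allowlisted. With no ACAO header at
// all, a browser refuses to expose a cross-origin response to page script.
// Header names are handled as lowercase keys in a Map.
function applyCors(upstreamHeaders, originHeader, allowed = ALLOWED_ORIGINS) {
  const headers = new Map(upstreamHeaders); // copy, never mutate the input
  headers.delete("access-control-allow-origin");
  if (originHeader && allowed.has(originHeader)) {
    headers.set("access-control-allow-origin", originHeader);
    // The response now depends on Origin, so shared caches must key on it.
    const vary = headers.get("vary");
    if (!vary) {
      headers.set("vary", "Origin");
    } else if (!/\bOrigin\b/i.test(vary)) {
      headers.set("vary", `${vary}, Origin`);
    }
  }
  return headers;
}

// Constructed sample upstream response, shaped like Wowza's default output:
// an HLS playlist with the wide-open CORS header the thread warns about.
const UPSTREAM_RESPONSE = {
  status: 200,
  headers: [
    ["content-type", "application/vnd.apple.mpegurl"],
    ["access-control-allow-origin", "*"],
  ],
};

// request.headers is a Map of lowercase header name -> value.
// Returns a plain { status, headers } object so it can be inspected offline.
function handle(request, upstream = UPSTREAM_RESPONSE) {
  const origin = request.headers.get("origin") ?? null;
  if (decideOrigin(origin) === "block") {
    return { status: 403, headers: new Map([["content-type", "text/plain"]]) };
  }
  return { status: upstream.status, headers: applyCors(upstream.headers, origin) };
}

// Stand-alone demo: an allowed origin, a disallowed origin, and no Origin at all.
for (const origin of ["https://example.com", "https://evil.example", null]) {
  const headers = new Map(origin === null ? [] : [["origin", origin]]);
  const res = handle({ headers });
  console.log(origin, "->", res.status, Object.fromEntries(res.headers));
}
```

Note that, as in the thread’s WAF rule, a request with no Origin header is neither blocked nor given a CORS header; it is only script running on another site that is refused, which is exactly the case the Origin header exists to identify.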

Thanks for pointing it out, and sorry, I wasn’t aware of the violation of the terms. I will keep it in mind.
