How do origin and referer headers differ and what is the point

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the web-development category.

Last Updated: 2024-11-21

Here's how they differ:

"The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests.

It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path." source

Rationale for distinction

Obviously the full path in the referer is needed to know what resource to serve. But other systems - ones that don't need this info - shouldn't pay attention to this field and instead just do their job with the origin header. Better yet, the referer header shouldn't even be made available to these systems. This ensures better privacy and less leaking of secrets.