Allowed Origins
Allowed origins provide security for upload keys by restricting which domains can use them for image uploads. This prevents unauthorized use of your upload keys from other websites.
How Allowed Origins Work
When creating an upload key, you specify a list of allowed origins. During image uploads, Icefiery validates the request's Origin header against this list to ensure the upload is coming from an authorized domain.
Origin Validation Rules
The validation system uses exact matching with special handling for localhost:
Exact Matching
Origins must match exactly, including protocol, domain, and port:
- https://example.com only matches https://example.com
- http://localhost:3000 only matches http://localhost:3000
- https://app.example.com only matches https://app.example.com
This is consistent with same-origin policy conventions:
"Two URLs have the same origin if the protocol, port (if specified), and host are the same for both." (MDN)
Localhost Special Case
For development convenience, http://localhost:* serves as a wildcard for any localhost port:
- http://localhost:* matches http://localhost:3000, http://localhost:8080, etc.
- This only works for localhost, not other domains
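The matching rules above, sketched as an added example (this is not Icefiery's code). The function name isOriginAllowed, the rejection of a missing or "null" Origin, and the requirement that the wildcard see an explicit numeric port are assumptions made for illustration.

```javascript
// Added illustration of the documented rules; not Icefiery's implementation.
const LOCALHOST_WILDCARD = "http://localhost:*";

// Fully anchored: scheme must be http, host must be exactly "localhost",
// and an explicit numeric port must follow (assumption: a port-less
// "http://localhost" is not covered by the wildcard).
const LOCALHOST_ANY_PORT = /^http:\/\/localhost:(\d{1,5})$/;

function isOriginAllowed(originHeader, allowedOrigins) {
  // Assumption: a missing, empty or opaque ("null") Origin is rejected.
  if (typeof originHeader !== "string" || originHeader === "" || originHeader === "null") {
    return false;
  }
  for (const allowed of allowedOrigins) {
    if (allowed === LOCALHOST_WILDCARD) {
      const m = LOCALHOST_ANY_PORT.exec(originHeader);
      if (m && Number(m[1]) >= 1 && Number(m[1]) <= 65535) return true;
      continue; // the wildcard entry never matches any other host
    }
    // Exact matching: protocol, domain and port compared as one string.
    if (allowed === originHeader) return true;
  }
  return false;
}

// Constructed sample data: one production origin plus the localhost wildcard.
const SAMPLE_ALLOWED = ["https://example.com", "http://localhost:*"];
const SAMPLE_ORIGINS = [
  "https://example.com",               // exact match
  "http://example.com",                // protocol differs
  "https://example.com:8443",          // port differs
  "https://app.example.com",           // subdomain is a different origin
  "http://localhost:3000",             // wildcard, any port
  "http://localhost:8080",
  "https://localhost:3000",            // wildcard is http only
  "http://localhost.example.net:3000", // host only starts with "localhost"
  "http://127.0.0.1:3000",             // not the literal host "localhost"
];

function checkSamples() {
  return SAMPLE_ORIGINS.map((o) => [o, isOriginAllowed(o, SAMPLE_ALLOWED)]);
}

console.table(checkSamples());
```

Anchoring the localhost pattern at both ends is what keeps look-alike hosts such as http://localhost.example.net:3000 from satisfying the wildcard.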