Function and usage of get_http_origin() in wordpress


Answers ( 1 )


    The get_http_origin() function in WordPress is a simple yet useful function for obtaining the HTTP Origin of the current request. Here's a detailed explanation and sample usage:


    get_http_origin(): string


    • The function is used to retrieve the HTTP Origin header from the current request. This is particularly useful in contexts where you need to know the origin of the request, such as for security checks, CORS (Cross-Origin Resource Sharing) handling, or validating referrers.

    How It Works:

    1. Checking HTTP Origin Header: The function looks for the 'HTTP_ORIGIN' value in the server's global $_SERVER array. This header is usually sent by browsers as part of the CORS mechanism.

    2. Return Value:

      • If Origin Header Exists: It returns the value of the HTTP Origin header as a string.
      • If No Origin Header: Returns an empty string.


    • Type: string
    • Value: URL of the origin if available, or an empty string if the origin header is not present.

    Sample Usage:

    Scenario: Implementing a Basic CORS Policy

    Suppose you have a WordPress site and you need to implement a basic CORS policy for an API endpoint.

    function handle_api_request() {
        $http_origin = get_http_origin();
        // Allow requests from specific origins
        $allowed_origins = ['', ''];
        if (in_array($http_origin, $allowed_origins)) {
            // Set CORS headers
            header("Access-Control-Allow-Origin: $http_origin");
            // Your API logic goes here
        } else {
            // Handle disallowed origin
            wp_die('Access denied for this origin');
    add_action('rest_api_init', function () {
        register_rest_route('your_namespace/v1', '/your_endpoint', array(
            'methods' => 'GET',
            'callback' => 'handle_api_request',

    In this example:

    • The get_http_origin() function is used to get the origin of the API request.
    • The script checks if the origin is in the list of allowed origins.
    • If allowed, it sets the appropriate CORS headers; if not, it denies access.

    This is a basic example to illustrate the usage of get_http_origin(). In real-world applications, you might need a more sophisticated approach for handling CORS and security.

Leave an answer