Hi everyone,

Following on from the recent announcement of IP restriction for paying customers, we’ve now added another customer-only feature: the ability to specify an access-control-allow-origin HTTP header per API key.

Why would you want to do this? This HTTP header is used to manage the negotiation between client and server during AJAX requests in a technical process known as “Cross-origin resource sharing” (commonly abbreviated as CORS). Basically, when a browser tries, via JavaScript, to execute a request to the OpenCage API, the API responds with the header, which the calling browser uses to determine whether the page is on a domain that is allowed to accept this content. In short, it is a way to block AJAX requests.

Here’s how you set the value:


Add the full domain (including https://)


Then click “Save” and you are good to go. Our API will then soon begin returning the specified value in the HTTP headers for API requests made with that key. If we look at the headers returned by a valid API request (for example by using $ curl -v) we see:

< HTTP/1.1 200 OK
< date: Fri, 03 Apr 2020 12:16:53 GMT
< server: Apache
< access-control-allow-origin: https://thegeomob.com
< vary: Accept-Encoding
< transfer-encoding: chunked
< content-type: application/json; charset=utf-8
< strict-transport-security: max-age=31536000; includeSubDomains; preload

It’s very important to note that specifying a value for the access-control-allow-origin header does NOT prevent others from abusing your API key; it just makes it harder for them to use the key for AJAX requests.
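To make that distinction concrete, here is an added example (not OpenCage code) that models the comparison a browser performs on the header shown above for a cross-origin request made without credentials. The function names and the sample page URLs are constructed for illustration; the header lines are taken from the curl output in this post.

```javascript
// Added example: models the browser-side CORS check; not OpenCage code.
// Response headers in `curl -v` format, taken from the sample in this post.
// curl printed the full response: the header is only enforced by browsers.
const CURL_OUTPUT = `
< HTTP/1.1 200 OK
< date: Fri, 03 Apr 2020 12:16:53 GMT
< server: Apache
< access-control-allow-origin: https://thegeomob.com
< vary: Accept-Encoding
< content-type: application/json; charset=utf-8
`;

// Parse "< name: value" lines into a Map keyed by lower-cased header name.
// The status line has no "name:" part and is skipped.
function parseCurlHeaders(text) {
  const headers = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^<\s*([^:\s]+):\s*(.*)$/.exec(line);
    if (m) headers.set(m[1].toLowerCase(), m[2].trim());
  }
  return headers;
}

// "*" matches any page; otherwise the header must equal the page's
// serialized origin (scheme://host[:port]) exactly.
function browserAllowsRead(pageUrl, headers) {
  const allowed = headers.get('access-control-allow-origin');
  if (allowed === undefined) return false;
  if (allowed === '*') return true;
  return allowed === new URL(pageUrl).origin;
}

// Evaluate a list of page URLs against the header captured above.
function evaluate(pageUrls) {
  const headers = parseCurlHeaders(CURL_OUTPUT);
  return pageUrls.map((u) => [u, browserAllowsRead(u, headers)]);
}

// Constructed page URLs that might host the calling JavaScript.
const SAMPLE_PAGES = [
  'https://thegeomob.com/events',   // configured origin
  'http://thegeomob.com/events',    // wrong scheme
  'https://www.thegeomob.com/',     // different host
  'https://other.example/map.html', // unrelated site
];

for (const [url, ok] of evaluate(SAMPLE_PAGES)) {
  console.log(`${ok ? 'readable' : 'blocked '}  ${url}`);
}
```

The scheme and host mismatches in the sample show why the configured value has to be the full origin, including https://.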

Setting this header is just one of many steps you should take to protect your API key. Please see our full list of recommendations.

You can read more about CORS and this header in the relevant section of our API docs.

CORS is not particularly intuitive, and it is easy to confuse it with referer blocking, which it is not. Please get in touch if you are a customer and have questions; we are here to help.

happy geocoding,