PixLab & FACEIO | Knowledge Sharing & Public Forums

Widget Blocked due to Empty Origin. What Should I Do?

I pasted your code, and when I click on enroll new user it shows the error "Origin or Referer HTTP request header is empty or missing". What should I do?

Accepted Solution



Thanks for reaching out, and welcome to the FACEIO support center. To answer your inquiry:

The error "Origin or Referer HTTP request header is empty or missing" typically indicates that the HTTP request made to the FaceIO server lacks the necessary "Origin" or "Referer" headers. These headers are essential for security reasons, as they help the server identify where the request is coming from.

Here's what you can do to resolve the issue:

  1. Disable the Reject Missing or Empty Origin/Referer HTTP Request Headers Security option: When enabled, this option shall reject fio.js instantiation when the Origin (or Referer) HTTP request header is missing from the browser that initiated the request. This is a minimalistic security feature against forged requests. You can further restrict fio.js instantiation with your application Public ID to specific domain names you define. To disable this option (not recommended for obvious security reasons), log in to the FACEIO Console, select your target application from the Application Manager, navigate to the Security Tab, and disable this option.


  2. Check Your Client-Side Code: Ensure that when you're making the request to FaceIO, your client-side code (e.g., JavaScript) is correctly setting the "Origin" or "Referer" headers.

  3. Server Configuration: If you're using a server to make the request, ensure that it's configured to include these headers in the request. Some servers or server-side frameworks might strip these headers for security reasons.

  4. Use HTTPS: Ensure that both your application and the FaceIO server are using HTTPS. Some browsers might not send the "Referer" header when moving from an HTTPS site to an HTTP site.

  5. Browser Extensions: Some browser extensions, especially privacy-focused ones, might strip out the "Referer" header. Try testing your application in an incognito/private browsing window with no extensions enabled to see if this is the cause.

Remember, the "Origin" and "Referer" headers are essential for security, so it's crucial not to bypass them without understanding the implications. Always ensure that your application is secure and follows best practices.

Feel free to reply to this thread if you need further assistance.
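
The following sketch is an added example, not part of the original thread and not FACEIO's code. It models how a server-side "reject missing or empty Origin/Referer" check combined with a domain allowlist can behave; `checkRequestOrigin`, its options and the sample requests are hypothetical names and constructed values.

```javascript
// Illustrative model only: function and option names are assumptions.
function checkRequestOrigin(headers, opts = {}) {
  const { rejectMissing = true, allowedDomains = [] } = opts;
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) {
    h[k.toLowerCase()] = String(v).trim();
  }
  // Prefer Origin, fall back to Referer. Browsers send "Origin: null" for
  // opaque origins (file:// pages, sandboxed iframes); treat that as empty.
  let source = '';
  if (h.origin && h.origin !== 'null') source = h.origin;
  else if (h.referer) source = h.referer;

  if (!source) {
    // Design choice of this example: with a domain allowlist configured, a
    // request whose source cannot be determined is rejected either way.
    if (rejectMissing || allowedDomains.length > 0) {
      return { allowed: false, reason: 'origin-or-referer-missing' };
    }
    return { allowed: true, reason: 'missing-header-check-disabled' };
  }
  let host;
  try {
    host = new URL(source).hostname.toLowerCase();
  } catch (err) {
    return { allowed: false, reason: 'origin-unparseable' };
  }
  if (allowedDomains.length === 0) {
    return { allowed: true, reason: 'no-domain-restriction', host };
  }
  // Exact host or true subdomain only: "evil-example.com" must not pass
  // an allowlist entry of "example.com".
  const ok = allowedDomains.some((d) => {
    const dom = d.toLowerCase();
    return host === dom || host.endsWith('.' + dom);
  });
  return ok
    ? { allowed: true, reason: 'domain-allowed', host }
    : { allowed: false, reason: 'domain-not-allowed', host };
}

// Constructed sample requests (not captured traffic).
const samples = [{ origin: 'https://app.example.com' }, { Origin: 'null' },
  { Referer: 'https://evil-example.com/page' }];
samples.forEach((s) => console.log(JSON.stringify(s),
  checkRequestOrigin(s, { allowedDomains: ['example.com'] }).reason));
```
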