How to set the allowed origin (and fix “Origin not allowed”)

Every form endpoint has an allowed origin (your website domain). Forms.fyi uses it to protect you from other sites submitting to your endpoint from a browser.

What “Origin” means

When a browser submits a form or makes a fetch request, it usually includes an HTTP Origin header like:

Origin: https://www.example.com

Forms.fyi compares that value to the allowed origin you set on the form. If they don’t match, the submission is rejected.

Set the allowed origin correctly

  • Include the protocol (https:// vs http://).
  • Match the exact host (for example www.example.com is different from example.com).
  • Ports matter in development (for example http://localhost:3000).

Why you can’t change it later

The allowed origin is a security control. To prevent hijacking or accidental misconfiguration, the dashboard treats it as “set at creation time”.

If your domain changes, create a new form endpoint for the new domain and update your site to use the new endpoint URL.

Fix “Origin not allowed”

This error most commonly happens in these cases:

  • You set the allowed origin to https://example.com but your site is actually served from https://www.example.com.
  • You’re testing on localhost but the allowed origin is your production domain (or vice versa).
  • You’re submitting from a preview domain (like a staging URL) that doesn’t match the form’s allowed origin.
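
To find out which part of the origin is off, the sketch below compares the allowed origin with the origin your page is served from, part by part (protocol, host, port). It is an added example, not Forms.fyi code: the function names are hypothetical, and it assumes the exact-match comparison described above.

```javascript
// Added example, not Forms.fyi code. parseOrigin and diagnoseOrigin are hypothetical names.
const SCHEMES = ["http:", "https:"];

// Split an origin string into the three parts carried by the Origin header.
function parseOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return null; // e.g. "example.com" with no protocol
  }
  if (!SCHEMES.includes(url.protocol)) return null; // e.g. "localhost:3000"
  // The URL parser reports default ports (80/443) as "".
  // How the service treats an explicit default port is not stated; this is an assumption.
  return { scheme: url.protocol, host: url.hostname, port: url.port };
}

// Return the reasons pageOrigin differs from allowedOrigin; [] means they match.
function diagnoseOrigin(allowedOrigin, pageOrigin) {
  const allowed = parseOrigin(allowedOrigin);
  const page = parseOrigin(pageOrigin);
  if (!allowed) return ["allowed origin is not a valid http(s) origin (protocol missing?)"];
  if (!page) return ["page origin is not a valid http(s) origin"];

  const reasons = [];
  if (allowed.scheme !== page.scheme) {
    reasons.push(`protocol: allowed ${allowed.scheme}// but page uses ${page.scheme}//`);
  }
  if (allowed.host !== page.host) {
    const bare = (h) => h.replace(/^www\./, "");
    const hint = bare(allowed.host) === bare(page.host) ? " (www vs non-www)" : "";
    reasons.push(`host: allowed ${allowed.host} but page is ${page.host}${hint}`);
  }
  if (allowed.port !== page.port) {
    const show = (p) => p || "default";
    reasons.push(`port: allowed ${show(allowed.port)} but page uses ${show(page.port)}`);
  }
  return reasons;
}

// Constructed sample values taken from the cases listed above.
console.log(diagnoseOrigin("https://example.com", "https://www.example.com"));
console.log(diagnoseOrigin("https://www.example.com", "http://localhost:3000"));
console.log(diagnoseOrigin("example.com", "https://example.com"));
```

In a browser console on the page that hosts the form, pass window.location.origin as the second argument.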