WIKICROOK

Origin validation

A check that verifies whether a web request truly comes from a trusted browser context.

Origin validation is a security check that confirms a web request really came from a trusted browser context, such as the expected site and origin. Web applications use it to distinguish legitimate user actions from requests triggered by another page, tab, or embedded frame. When this check is missing or incorrect, an attacker may trick a victim’s browser into sending authenticated requests that the application should not accept.

This matters because many attacks abuse the browser itself rather than breaking passwords directly. Weak origin validation can lead to cross-site request forgery, session abuse, or unauthorized state changes in apps that handle tokens, account settings, or admin actions. Defenders strengthen it by checking Origin and Referer headers where appropriate, using same-site cookies, requiring CSRF tokens, and rejecting requests from untrusted origins. In practice, origin validation is a key trust-boundary control for any browser-based application.
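One way to implement the header check described above, as an added example rather than code from this page. The allowlisted origin, the function names and the sample requests are constructed, and it assumes GET, HEAD and OPTIONS never change state.

```javascript
// Added example: all names and origins below are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // assumed side-effect free

// Normalise a header value to scheme://host[:port], or null if it is unusable.
function toOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const url = new URL(value);
    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
    return url.origin;
  } catch {
    return null;
  }
}

// Incorrect check kept for comparison: prefix matching accepts look-alike hosts.
function weakCheck(headers) {
  return (headers["origin"] || "").startsWith("https://app.example.test");
}

// Strict check: exact origin match, Referer only as a fallback, fail closed.
function validateOrigin(method, headers, allowed = ALLOWED_ORIGINS) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  const source = headers["origin"] !== undefined ? "origin" : "referer";
  const origin = toOrigin(headers[source]);
  if (origin === null) {
    return { allowed: false, reason: `missing or unusable ${source}` };
  }
  if (!allowed.has(origin)) {
    return { allowed: false, reason: `untrusted ${source}: ${origin}` };
  }
  return { allowed: true, reason: `trusted ${source}` };
}

// Constructed sample requests (lower-cased header names, as Node's http module gives them).
const samples = [
  ["POST", { origin: "https://app.example.test" }],
  ["POST", { origin: "https://app.example.test.other.invalid" }],
  ["POST", { origin: "null" }],
  ["POST", { referer: "https://app.example.test/settings?tab=1" }],
  ["POST", {}],
];
for (const [method, headers] of samples) {
  console.log(method, JSON.stringify(headers), validateOrigin(method, headers));
}
```

A check like this complements SameSite cookies and CSRF tokens rather than replacing them.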
