Retrieving allowed HTTP origins in WordPress with get_allowed_http_origins

The get_allowed_http_origins function is a part of the WordPress core that retrieves a list of allowed HTTP origins. This function is used within the WordPress environment to manage cross-origin resource sharing (CORS). This means it determines which web resources can be shared among different origins, or domains.

The function works by returning an array of domains that are allowed to request data from the server. This array includes the site URL, the home URL, and any additional URLs specified by the allowed_http_origins filter. The function also includes local and network URLs if the WordPress installation is running in a multisite network.

By enabling the control of cross-origin requests, the get_allowed_http_origins function plays a role in the security of a WordPress site. It helps prevent unauthorized sites from requesting and receiving data. This function also aids in the interoperability of web applications by allowing different domains to share resources.


The get_allowed_http_origins function in WordPress does not accept any parameters.

Return Value

This function returns an array of origin URLs in string format, denoted as string[].


How to Get Allowed HTTP Origins in WordPress

The get_allowed_http_origins() function in WordPress is used to retrieve an array of allowed HTTP origins. This is particularly useful when you are dealing with requests from different origins and you want to ensure that only requests from allowed origins are processed. Here is a basic usage of the function:

$allowed_origins = get_allowed_http_origins();

This code snippet simply retrieves the allowed HTTP origins and prints them out. Note that the get_allowed_http_origins() function does not accept any parameters and returns an array of strings, each string being an allowed origin URL.

How to Check if a Specific Origin is Allowed

Another common usage of the get_allowed_http_origins() function is to check if a specific origin is allowed. Here is how you can do it:

$allowed_origins = get_allowed_http_origins();
$origin_to_check = '';

if (in_array($origin_to_check, $allowed_origins)) {
 echo "<p>The origin is allowed.</p>";
} else {
 echo "<p>The origin is not allowed.</p>";

This code snippet checks if the origin ‘’ is in the list of allowed origins. If it is, it prints “The origin is allowed.” If it’s not, it prints “The origin is not allowed.”

How to Add a New Origin to the List of Allowed Origins

While the get_allowed_http_origins() function itself does not allow you to add new origins, you can use the allowed_http_origins filter to add a new origin to the list. Here is an example:

add_filter('allowed_http_origins', 'add_allowed_origins');
function add_allowed_origins($origins) {
 $origins[] = '';
 return $origins;

This code snippet adds ‘’ to the list of allowed origins. It does this by defining a new function add_allowed_origins() that adds the new origin to the array of origins, and then adds this function as a filter for allowed_http_origins.


The get_allowed_http_origins function in WordPress is a security feature that aids in the prevention of Cross-Site Request Forgery (CSRF) attacks. It works by returning an array of allowed HTTP origins, which are essentially URLs that are permitted to make requests to your website. By limiting the origins that can make requests to your site, you can significantly reduce the risk of CSRF attacks. This function is especially useful when you have AJAX requests in your WordPress site, as it allows you to specify which origins are allowed to make these requests.

Related WordPress Functions