Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I want to setup an easier dev environment and want to turn off the 'origin' check to be able to use native tokens in the browser. (Self Hosted Kratos)
```{
	"0": {
		"id": 4000001,
		"text": "The HTTP Request Header included the \"Origin\" key, indicating that this request was made as part of an AJAX request in a Browser. The flow however was initiated as an API request. To prevent potential misuse and mitigate several attack vectors including CSRF, the request has been blocked. Please consult the documentation.",
		"type": "error"
	}
}```
Any way to disable this in the configuration? I couldn't see anything in the documentation.

If it’s only for development, you can set the `DEV_DISABLE_API_FLOW_ENFORCEMENT` env variable to disable the check. This only works, if you also supply the `--dev` flag, though.

Thank you that worked :slightly_smiling_face: yes of course it's for dev only.