Allowed URLs

Each Key can be restricted against a number of URLs. Individual Licensee Keys can also have allowed URLs assigned to them.

Allowed URLs works by matching the Referer and Origin headers of an incoming HTTP request against your list of URLs. If no match is found, a 4011 reply is returned.

If a matching URL is found, the request is allowed to proceed as normal. The Access-Control-Allow-Origin response header is set to the value of the requester's Origin header.

When to use Allowed URLs

Browser-based widgets only. Address Finder, Postcode Lookup, and Address Lookup run in the browser and call our API directly from client code. Their API keys are visible to anyone viewing your site — Allowed URLs is the security boundary that prevents key reuse from other origins.

Backend integrations do not need Allowed URLs. Server-to-server API calls (cleanse, find, lookup) originate from your backend, not the browser. Restrict access via authentication (API key + user token) and your server's own network security. Enabling Allowed URLs on a backend-only key may block legitimate requests from cloud infrastructure (e.g. Vercel Functions, AWS Lambda) or complicate deployments.

Allowed URL Rules

URLs with format *.domain.com

URLs with format *.domain.com will be matched on the parent domain and any subdomains.

For instance, *.domain.com will match domain.com as well as www.domain.com, account.domain.com etc.

Do not include the path or protocol in this URL format.

URLs Beginning with https://...

URLs beginning with http:// or https:// are matched as a prefix: the incoming value must start with the string.

For instance, https://www.example.com will match https://www.example.com/ as well as https://www.example.com/signup.

All other URLs

Strings that do not begin with http[s]:// are matched as substrings: the string may appear anywhere in the incoming value.

For instance, .example.com/signup will match https://www.example.com/signup as well as https://app.example.com/signup.
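
The three rule formats above can be checked against sample header values before a list is saved. The following is an added example, not the service's own code: it models the rules as this page describes them, and the function names, the case-sensitive comparison, and the "either header may match" behaviour are assumptions.

```javascript
// Model of the documented rule formats (added example, not the service's code).
// Assumptions: case-sensitive comparison; either header matching any rule passes.

// Hostname of an Origin/Referer value, or null if it is not an absolute URL.
function hostOf(headerValue) {
  try {
    return new URL(headerValue).hostname;
  } catch {
    return null;
  }
}

function matchesRule(rule, headerValue) {
  if (rule.startsWith("*.")) {
    // *.domain.com: the parent domain and any subdomain (host only).
    const parent = rule.slice(2);
    const host = hostOf(headerValue);
    return host !== null && (host === parent || host.endsWith("." + parent));
  }
  if (/^https?:\/\//.test(rule)) {
    // http(s)://...: the header value must start with the rule string.
    return headerValue.startsWith(rule);
  }
  // All other rules: positive substring match.
  return headerValue.includes(rule);
}

function isAllowed(rules, headers) {
  return [headers.origin, headers.referer]
    .filter((v) => typeof v === "string" && v !== "")
    .some((v) => rules.some((rule) => matchesRule(rule, v)));
}

// For each rule, list which of the sample values it admits.
function auditRules(rules, sampleValues) {
  return Object.fromEntries(
    rules.map((rule) => [rule, sampleValues.filter((v) => matchesRule(rule, v))])
  );
}

// Constructed sample Referer values (example.com / example.net are placeholders).
const SAMPLES = [
  "https://www.example.com/signup",
  "https://app.example.com/signup",
  "https://example.com/",
  "https://www.example.com.example.net/signup", // a different host
];
```

Under this model, the rule https://www.example.com also admits the last sample because the match is a plain string prefix; ending the rule with a trailing slash (https://www.example.com/) confines it to that host.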