This parameter sets a comma-delimited list of external origins (URLs) that are trusted and can access the Planning Analytics database.

Parameter type: optional, dynamic

If the HTTPOriginAllowList parameter is not included in Planning Analytics database configuration, requests from all origins are trusted and granted access to the Planning Analytics database, subject to authentication.

However, when this parameter is set in Planning Analytics database configuration, any incoming request with an Origin header is validated against the URLs specified in HTTPOriginAllowList. An exact match between the Origin header in the incoming request and a URL in HTTPOriginAllowList must be validated before the incoming request is granted access to the Planning Analytics database.

The syntax for an Origin header includes the scheme, hostname, and (optionally) the port that caused the request.

Origin: <scheme>://<hostname>:<port>


The protocol that is used. Usually, it is the HTTP or HTTPS protocol, but ftp, ws, wss, or gopher are also valid.


The domain name or the IP address of the origin server.


The port number on which the server is listening.

Port is optional in an Origin header, but if it is present in the header it must also be included in the URL set in HTTPOriginAllowList for the request to succeed.

Accordingly, the URLs specified in HTTPOriginAllowList use the same syntax of <scheme>://<hostname>:<port>. For example: