HTTP headers / request header
Origin: https://app.example.com
The scheme+host+port of the page making the request. The heart of CORS: servers compare it against their allowlist.
Browsers attach it automatically and you cannot fake it from JS; tools like cURL can — which is why "it works in cURL but not the browser" usually means CORS.
The fastest way to see what Origin is actually doing is to send the request and read both sides raw — ReqPad shows auto-generated and custom headers for every request, on all six protocols, with history. Related references: status codes · Authorization · Accept · Accept-Encoding · Accept-Language · If-None-Match · If-Match
Build the request, send it, read raw headers and timing — from your iPhone. Free to start.