# Allowed URLs

Each Key can be restricted against a number of URLs. Individual Licensee Keys can also have allowed URLs assigned to them.

Allowed URLs works by matching the `Referer` and `Origin` headers of an incoming HTTP request against your list of URLs. If no match is found, a `4011` reply is returned.

If a matching URL is found, the request is allowed to proceed as normal. The `Access-Control-Allow-Origin` response header is set to the value of the requester's `Origin` header.

## Allowed URL Rules

### URLs with format `*.domain.com`

URLs with format `*.domain.com` will be matched on the parent domain and any subdomains.

For instance, `*.domain.com` will match `domain.com` as well as `www.domain.com`, `account.domain.com` etc.

Do not include the path or protocol in this URL format.

### URLs Beginning with `https://...`

URLs beginning with `http://` or `https://` are matched as prefixes: a match is any value that starts with the string.

For instance, `https://www.example.com` will match `https://www.example.com/` as well as `https://www.example.com/signup`.

### All other URLs

Strings which do not begin with `http[s]://` are matched as substrings: a match is any value that contains the string.

For instance, `.example.com/signup` will match `https://www.example.com/signup` as well as `https://app.example.com/signup`.
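
The three rule types above, modelled as an added example (not the service's own code) so that a rule list can be checked against values you expect to pass and values you expect to fail. The host-name handling for `*.` rules, the function names and the sample URLs are assumptions; the page does not say how a request carrying both headers is decided, so the model tests one header value at a time.

```python
from urllib.parse import urlsplit

def rule_matches(rule: str, header_value: str) -> bool:
    """Apply one allowed-URL rule to a Referer or Origin header value."""
    if rule.startswith("*."):
        # Wildcard rule: compare host names only. Assumed here: the parent
        # domain itself or any dot-separated subdomain, case-insensitive.
        domain = rule[2:].lower()
        host = (urlsplit(header_value).hostname or "").lower()
        return host == domain or host.endswith("." + domain)
    if rule.startswith(("http://", "https://")):
        # Scheme rule: literal prefix match on the whole header value.
        return header_value.startswith(rule)
    # Any other rule: plain substring match.
    return rule in header_value

def is_allowed(rules, header_value):
    return any(rule_matches(rule, header_value) for rule in rules)

def audit(rules, expect_allowed, expect_denied):
    """Return (actual_result, url) for every URL that behaves unexpectedly."""
    surprises = [("denied", u) for u in expect_allowed if not is_allowed(rules, u)]
    surprises += [("allowed", u) for u in expect_denied if is_allowed(rules, u)]
    return surprises

# Rules taken from the examples on this page.
RULES = ["*.domain.com", "https://www.example.com", ".example.com/signup"]
# Same list with the scheme rule ended by "/" so the host name is pinned.
TIGHTER_RULES = ["*.domain.com", "https://www.example.com/", ".example.com/signup"]

# Constructed Referer-style values (with a path) for the audit.
SHOULD_MATCH = [
    "https://domain.com/",
    "https://account.domain.com/settings",
    "https://www.example.com/",
    "https://www.example.com/signup",
    "https://app.example.com/signup",
]
SHOULD_NOT_MATCH = [
    "https://notdomain.com/",               # shares a suffix, not a subdomain
    "https://www.example.com.other.test/",  # longer host, same leading characters
]

if __name__ == "__main__":
    for name, rules in (("page rules", RULES), ("tighter rules", TIGHTER_RULES)):
        print(name, audit(rules, SHOULD_MATCH, SHOULD_NOT_MATCH))
```

Under literal prefix matching, ending a scheme rule with `/` pins the host name. `Origin` values carry no path, so test such a rule against both header forms before relying on it.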
