# [origins] Problems with referrer/origin validation It's not unusual to use regex for `Referer` or `Origin` headers validation. Often it is needed for setting the `X-Frame-Options` header (ClickJacking protection) or Cross-Origin Resource Sharing. The most common errors with this configuration are: - regex errors; - allow 3rd-party origins. > Notice: by default Gixy doesn't check regexes for 3rd-party origins matching. > You can pass a list of trusted domains by using the option `--origins-domains example.com,foo.bar` ## How can I find it? "Eazy"-breezy: - you have to find all the `if` directives that are in charge of `$http_origin` or `$http_referer` check; - make sure your regexes are a-ok. Misconfiguration example: ```nginx if ($http_origin ~* ((^https://www\.yandex\.ru)|(^https://ya\.ru)/)) { add_header 'Access-Control-Allow-Origin' "$http_origin"; add_header 'Access-Control-Allow-Credentials' 'true'; } ``` TODO(buglloc): cover typical regex-writing problems TODO(buglloc): Regex Ninja? ## What can I do? - fix your regex or toss it away :) - if you use regex validation for `Referer` request header, then, possibly (not 100%), you could use [ngx_http_referer_module](http://nginx.org/en/docs/http/ngx_http_referer_module.htmll); - sometimes is much better to use `map` directive without any regex at all.