> ## Documentation Index
> Fetch the complete documentation index at: https://docs.fingerprint.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Request filtering for websites

To prevent malicious actors from misusing your public API key, you can [filter out unwanted identification requests](/docs/request-filtering). These requests are not billed and will receive an error instead of the identification result.

This page covers filtering requests made from web browsers. You can filter requests by **website origin** or **HTTP headers**. To block requests from mobile apps, see [Request filtering for mobile apps](/docs/mobile-app-filtering).

## Configuration

Inside the Dashboard, navigate to **Security** in the left-hand menu.

### Filter by website origin

You can create a *blocklist* or *allowlist* of specific origins.

* *Allowlist*: If you only need to use your public API key on a few origins, you should allow only those origins and block all others.
* *Blocklist*: If you need to use your public API key on many origins, you can choose to only block specific origins you suspect might be stealing your API key.

<img src="https://mintcdn.com/fingerprint/JTUbc3rQcwtp3hbV/images/5d8aa97a2eb045f5eb351b7d902baef28ad2f46c534d486fd0f8e796cfecd2af-CleanShot_2024-11-06_at_13.12.432x.png?fit=max&auto=format&n=JTUbc3rQcwtp3hbV&q=85&s=1a9499b75893d7dea6cc570e203d1227" alt="Screenshot of how to configure request filtering in the FingerprintJS dashboard" width="3162" height="1292" data-path="images/5d8aa97a2eb045f5eb351b7d902baef28ad2f46c534d486fd0f8e796cfecd2af-CleanShot_2024-11-06_at_13.12.432x.png" />

To filter requests by origin:

1. Navigate to the **[Security](https://dashboard.fingerprint.com/traffic-rules)** > **Web**.
2. Under **Websites**, click **Configure**.
3. To create an *Allowlist*, set **Default behavior** to  `Forbid all besides origins listed below`. Then fill in the **Exceptions** field with your list of allowed origins.
4. Alternatively, to create a *Blocklist*, set **Default behavior** to  `Allow all besides origins listed below`. Then fill in the **Exceptions** field with your list of blocked origins.
5. Click **Save**.

<img src="https://mintcdn.com/fingerprint/JTUbc3rQcwtp3hbV/images/039477816b4223941c3b968bdd8a48f1cae44bfc73542bf2bf84cb6bde744670-CleanShot_2024-11-06_at_13.17.112x.png?fit=max&auto=format&n=JTUbc3rQcwtp3hbV&q=85&s=2feb84027666997e1d6b0340c800132a" alt="Screenshot of the form required to set up an origin allowlist" width="1982" height="1322" data-path="images/039477816b4223941c3b968bdd8a48f1cae44bfc73542bf2bf84cb6bde744670-CleanShot_2024-11-06_at_13.17.112x.png" />

<Note>
  A website origin is defined by the scheme and the domain name of the URL used to access it.\
  You can use the wildcard character (\*) as a subdomain name.
</Note>

### Filter by HTTP header

You can filter out identification requests by HTTP headers. Requests you might want to filter out include server-side rendering applications, crawlers, search indexing bots, or website availability monitors.

To filter requests by HTTP header:

1. Navigate to the **[Security](https://dashboard.fingerprint.com/traffic-rules)** > **Web**.
2. Under **Forbidden HTTP Headers**, click **Add rule**.
3. Fill in the **Header** name.
4. Choose your **Match Rule**.
5. Fill in the **Value**. You can use regular expressions.

<img src="https://mintcdn.com/fingerprint/JTUbc3rQcwtp3hbV/images/43dc9c2df32ce649ea1a03ec3b9c59de2eb0dc2b4d946bbf1581fc341b1601b0-CleanShot_2024-11-06_at_13.18.372x.png?fit=max&auto=format&n=JTUbc3rQcwtp3hbV&q=85&s=38aebf331779ce322f4c00e3ba788969" alt="Screenshot of the form required to create an HTTP header rule" width="1978" height="1610" data-path="images/43dc9c2df32ce649ea1a03ec3b9c59de2eb0dc2b4d946bbf1581fc341b1601b0-CleanShot_2024-11-06_at_13.18.372x.png" />

<Note>
  **Regular expressions in header rules**

  The regular expression (regex) match rule is defined by the [RE2](https://github.com/google/re2) notation. To make sure you are using the correct notation, you can:

  1. Go to [regex101.com](https://regex101.com/).
  2. Select the **Golang Flavor** option on the left.
  3. Debug the regular expression to suit your needs.
  4. Copy the **Regular expression** and paste it into the **Value** field in the rule form as-is.
</Note>

## Limitations

* The maximum number of request filtering rules on the web is defined by [Account limits](/docs/billing#account-limits). If you need more request filtering rules, please reach out to our [support team](https://fingerprint.com/support/).
* It can take up to 5 minutes to start filtering incoming requests after creating or editing an origin or header rule.

## Rule Priority and Examples

If *any* rule matches, the request filtering processing stops, and the result is immediately applied. This has clear interaction when only **Forbidden Origins** rules are set up but might be less clear when both **Allowed Origins** and **Forbidden HTTP Headers** rules are involved. The basic precedence is as follows:

1. **Allowed/Forbidden Origins** rules are checked **first**.
2. **Forbidden HTTP Headers** rules are checked **second**.

Let us illustrate that interaction on a more specific example.

### Rules Configuration

We'll configure two different rules

* one is going to whitelist our own website (`https://example.com`) and
* the second one is going to further prohibit any headers coming from `somesocialnetwork` **Referer**.

<img src="https://mintcdn.com/fingerprint/JTUbc3rQcwtp3hbV/images/60265d96e20e7d76d531f2f14006ed4f463fc4b0759fcd1195999893b8ab4e96-CleanShot_2024-11-06_at_13.23.032x.png?fit=max&auto=format&n=JTUbc3rQcwtp3hbV&q=85&s=ddef2c5e5baa7d66c5beeff508ce8e56" alt="Allowed Origins + Forbidden HTTP Headers rules" width="2634" height="1066" data-path="images/60265d96e20e7d76d531f2f14006ed4f463fc4b0759fcd1195999893b8ab4e96-CleanShot_2024-11-06_at_13.23.032x.png" />

### Result

Because the **Allowed Origins** rule has strict precedence, we will see the following result.

| Origin                | Headers                        | Result      |
| :-------------------- | :----------------------------- | :---------- |
| `https://example.com` | Referer: somesocialnetwork.com | **`ALLOW`** |

As you can see on the example, the request came through because the **Allow Origins** rule was applied first, and that stopped the processing despite having somesocialnetwork.com as a **Referer**.
