Match Origin to Host
To prevent cross-site request forgery, if the Origin header line is present, the HTTP interface must match it to the Host header. If it does not match, the request must be rejected (presumably with error 403, or maybe 401?).
If the Origin header line is not present, then there is nothing to do; this preserves compatibility with non-web-based controls.
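One way to implement this check, as an added example that is not the project's own code. It assumes the request headers arrive as a dict with canonical `Origin` and `Host` keys and that the server knows which scheme it is serving; `origin_matches_host`, `_split_authority` and `request_scheme` are hypothetical names, and the host names in the test inputs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_authority(authority, default_port):
    """Return (lowercased host, port) for 'host[:port]', or None if malformed."""
    try:
        parts = urlsplit("//" + authority)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return None
    if not host or parts.username or parts.path or parts.query or parts.fragment:
        return None
    return host, (port if port is not None else default_port)


def origin_matches_host(headers, request_scheme="http"):
    """True if the request may proceed, False if it must be rejected.

    headers: dict of request headers (assumed canonical key names).
    request_scheme: scheme the server is serving, used only to fill in
    the default port when the Host header omits one.
    """
    origin = headers.get("Origin")
    if origin is None:
        return True  # no Origin header: nothing to do (non-web clients)
    host_header = headers.get("Host")
    if host_header is None:
        return False  # Origin present but nothing to match it against
    try:
        o = urlsplit(origin)
    except ValueError:
        return False
    # Origin must be exactly scheme://host[:port]; this also rejects the
    # opaque origin "null", which parses with an empty scheme.
    if o.scheme not in DEFAULT_PORTS or o.path or o.query or o.fragment:
        return False
    origin_auth = _split_authority(o.netloc, DEFAULT_PORTS[o.scheme])
    host_auth = _split_authority(host_header, DEFAULT_PORTS[request_scheme])
    # Compare parsed (host, port) pairs, never raw strings or prefixes.
    return origin_auth is not None and origin_auth == host_auth
```

The caller sends the rejection status when this returns False. Comparing parsed host and port pairs avoids both false rejections (case differences, explicit default port) and false accepts from prefix or substring matching.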