Whitelisting Orshot

Identify and whitelist Orshot traffic using response and request headers

All API responses from Orshot include an X-Orshot-API: true header. You can use this to identify and whitelist Orshot traffic in your infrastructure.

Identification Header

Every response from the Orshot API includes:

HeaderValue
X-Orshot-APItrue

How to Whitelist

If your infrastructure uses an anti-bot or WAF system that blocks requests from Orshot, you can whitelist traffic by checking for the X-Orshot-API header.

What Requests Does Orshot Make?

Orshot may make outbound requests to your infrastructure in these cases:

  • Website screenshots — Orshot visits a URL with a headless browser to capture a screenshot when using the website screenshot template
  • Image fetching — When your template references external image URLs, Orshot fetches them to include in the render
  • Webhook delivery — If you have webhooks configured, Orshot sends POST requests to your endpoint with render results

Common WAF Configuration Examples

Cloudflare

Create a WAF custom rule:

  • Field: Header — X-Orshot-API
  • Operator: equals
  • Value: true
  • Action: Allow

AWS WAF

Add a string match condition:

  • Header: X-Orshot-API
  • Match type: Exactly matches
  • Value: true

Nginx

if ($http_x_orshot_api = "true") {
    set $allow_bot 1;
}

All Set? Let's Start Automating

Get Your API Key →
  • Image, PDF and Video Generation via API
  • Canva like editor with AI and smart features
  • No-Code Integrations (Zapier, Make, n8n etc.)
  • Embed Orshot Studio in your app
  • Start Free. No credit card required. Cancel anytime.