Whitelisting Orshot

Identify and whitelist Orshot traffic using response and request headers


All API responses from Orshot include an X-Orshot-API: true header. You can use this to identify and whitelist Orshot traffic in your infrastructure.

Identification Header

Every response from the Orshot API includes:

Header          Value
X-Orshot-API    true

How to Whitelist

If your infrastructure uses an anti-bot or WAF system that blocks requests from Orshot, you can whitelist traffic by checking for the X-Orshot-API header.

What Requests Does Orshot Make?

Orshot may make outbound requests to your infrastructure in these cases:

  • Website screenshots — Orshot visits a URL with a headless browser to capture a screenshot when using the website screenshot template
  • Image fetching — When your template references external image URLs, Orshot fetches them to include in the render
  • Webhook delivery — If you have webhooks configured, Orshot sends POST requests to your endpoint with render results

Common WAF Configuration Examples

Cloudflare

Create a WAF custom rule:

  • Field: Header — X-Orshot-API
  • Operator: equals
  • Value: true
  • Action: Allow

AWS WAF

Add a string match condition:

  • Header: X-Orshot-API
  • Match type: Exactly matches
  • Value: true

Nginx

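# Place inside a server or location block.
# $allow_bot is only a flag: your own blocking rule must read it.
if ($http_x_orshot_api = "true") {
    set $allow_bot 1;
}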
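
An added example (not from Orshot's documentation) that extends the Nginx snippet above into a complete http-level configuration. Because X-Orshot-API: true is a fixed value that any client can send, it limits the bypass to the paths used for image fetching and webhook delivery and keeps rate limiting on them. The hostname, paths, upstream address, variable and zone names, and the User-Agent bot check are assumptions standing in for your own setup.

```nginx
# Added example; goes in the http {} context. Hypothetical: example.com,
# /assets/, /hooks/orshot, 127.0.0.1:8080 and all variable/zone names.

# 1 only when the request header is exactly "true".
map $http_x_orshot_api $orshot_hdr {
    default 0;
    "true"  1;
}

# Stand-in for your existing bot detection (a crude User-Agent match).
map $http_user_agent $ua_is_bot {
    default 0;
    "~*(headless|bot|crawler)" 1;
}

# Block flagged clients unless they carry the header.
map "$ua_is_bot:$orshot_hdr" $deny_bot {
    default 0;
    "1:0"   1;
}

# The header is not proof of origin, so allowed paths stay rate limited.
limit_req_zone $binary_remote_addr zone=orshot_paths:10m rate=10r/s;

server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Image fetching: header bypass applies.
    location /assets/ {
        limit_req zone=orshot_paths burst=20 nodelay;
        if ($deny_bot) { return 403; }
    }

    # Webhook delivery: POST only, header bypass applies.
    location = /hooks/orshot {
        limit_except POST { deny all; }
        limit_req zone=orshot_paths burst=20 nodelay;
        if ($deny_bot) { return 403; }
        proxy_pass http://127.0.0.1:8080;
    }

    # Everywhere else the header is ignored; add a location like the ones
    # above for any page Orshot should be able to screenshot.
    location / {
        if ($ua_is_bot) { return 403; }
    }
}
```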
