# Whitelisting Orshot

> Identify and whitelist Orshot traffic using response and request headers

- **URL**: https://orshot.com/docs/misc/whitelisting-orshot

---

All API responses from Orshot include an `X-Orshot-API: true` header. You can use this to identify and whitelist Orshot traffic in your infrastructure.

## Identification Header

Every response from the Orshot API includes:

| Header         | Value  |
| -------------- | ------ |
| `X-Orshot-API` | `true` |

## How to Whitelist

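If your infrastructure uses an anti-bot or WAF system that blocks requests from Orshot, you can whitelist traffic by checking for the `X-Orshot-API` header. The header is a fixed value that any client can send, so scope the allow rule to the paths Orshot needs to reach rather than applying it site-wide.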

## What Requests Does Orshot Make?

Orshot may make outbound requests to your infrastructure in these cases:

- **Website screenshots** — Orshot visits a URL with a headless browser to capture a screenshot when using the website screenshot template
- **Image fetching** — When your template references external image URLs, Orshot fetches them to include in the render
- **Webhook delivery** — If you have webhooks configured, Orshot sends POST requests to your endpoint with render results

## Common WAF Configuration Examples

### Cloudflare

Create a WAF custom rule:

- **Field:** Header — `X-Orshot-API`
- **Operator:** equals
- **Value:** `true`
- **Action:** Allow

### AWS WAF

Add a string match condition:

- **Header:** `X-Orshot-API`
- **Match type:** Exactly matches
- **Value:** `true`

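### Nginx

```nginx
# Flag requests that carry X-Orshot-API: true; reference $allow_bot in your bot-blocking rules.
set $allow_bot 0;
if ($http_x_orshot_api = "true") {
    set $allow_bot 1;
}
```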
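The snippet above only sets a flag. As an added example (not from the Orshot documentation), the configuration below shows one way to act on the same header check, assuming the control that blocks Orshot is nginx's per-client rate limiting. The variable names, the zone name `per_client`, the upstream `app_backend` and `example.com` are placeholders.

```nginx
# Added example; all names below are hypothetical placeholders.
# These directives belong in the http {} context.

# 1 when the request carries X-Orshot-API with the exact value "true"
# (the "~" prefix makes this a case-sensitive regex match).
map $http_x_orshot_api $orshot_allowed {
    default   0;
    "~^true$" 1;
}

# limit_req does not count requests whose key is empty, so flagged
# requests skip the limit; all others are keyed by client address.
map $orshot_allowed $rate_limit_key {
    1       "";
    default $binary_remote_addr;
}

limit_req_zone $rate_limit_key zone=per_client:10m rate=5r/s;

upstream app_backend {
    server 127.0.0.1:8080;  # placeholder application server
}

server {
    listen 80;
    server_name example.com;  # placeholder

    location / {
        limit_req zone=per_client burst=10 nodelay;
        proxy_pass http://app_backend;
    }
}
```

Placing the `limit_req` line only in the locations Orshot needs (for example, the webhook endpoint or the image paths your templates reference) keeps the exemption narrow.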