Add default Origin header for HTTP requests when testing apps

[rdehnhardt]

Description

When testing applications that use Laravel Sanctum in statefulApi mode, Pest tests fail to authenticate stateful requests because the HTTP client does not include the Origin or Referer headers by default.

This causes Sanctum’s EnsureFrontendRequestsAreStateful middleware to not recognize the request as coming from a “first-party” frontend, since the following check fails:

$domain = $request->headers->get('referer') ?: $request->headers->get('origin');

In a test environment, both values are null, leading to unexpected authentication failures even when the application is correctly configured.

---

Current Workaround

Developers currently need to manually add the header in every test:

$this->withHeader('Origin', 'http://localhost')
    ->postJson(route('create-token'), [...])
    ->assertStatus(200);

Or globally in Pest.php:

pest()->beforeEach(fn() => $this->withHeader('Origin', 'https://localhost'));

While this workaround is effective, it adds unnecessary boilerplate to every Sanctum-based test suite.

---

Proposed Solution

Pest could automatically inject a default Origin header for all HTTP requests made via $this->get(), $this->postJson(), $this->putJson(), etc.

The default value could be configurable via an environment variable, for example:

PEST_HTTP_ORIGIN=http://localhost

If no value is provided, Pest could fall back to http://localhost.

---

Benefits

• Simplifies writing HTTP tests for applications using Laravel Sanctum in stateful mode.
• Reduces boilerplate and improves developer experience.
• Makes Pest’s default behavior more consistent with typical local testing environments.
• Avoids confusion for new users encountering EnsureFrontendRequestsAreStateful issues in tests.

---

Potential Considerations

• The header injection should only happen if the request does not already include an Origin or Referer.

• This feature could be optional and toggled via a configuration flag, such as:

  PEST_HTTP_AUTO_ORIGIN=true

---

Example Behavior

Before:
Sanctum requests fail because no Origin header is present.

After:
Sanctum recognizes the request as coming from http://localhost, and stateful authentication works automatically.

---

Environment

• Pest version: X.Y.Z
• Laravel version: 11.x / 12.x
• PHP version: 8.3
• Testing driver: Laravel HTTP client

---

Summary

This small improvement would make Pest tests work seamlessly with Sanctum’s stateful authentication mode out of the box, reducing friction for developers and improving the overall testing experience.

Thanks for considering this enhancement! 🙌