diff --git a/admin.php b/admin.php
index fbfbbc1..f24c5c0 100644
--- a/admin.php
+++ b/admin.php
@@ -41,7 +41,7 @@ define('ADMIN_USER', 'hyzen');
 $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
 $allowed_origins = ['https://freedoms4.org', 'https://www.freedoms4.org'];
-if ($origin && !in_array($origin, $allowed_origins, true)) {
+if (!$origin || !in_array($origin, $allowed_origins, true)) {
 http_response_code(403);
 header('Content-Type: application/json; charset=utf-8');
 echo json_encode(['success' => false, 'message' => 'Forbidden.']);
diff --git a/auth.php b/auth.php
index f31164e..0fd624c 100644
--- a/auth.php
+++ b/auth.php
@@ -49,7 +49,7 @@ define('MAX_BODY_BYTES', 4096);
 $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
 $allowed_origins = ['https://freedoms4.org', 'https://www.freedoms4.org'];
-if ($origin && !in_array($origin, $allowed_origins, true)) {
+if (!$origin || !in_array($origin, $allowed_origins, true)) {
 http_response_code(403);
 header('Content-Type: application/json; charset=utf-8');
 echo json_encode(['success' => false, 'message' => 'Forbidden.']);
diff --git a/comments.php b/comments.php
index a7643f0..f57b8c4 100644
--- a/comments.php
+++ b/comments.php
@@ -40,7 +40,7 @@ define('MAX_COMMENT_LEN', 2000);
 $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
 $allowed_origins = ['https://freedoms4.org', 'https://www.freedoms4.org'];
-if ($origin && !in_array($origin, $allowed_origins, true)) {
+if (!$origin || !in_array($origin, $allowed_origins, true)) {
 http_response_code(403);
 header('Content-Type: application/json; charset=utf-8');
 echo json_encode(['success' => false, 'message' => 'Forbidden.']);
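Review bot: The new condition `!$origin || !in_array(...)` in admin.php also rejects every request that carries no Origin header, and browsers commonly omit Origin on same-origin GET and HEAD requests, so any read path behind this guard (comments.php looks like a candidate, though its method handling is outside the hunk) would start answering 403 to the site's own pages. The identical line is changed in the auth.php and comments.php hunks. Consider requiring the header only for state-changing methods: `$is_write = !in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD', 'OPTIONS'], true);` followed by `if (($is_write && !$origin) || ($origin && !in_array($origin, $allowed_origins, true))) {`. Origin is supplied by the client, so this guard is CSRF hardening for browsers only, and the session or credential checks further down (not visible here) still have to carry the access control. The allow-list and guard are copied in three files, so a shared include would keep them from drifting apart.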