Using simple glob patterns

• If origin = * do nothing
• If origin matches https://*.domain.com evaluate and resolve origin on every request using Referer header
• If origin contains command, treat it as list of URIs, evaluate every item in list
• If no origin match, deny request with 400 Bad Request