diff --git a/functions/api/reports/submit.ts b/functions/api/reports/submit.ts
index 7e901a5..eefb907 100644
--- a/functions/api/reports/submit.ts
+++ b/functions/api/reports/submit.ts
@@ -37,6 +37,9 @@ export async function onRequestPost(context: RequestContext) {
 if (!success) return errorResponse("Captcha test failed", 403);
 }
+ const origin = context.request.headers.get("Origin");
+ if (!origin) return errorResponse("No origin header", 400);
+
 if (bypass && !(context.data.current_user?.permissions & (1 << 5)))
 return errorResponse("Bypass directive cannot be used", 403);
@@ -178,6 +181,7 @@ export async function onRequestPost(context: RequestContext) {
 `t/${fileUploadKey}`,
 file.size,
 fileExten,
+ origin,
 ),
 );
 }
diff --git a/functions/gcloud.ts b/functions/gcloud.ts
index b10284c..96e3110 100644
--- a/functions/gcloud.ts
+++ b/functions/gcloud.ts
@@ -17,6 +17,7 @@ export async function GenerateUploadURL(
 path: string,
 size: number,
 fileExt: string,
+ origin: string,
 ): Promise {
 const accessToken = await GetAccessToken(env);
 const contentTypes: { [k: string]: string } = {
@@ -43,10 +44,7 @@ export async function GenerateUploadURL(
 {
 headers: {
 authorization: `Bearer ${accessToken}`,
- origin: typeof env.LOCAL === "undefined" ? "https://carcrushers.cc" : "http://localhost:8788",
+ origin,
 "x-upload-content-type": contentTypes[fileExt],
 "x-upload-content-length": size.toString(),
 },
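Review bot: The `origin` read from the request header in the first submit.ts hunk is client-controlled and only checked for being non-empty, yet the second submit.ts hunk passes it into GenerateUploadURL, where the gcloud.ts hunks send it to Google as the upload session's `origin` header in place of the previous fixed `https://carcrushers.cc` / `http://localhost:8788` value. Any caller that gets past the captcha can therefore bind the upload session to an origin of its choosing, and the literal string `null` that browsers send for opaque origins is truthy and passes the `!origin` check too. Keeping the old restriction means comparing against the values the code used to hard-code: `const allowedOrigins = typeof context.env.LOCAL === "undefined" ? ["https://carcrushers.cc"] : ["https://carcrushers.cc", "http://localhost:8788"];` followed by `if (!origin || !allowedOrigins.includes(origin)) return errorResponse("Origin not allowed", 403);`. This assumes the bindings are reachable as `context.env` in this handler, which is the usual shape for a Pages Function but not visible in the hunk. The enclosing onRequestPost starts and ends outside these hunks.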
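Review bot: The new `origin: string` parameter in the GenerateUploadURL signature hunk is undocumented, and the later hunk shows the function forwards it to the upload-session request without any check of its own, so the contract that the caller has already validated the value should be stated where the parameter is declared. A TSDoc line such as `@param origin - Origin (scheme://host[:port]) sent as the session's \`origin\` header; forwarded unchanged, so the caller must have validated it against the allowed origins` makes that responsibility explicit for future callers. The enclosing GenerateUploadURL begins before this hunk and its body continues past it.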