diff --git a/README.md b/README.md
index ce9d67d..0595e8e 100644
--- a/README.md
+++ b/README.md
@@ -22,9 +22,9 @@ Heroku can be found at https://devcenter.heroku.com/articles/nodejs.
 var host = process.env.PORT ? '0.0.0.0' : '127.0.0.1';
 var port = process.env.PORT || 8080;
-var cors_proxy = require("cors-anywhere");
+var cors_proxy = require('cors-anywhere');
 cors_proxy.createServer({
- requireHeader: 'x-requested-with',
+ requireHeader: ['origin', 'x-requested-with'],
 removeHeaders: ['cookie', 'cookie2']
 }).listen(port, host, function() {
 console.log('Running CORS Anywhere on ' + host + ':' + port);
@@ -60,8 +60,8 @@ The module exports two properties: `getHandler` and `createServer`.
 * `createServer(options)` creates a server with the default handler.
 The following options are recognized by both methods:
-* string `requireHeader` - If set, the request must include this header or the API will refuse to proxy.
- Recommended if you want to prevent users from using the proxy for browsing. Example: `X-Requested-With`
+* array of strings `requireHeader` - If set, the request must include this header or the API will refuse to proxy.
+ Recommended if you want to prevent users from using the proxy for normal browsing. Example: `['Origin', 'X-Requested-With']`.
 * array of lowercase strings `removeHeaders` - Exclude certain headers from being included in the request.
 Example: `["cookie"]`
diff --git a/demo.html b/demo.html
index 7c69de0..b053041 100644
--- a/demo.html
+++ b/demo.html
@@ -69,7 +69,6 @@ textarea {
 function doCORSRequest(options, redirectCount) {
 var x = new XMLHttpRequest();
 x.open(options.method, cors_api_url + options.url);
- x.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
 x.onload = function() {
 if (x.status === 333) {
diff --git a/lib/cors-anywhere.js b/lib/cors-anywhere.js
index 058f033..1aaf44c 100644
--- a/lib/cors-anywhere.js
+++ b/lib/cors-anywhere.js
@@ -2,7 +2,7 @@
 // Released under the MIT license
 'use strict';
-/* jshint node:true, eqnull:true, sub:true */
+/* jshint node:true, eqnull:true, sub:true, quotmark:single */
 var httpProxy = require('http-proxy');
 var net = require('net');
@@ -113,7 +113,7 @@ function proxyRequest(req, res, proxy, full_url, proxyOptions) {
 }
-// Called on every request
+// Request handler factory
 var getHandler = exports.getHandler = function(options) {
 var corsAnywhere = {
 requireHeader: null, // Require a header to be set?
@@ -126,6 +126,23 @@ var getHandler = exports.getHandler = function(options) {
 }
 });
 }
+ // Convert corsAnywhere.requireHeader to an array of lowercase header names, or null.
+ if (corsAnywhere.requireHeader) {
+ if (typeof corsAnywhere.requireHeader === 'string') {
+ corsAnywhere.requireHeader = [corsAnywhere.requireHeader];
+ } else if (!Array.isArray(corsAnywhere.requireHeader) || corsAnywhere.requireHeader.length === 0) {
+ corsAnywhere.requireHeader = null;
+ } else {
+ corsAnywhere.requireHeader = corsAnywhere.requireHeader.map(function(headerName) {
+ return headerName.toLowerCase();
+ });
+ }
+ }
+ var hasRequiredHeaders = function(headers) {
+ return !corsAnywhere.requireHeader || corsAnywhere.requireHeader.some(function(headerName) {
+ return Object.hasOwnProperty.call(headers, headerName);
+ });
+ };
 return function(req, res, proxy) {
 var cors_headers = withCORS({}, req);
@@ -164,9 +181,9 @@ var getHandler = exports.getHandler = function(options) {
 res.writeHead(404, 'Invalid host', cors_headers);
 res.end();
 return;
- } else if (corsAnywhere.requireHeader != null && req.headers[corsAnywhere.requireHeader.toLowerCase()] == null) {
+ } else if (!hasRequiredHeaders(req.headers)) {
 res.writeHead(400, 'Header required', cors_headers);
- res.end('Missing ' + corsAnywhere.requireHeader + ' header!');
+ res.end('Missing required request header. Must specify one of: ' + corsAnywhere.requireHeader);
 return;
 } else {
 full_url = match[0].substr(1);
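Review bot: The string branch of the new normalisation wraps the value as `[corsAnywhere.requireHeader]` but never lowercases it, whereas the removed check called `.toLowerCase()` on the configured name before looking it up in `req.headers`. A mixed-case string such as `requireHeader: 'X-Requested-With'` (the example the README used to give) would therefore no longer match, assuming `req.headers` keys are lowercase as the old code implied, and every request would get the 400; use `corsAnywhere.requireHeader = [corsAnywhere.requireHeader.toLowerCase()];`. The following `else if` fails the other way: any truthy value that is neither a string nor a non-empty array is silently set to `null`, which makes `hasRequiredHeaders` return true for every request and switches the restriction off. For an option meant to limit who can use the proxy, rejecting an unsupported type at startup (for example `throw new TypeError('requireHeader must be a string or an array of strings');`) is safer than disabling the check. `getHandler` starts before this hunk and continues after it.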
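Review bot: The new 400 body builds its header list with `'... Must specify one of: ' + corsAnywhere.requireHeader`, which relies on implicit Array-to-string coercion and prints the names comma-joined without spaces; `corsAnywhere.requireHeader.join(', ')` states the intent and is easier for a client to read. The branch would also benefit from a comment recording what `hasRequiredHeaders` actually enforces, e.g. `// Any one listed header being present is enough; the value is not inspected. This deters casual browsing, it is not authentication.` The handler function containing this branch begins and ends outside the hunk.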
diff --git a/lib/help.txt b/lib/help.txt
index 6f74e35..35a0713 100644
--- a/lib/help.txt
+++ b/lib/help.txt
@@ -20,7 +20,9 @@ the information is available in the status text as " ",
diff --git a/server.js b/server.js
index 9bd9d03..129fdf2 100644
--- a/server.js
+++ b/server.js
@@ -2,9 +2,9 @@
 var host = process.env.PORT ? '0.0.0.0' : '127.0.0.1';
 var port = process.env.PORT || 8080;
-var cors_proxy = require("./lib/cors-anywhere");
+var cors_proxy = require('./lib/cors-anywhere');
 cors_proxy.createServer({
- requireHeader: 'x-requested-with',
+ requireHeader: ['origin', 'x-requested-with'],
 removeHeaders: [
 'cookie',
 'cookie2',