diff --git a/app/controllers/api/v1/base_controller.rb b/app/controllers/api/v1/base_controller.rb
index 3ca30168..2d58187c 100644
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@@ -26,6 +26,11 @@ module Api
 def origin
 request.headers['Origin']
 end
+
+ # Los navegadores antiguos no envĂ­an Origin
+ def origin?
+ !origin.blank?
+ end
 end
 end
 end
diff --git a/app/controllers/api/v1/protected_controller.rb b/app/controllers/api/v1/protected_controller.rb
index bce9555c..7c453095 100644
--- a/app/controllers/api/v1/protected_controller.rb
+++ b/app/controllers/api/v1/protected_controller.rb
@@ -85,7 +85,7 @@ module Api
 # XXX: Este header se puede falsificar de todas formas pero al
 # menos es una trampa.
 def site_is_origin?
- return if site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
+ return if origin? && site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
 @reason = 'site_is_not_origin'
 head :precondition_required
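Review bot: The comment above the new `origin?` predicate is mis-encoded ("envĂ­an" is the UTF-8 bytes of "envían" read as another encoding), so it should be rewritten as `# Los navegadores antiguos no envían Origin` or, matching the rest of the English-facing API, `# Older browsers and some non-browser clients do not send Origin`. The body `!origin.blank?` reads more naturally as `origin.present?`, which is the same ActiveSupport check without the negation. Since `origin` reads a request header, it is also worth documenting here that a true result only says the header is non-empty, not that its value is trustworthy; the caller in protected_controller.rb is the one that validates it.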
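Review bot: The new guard still compares the Origin header with `start_with?`, so a prefix match is accepted rather than an exact one; if `site.urls(slash: false)` yields origin-shaped values (scheme://host[:port]), a header whose value merely begins with one of them would also satisfy the check. A browser-sent Origin has no path component, so the comparison should be equality, `return if origin? && site.urls(slash: false).any? { |u| origin == u }`; if the site URLs can carry a path, parse both sides with `URI` and compare scheme, host and port instead. Once `origin?` guards the expression, `origin.to_s` is redundant. The `@reason` assignment and `head :precondition_required` that follow are unchanged, and `site_is_origin?` continues past the end of the hunk.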