You have an application that uses an HTTP Cloud Function to process user activity from both desktop browser and mobile app clients. This function serves as the endpoint for all metric submissions via HTTP POST.

Due to legacy constraints, the function must be mapped to a separate domain (https://fn.example.com) from the one used by web or mobile clients (https://www.example.com). To ensure only these browser and mobile sessions can submit metrics to the Cloud Function, which HTTP response header should you configure?