diff --git a/docroot/modules/custom/foia_api/src/Plugin/rest/resource/WebformSubmissionResource.php b/docroot/modules/custom/foia_api/src/Plugin/rest/resource/WebformSubmissionResource.php
index 4c2faf8ce..c09546f0d 100644
--- a/docroot/modules/custom/foia_api/src/Plugin/rest/resource/WebformSubmissionResource.php
+++ b/docroot/modules/custom/foia_api/src/Plugin/rest/resource/WebformSubmissionResource.php
@@ -128,6 +128,13 @@ public function post($data) {
 $this->logSubmission($statusCode, $message);
 return new ModifiedResourceResponse(['errors' => $message], $statusCode);
 }
+ $websiteRequest = isset($_SERVER["HTTP_X_API_USER_ID"]) && $_SERVER["HTTP_X_API_USER_ID"] === \Drupal::config('foia.secrets')->get('api_user_id');
+ if (!$websiteRequest) {
+ $statusCode = 400;
+ $message = t("To submit FOIA requests using FOIA.gov, you must use the request forms on the site.");
+ $this->logSubmission($statusCode, "api_submission: $message");
+ return new ModifiedResourceResponse(['errors' => $message], $statusCode);
+ }
 $webformId = $data['id'] ?? '';
 if (!$webformId) {
diff --git a/docroot/sites/default/services.yml b/docroot/sites/default/services.yml
index 5b91fead1..3b677868e 100644
--- a/docroot/sites/default/services.yml
+++ b/docroot/sites/default/services.yml
@@ -163,7 +163,7 @@ parameters:
 # Specify allowed headers, like 'x-allowed-header'.
 # X-Api-Key is needed for api.data.gov work-around
 # https://github.com/NREL/api-umbrella/issues/391
- allowedHeaders: ['Accept', 'Content-Type', 'X-Api-Key']
+ allowedHeaders: ['Accept', 'Content-Type', 'X-Api-Key', 'X-Api-User-Id']
 # Specify allowed request methods, specify ['*'] to allow all possible ones.
 allowedMethods: ['GET', 'POST']
 # Configure requests allowed from specific origins.
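Review bot: The header check added to `post()` in WebformSubmissionResource.php compares with `===`, which is not constant-time, and it passes when `foia.secrets:api_user_id` is stored as an empty string and the request carries an empty `X-Api-User-Id`. Read the expected value once, require it to be a non-empty string, and compare with `hash_equals()`: `$expected = \Drupal::config('foia.secrets')->get('api_user_id');` followed by `$websiteRequest = is_string($expected) && $expected !== '' && hash_equals($expected, $_SERVER['HTTP_X_API_USER_ID'] ?? '');`. The check also depends on the header being set or overwritten by something in front of Drupal that clients cannot bypass, which the diff does not show; if that holds, 403 describes the refusal better than 400. The body of `post()` begins and ends outside the hunk.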
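Review bot: Adding `X-Api-User-Id` to `allowedHeaders` in services.yml only has an effect when browser script sends that header on a cross-origin request, and in that case the value matched against `foia.secrets:api_user_id` in WebformSubmissionResource.php is readable by every visitor and cannot serve as a secret. If the header is instead added by the API gateway in front of the site (the diff does not show which), this entry is not needed and the list can stay as it was. Either way the line deserves a comment in the style of the X-Api-Key one above it, e.g. `# X-Api-User-Id: set by <component>; marks submissions that come from the site's own forms`.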