Apply CORS – the server specifies which domains are allowed to request your API.
How does it work?
- The client sends a special “preflight” request (OPTIONS method) to the server, asking whether the domain the request comes from is among the allowed domains. It also asks whether the request method is OKAY (you can allow GET but deny POST, …).
- The server determines whether to allow or deny the request. It responds with an “OK” response and sets special headers that tell which domains/request methods are allowed.
- If the client is allowed to query your API, it performs the intended request; otherwise it bails out…
Clients that respect CORS (browsers do) will be able to connect, or will not be if denied. A client that ignores CORS (REST clients, CLI tools, …) will be able to connect no matter what…
Still, require signed requests (authorisation).