I think you're confused. The only thing blocked would be client side fetch. You need to find another way to protect everything else.
reply
> The only thing blocked would be client side fetch.

Exactly what I need. My API is public; I just don’t want someone other than my own website to consume it. Is it that hard to understand?

reply
That’s… not what CORS does? CORS will only block browser-mediated “non-simple” requests; they don’t prevent other systems from accessing it as long as they don’t use a browser (or disable CORS in a headless browser).
reply
I'm pretty sure they understand that since they wrote that the resources will need to be proxied.

They just want to prevent hotlinking/leeching.

reply
SOP does not prevent hotlinking in the first place; a hotlink is a simple request (the most simple if anything), CORS isn’t going to be in the path at all.
reply
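An added example (not from any commenter in this thread) of the point made in the comments above that CORS only governs what a browser lets a page's script read: a hypothetical API on loopback sends its body to a non-browser client regardless of the `Access-Control-Allow-Origin` value. The origins, the `/items` path and the handler are constructed for illustration, and the browser check is a simplification for non-credentialed requests.

```python
import http.server
import threading
import urllib.request

ALLOWED_ORIGIN = "https://my-site.example"  # constructed: the API owner's own website

class ApiHandler(http.server.BaseHTTPRequestHandler):
    """Hypothetical public API whose only 'protection' is a CORS allow-list."""

    def do_GET(self):
        body = b'{"data": "public payload"}'
        self.send_response(200)
        # Tells browsers which origin's scripts may READ this response.
        self.send_header("Access-Control-Allow-Origin", ALLOWED_ORIGIN)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)  # the body is sent no matter who asked

    def log_message(self, *args):  # keep the demo quiet
        pass

def browser_lets_script_read(page_origin, acao):
    """Simplified browser-side check for a non-credentialed cross-origin fetch()."""
    return acao == "*" or acao == page_origin

def fetch_without_browser(origin_header=None):
    """Start the API on loopback and call it from a non-browser HTTP client."""
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        req = urllib.request.Request(f"http://127.0.0.1:{server.server_port}/items")
        if origin_header:
            req.add_header("Origin", origin_header)
        # Empty ProxyHandler so environment proxy settings do not affect loopback.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers["Access-Control-Allow-Origin"], resp.read()
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    other = "https://other-site.example"  # constructed third-party origin
    status, acao, body = fetch_without_browser(other)
    print("non-browser client got:", status, body)
    print("browser would let other-site script read it:", browser_lets_script_read(other, acao))
```

Restricting who may consume the API therefore has to be enforced by the server itself (authentication, per-client keys, rate limits), since the header is only advice to browsers.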
How's it going with AI scrapers for you?
reply
AI can’t scrape my API. There’s no index for them to crawl.
reply
Doesn't matter, they just DDoS whatever they find
reply
Brute force on common patterns -> DDoS.
reply