I know this question was asked before, but I didn't find a feasible solution for my problem. I implemented CORS inside my Django application in order to restrict the domain access and also used CSRF tokens for secure data transfer against unsecured HTTP methods, but I can still make requests to an API via Postman or other HTTP services. How can I avoid that?
NOTE: my app doesn't make use of users with an OAuth system or the like; it makes a POST request to the database in order to get a token (app-specific term) regardless of the person who is making the request, but I want only my website to make such a request and NO MORE. How do I do that?
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
You can think of CORS as a standard that works in the background of your front-end requests and is enforced only by web browsers. So if you make the request with an HTTP client that is not a browser, curl for instance, you won't go through the CORS validation at all.
So, bottom line: if you want to prevent non-browser HTTP clients from making requests to your APIs, you need to think of a solution on your own.
For instance:
Create a middleware that checks whether incoming requests originate from a list of trusted origins you keep in your app settings.
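One way to implement the middleware suggested above, written as an added example rather than code from the question or the answer. It assumes a hypothetical setting named `TRUSTED_ORIGINS` holding full origins such as `"https://example.com"`; the origin comparison itself is plain Python so it can be exercised without a Django project, and Django is only imported when the middleware is wired into `MIDDLEWARE`.

```python
"""Origin-checking middleware for Django (added example, not from the original post).

Assumes a hypothetical setting TRUSTED_ORIGINS = ["https://example.com", ...].
Unsafe-method requests (POST, PUT, PATCH, DELETE) whose Origin header, or
failing that Referer header, is not in the list are rejected with 403.
"""
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def normalise_origin(url):
    """Return (scheme, host, port) for a URL or origin string, or None if unusable.

    Browsers send the literal string "null" as Origin for opaque origins;
    that, like anything without an http(s) scheme or a host, yields None.
    """
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on "host:abc"
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return (parts.scheme, host.lower(), port or (443 if parts.scheme == "https" else 80))


def is_trusted_origin(origin_header, referer_header, trusted_origins):
    """True if the request's Origin (or, failing that, Referer) is on the allow-list.

    Origins are compared as full (scheme, host, port) tuples, not by substring,
    so "https://example.com.evil.net" and "http://example.com" do not match
    "https://example.com". A request carrying neither header is rejected.
    """
    trusted = {normalise_origin(o) for o in trusted_origins} - {None}
    candidate = origin_header or referer_header
    if not candidate:
        return False
    return normalise_origin(candidate) in trusted


class TrustedOriginMiddleware:
    """Django-style middleware: add "path.to.TrustedOriginMiddleware" to MIDDLEWARE."""

    def __init__(self, get_response, trusted_origins=None, forbidden=None):
        self.get_response = get_response
        if trusted_origins is None:
            from django.conf import settings  # deferred so the check runs without Django
            trusted_origins = settings.TRUSTED_ORIGINS  # hypothetical setting name
        self.trusted_origins = tuple(trusted_origins)
        self.forbidden = forbidden or self._django_forbidden

    @staticmethod
    def _django_forbidden():
        from django.http import HttpResponseForbidden
        return HttpResponseForbidden("Origin not allowed")

    def __call__(self, request):
        if request.method not in SAFE_METHODS:
            origin = request.META.get("HTTP_ORIGIN")
            referer = request.META.get("HTTP_REFERER")
            if not is_trusted_origin(origin, referer, self.trusted_origins):
                return self.forbidden()
        return self.get_response(request)
```

One caveat before relying on this: a browser sets Origin and Referer itself and page scripts cannot forge them, so the check does stop other websites and careless scripts from using the endpoint. A non-browser client such as Postman or curl can send whatever headers it likes, so it will pass this middleware by copying the Origin your site sends. For an endpoint that has no per-user authentication, the server has no way to tell "my website" from a client that has loaded your website and replayed what it saw; the middleware reduces accidental abuse, it does not make the endpoint private.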