How Can I Restrict API Endpoint Access to a Specific Domain?

The Same Origin Policy (SOP) helps ensure that your API isn't accessible to other origins in the browser, and CORS allows you to specify which ones you want to permit. However, since it’s the client sending those requests, any user-controlled client can send whatever data they want. Implementing authentication and rate limiting is the best way to address these concerns.

You might want to explore adding a validation process similar to Cloudflare Turnstile on your server. This can provide a passwordless authentication method with a token that can be validated server-side, helping to control access.

You definitely need a backend to handle this securely. From there, you can implement various strategies like CORS, CSRF protection, and using time-based signed tokens to manage access to your endpoints. Although it's not foolproof, combining these methods can significantly reduce the risk of abuse.

CORS can help a bit, but it’s not a complete solution since any endpoint accessible by your client can be hit by other HTTP clients as well. While you can filter certain headers and use CORS to allow specific domains, all these measures can be spoofed. If you're worried about endpoint visibility, you might want to rethink what you're trying to protect.