We have a website in place, from where an API in API Gateway is called. How can I make sure that that API is called only from app.mydomain.com? Does enabling CORS, "Access-Control-Allow-Origin": app.mydomain.com, fully restrict the access to this API to that particular domain?
Are there any other security best practices for that use case?
If I rely on API keys, they somehow need to be part of the web site/app and are hence revealed, right?
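Added example (not part of the question or any answer on this page) modelling the difference the question is asking about: a CORS-only endpoint versus one with server-side authorization. The origin, secret and token scheme are constructed for the demonstration; `Access-Control-Allow-Origin` is the real header, the rest is a stand-in for an API Gateway backend.

```python
import hashlib
import hmac

ALLOWED_ORIGIN = "https://app.mydomain.com"  # constructed example origin
API_SECRET = b"constructed-demo-secret"      # constructed, not a real key


def cors_headers(origin):
    """CORS headers for a request's Origin. This mirrors what an API Gateway
    CORS setting does: it only tells a *browser* which origin may read the
    response; it does not decide whether the request is served."""
    if origin == ALLOWED_ORIGIN:
        return {"Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin"}
    return {}


def handle_cors_only(method, headers):
    """Endpoint 'protected' by CORS alone: the body is returned to everyone.
    A browser page from another origin cannot read it, but curl, a script or
    any non-browser client ignores CORS entirely."""
    origin = headers.get("Origin")
    if method == "OPTIONS":  # preflight
        return 204, cors_headers(origin), ""
    return 200, cors_headers(origin), '{"secret": "data"}'


def issue_token(subject):
    """Server-issued bearer token: subject + HMAC tag (constructed scheme).
    Handed out after a login, so nothing secret is embedded in the page."""
    tag = hmac.new(API_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{tag}"


def token_is_valid(token):
    try:
        subject, tag = token.rsplit(".", 1)
    except ValueError:
        return False
    expected = hmac.new(API_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def handle_with_auth(method, headers):
    """Same endpoint with real server-side authorization: CORS still handles
    the browser side, but the backend refuses callers without a valid token."""
    origin = headers.get("Origin")
    if method == "OPTIONS":
        return 204, cors_headers(origin), ""
    auth = headers.get("Authorization", "")
    if not (auth.startswith("Bearer ") and token_is_valid(auth[len("Bearer "):])):
        return 401, cors_headers(origin), ""
    return 200, cors_headers(origin), '{"secret": "data"}'
```

The first handler shows why a CORS allowlist is a browser-side read restriction, not access control; the second shows the check that actually has to live on the server.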