I'm building a node/express backend. I want to create an API that only works with my reactjs frontend (private API).
Imagine if this is an e-commerce website, my users will browse products and will then choose what to buy and at the time of order they might or might not login.
What is the best practice to make sure my APIs will only work with my reactjs frontend?
What happens when users decide to login or if they remain as guests?
Apply CORS - the server specifies the domains allowed to request your API.
How does it work?
Clients that do respect CORS (browsers do) will be (or will not be, if denied) able to connect. If the client ignores CORS (REST clients, CLI tools, ...), it will be able to connect no matter what...
Still, require signed requests (authorisation)