You should note that Access-Control-Allow-Origin header only prevents browsers from making requests to the API.
The browser still always makes the GET/POST/XXX request.
If CORS fails the browser blocks the received response.
From the API standpoint CORS is never evaluated and these requests show in logs as successful regardless of CORS failures.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Hi!
A few notes...
OPTIONS can be made for GET requests if they are not “simple”.
See: developer.mozilla.org/en-US/docs/W...
The browser still always makes the GET/POST/XXX request.
If CORS fails the browser blocks the received response.
From the API standpoint CORS is never evaluated and these requests show in logs as successful regardless of CORS failures.