jujudellago PRO said about 4 years ago on Cross-Origin Resource Sharing (CORS) :
As I was struggling to secure my rails app, I thought this tutorial come right on time, unfortunately I'm still having a crucial problem.

While I could follow the steps, and configure rack-cors to allow requests from specific domains, what I really need to do now is make sure only my app can call the pages such as that /users.json.  With rack-cors I can avoid other websites calling my site, but how can I avoid people calling the pages via curl  for example  ? 

I wrote ruby wrappers to call other apis so that I would not expose my credentials in the javascript calls, so now my credentials are hidden, but I build access points who are totally opened to the world, even easier to use than the original API's as they don't require authentication....

I thought adding "protect_from_forgery" in the controller should take care of this but it has no effect.

is there a way to secure get requests as such ? or do I need to rewrite my app to use posts instead ? I'm a bit lost because I learned this process following this other tutorial
https://www.driftingruby.com/episodes/deeper-dive-into-stimulusjs