jujudellago PRO said about 4 years ago on Cross-Origin Resource Sharing (CORS) :
well I didn't plan anything like passing a cookie or JWT for this case, I assumed there would be an easy way to prevent external access..

the json calls are in the same app, I use them to populate some datatables, working as server side. 

after some research I ended up replacing the GET by POST, added the csrf_token to the requests, and got the system secured