Also, try adding this to the CORS Configuration within the S3 Bucket

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

After a few minutes, if you find this working, you can then start narrowing down the CORS rules if needed. 

That's strange. Check your application logs to see what's going on.

 ☒ Can you explain your requirements a bit more? I understand that you're wanting to prevent anything from calling your application except for your application specifically (whether front end or back end). For your particular example with the /users.json, is there any checks in place on that action to only return authorized users, rate limiting, pagination, etc? Is your front end completely separated from the back end?

Unauthorized users should return 401. You should pass a cookie with the session or a JWT to validate a user's access to the resource.

JSONB is more powerful than Hstore in many ways, but if you're looking for simply key-value pairs, hstore still works great. 

Hstore - Released in 8.3
JSON - Released in 9.2
JSONB - Released in 9.4

Hstore and JSONB both support indexing which can make querying the data faster.

 ☒ This feature is complete. You can access it from your user settings https://www.driftingruby.com/users/edit

☒