Hey,
sorry - yeah, as expected there's no reliable way to do this. The Origin
header for CSR is secure and reliable as long as the request originates in a browser.
On the CLI via curl, for example, you can for sure manipulate every header.
So, for my case the solution is a combination:
- enforce Origin header
- validate Origin header
- use public API token which is bound to a specific domain
- use Akismet as anti-spam tool for incoming data
For sure there's still a way for every "Hacker" to post valid data to the API via CLI. But the application isn't any financial stuff - only comments, mentions and so on. So I will live with it for the moment and see how it works on production.
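The first three points of that list (require an Origin, validate it, and bind the public token to one origin) as an added example, not code from the poster. The token registry, the `X-Api-Token` header name and the origins are constructed for the example; the check does an exact origin match, so `null`, scheme changes and look-alike hosts such as `blog.example.com.evil.com` are all rejected rather than matched by prefix or suffix.

```python
from urllib.parse import urlsplit

# Constructed sample registry: public API token -> the one origin it is bound to.
# Both values are made up for this example.
TOKEN_ORIGINS = {
    "pk_example_comments_123": "https://blog.example.com",
}


def normalize_origin(value):
    """Return 'scheme://host[:port]' in lowercase, or None if value is not a usable Origin."""
    if not value or value == "null":
        return None  # absent header or the opaque 'null' origin: nothing to validate
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None  # a real Origin carries no path/query; treat anything else as malformed
    try:
        port = f":{parts.port}" if parts.port else ""
    except ValueError:
        return None  # non-numeric or out-of-range port
    return f"{parts.scheme}://{parts.hostname}{port}"


def check_request(headers, token_origins=TOKEN_ORIGINS):
    """Return (ok, reason) for a request's headers dict.

    Enforces a present, well-formed Origin and a known token whose bound origin
    equals that Origin exactly.
    """
    origin = normalize_origin(headers.get("Origin"))
    if origin is None:
        return False, "missing or malformed Origin"
    token = headers.get("X-Api-Token")
    bound = token_origins.get(token)
    if bound is None:
        return False, "unknown token"
    if normalize_origin(bound) != origin:
        return False, "token not bound to this origin"
    return True, "ok"
```

As the post says, this only raises the bar for browser-originated traffic; a scripted client can still send any Origin it likes, which is why the spam filter remains the last line.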