1. CORS only affects Browsers
A massive misconception is that CORS protects your API from hackers. It does not. CORS is enforced by the USER'S BROWSER, not the server. A hacker can use Postman, curl, or a Python script to hit your API, and the request goes through untouched because those tools don't enforce CORS rules.
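The following added example (not from the original page) shows the point from the server's side: a small WSGI API sends a restrictive `Access-Control-Allow-Origin` header yet still returns its data to any caller, and only a server-side check actually refuses the request. The origins, the token, the response body and the simplified `browser_lets_script_read` check are constructed assumptions for illustration.

```python
# Added example: CORS headers vs. a server-side auth check (constructed names and values).
from wsgiref.util import setup_testing_defaults

ALLOWED_ORIGIN = "https://app.example"   # constructed: the only origin the API "allows"
API_TOKEN = "constructed-demo-token"     # constructed: stands in for real authentication

def make_app(require_token):
    """WSGI API that always sends a CORS header; optionally enforces a bearer token."""
    def app(environ, start_response):
        headers = [("Content-Type", "application/json"),
                   ("Access-Control-Allow-Origin", ALLOWED_ORIGIN)]
        if require_token and environ.get("HTTP_AUTHORIZATION") != f"Bearer {API_TOKEN}":
            start_response("401 Unauthorized", headers)
            return [b'{"error": "unauthorized"}']
        start_response("200 OK", headers)
        return [b'{"secret": "account data"}']
    return app

def call(app, origin=None, token=None):
    """Invoke the app the way any HTTP client could: arbitrary headers, no CORS logic."""
    environ = {}
    setup_testing_defaults(environ)
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if token:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def browser_lets_script_read(page_origin, response_headers):
    """Simplified browser-side check for a simple cross-origin request."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed == "*" or allowed == page_origin

if __name__ == "__main__":
    cors_only = make_app(require_token=False)
    status, headers, body = call(cors_only, origin="https://other.example")
    print("non-browser client:", status, body)   # server answered in full
    print("browser would expose it to script:",
          browser_lets_script_read("https://other.example", headers))
    hardened = make_app(require_token=True)
    print("with server-side auth:", call(hardened, origin="https://other.example")[0])
```

The CORS header only tells a browser whether page script may read the response; access control has to live in the handler itself.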
