I have this in my cors.rb:
    Rails.application.config.middleware.insert_before 0, Rack::Cors do
      allow do
        origins 'localhost:4000' # later change to the domain of the frontend app
        resource '*',
                 headers: :any,
                 methods: %i[get post put patch delete options head],
                 expose: [:Authorization]
      end
    end
But when I try to make an API request with localhost:3000, it works when CORS should be blocking it.
I am currently checking only in development.
I even tried putting in a fake origin URL (other than localhost), but localhost:3000 can still make API requests.
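
An added example, not part of the original post and not rack-cors code: CORS is enforced by the browser on cross-origin responses, while the server-side middleware only decides whether to attach `Access-Control-Allow-Origin`, so the request itself is still served. The sketch below models both sides for a simple GET; `ToyCors`, `probe`, the `/api/items` path and the assumption that the API is served on `http://localhost:3000` are hypothetical.

```ruby
# Simplified stand-in for the header logic of a CORS middleware (NOT rack-cors itself).
# Assumption: a scheme-less entry such as 'localhost:4000' is matched as both
# the http:// and https:// origin.
class ToyCors
  def initialize(app, allowed)
    @app = app
    @allowed = allowed.flat_map { |o| o.include?('://') ? [o] : ["http://#{o}", "https://#{o}"] }
  end

  def call(env)
    status, headers, body = @app.call(env) # the request always reaches the app
    origin = env['HTTP_ORIGIN']
    if origin && @allowed.include?(origin)
      headers = headers.merge('access-control-allow-origin' => origin, 'vary' => 'Origin')
    end
    [status, headers, body]
  end
end

# Constructed API endpoint standing in for the Rails app.
API = ToyCors.new(->(_env) { [200, { 'content-type' => 'application/json' }, ['{"ok":true}']] },
                  ['localhost:4000'])

# What each side sees for a simple GET. page_origin is nil for non-browser
# clients (curl, Postman); api_origin is where the API itself is served.
def probe(page_origin, api_origin: 'http://localhost:3000')
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/api/items' }
  cross_origin = page_origin && page_origin != api_origin
  env['HTTP_ORIGIN'] = page_origin if cross_origin # browsers add Origin to cross-origin requests
  status, headers, = API.call(env)
  acao = headers['access-control-allow-origin']
  # The browser, not the server, withholds the response from page scripts.
  readable = !cross_origin || acao == page_origin || acao == '*'
  { server_status: status, acao: acao, script_can_read: readable }
end

if __FILE__ == $PROGRAM_NAME
  { 'non-browser client'     => nil,
    'page on localhost:3000' => 'http://localhost:3000',
    'page on localhost:4000' => 'http://localhost:4000',
    'page on localhost:5000' => 'http://localhost:5000' }.each do |who, origin|
    puts format('%-24s %p', who, probe(origin))
  end
end
```

To check a real setup the same way, compare the `Access-Control-Allow-Origin` response header for requests sent with different `Origin` values; access control that must hold for non-browser clients belongs in authentication, not CORS.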