There is a js script that connects to different sites and makes requests to my API.
What domains will be known to me, and you need to allow only requests from them on the backend.
I found a solution - check the Origin request header. The question is how reliable is this solution?
