know that, it just sees two different origins (servers) and has to treat them as totally separate. through your code can help but sometimes even that doesn't reveal the source of the rogue headers. Chances are your home internet connection includes a This can be difficult if your server supports This is just as bad as using *. `The request has custom headers, so a preflight will be required:` `A preflight may not be required for this request but we'll attempt it anyway`. with Postman) you'll have no problems getting that restricted data. Historically a CSRF attack could be performed in various ways but the most interesting is probably an HTML