.. but any desktop can mimick
this same request headers and access the API and I tested with postman
and the API was accessed.
This is true, some http client (e.g. curl) are able to alter the Origin headers when making a request to the server. Thus, CORS should not be your only security measure to protect your App 2.
So I added Authorization header so that all the API functions are
required to authorize the JWT bearer token to be accessed.
Yes, this is a good decision, but you don’t have to protect all api endpoints. You can leave some api open to public, e.g. login or signup.
The problem is how to prevent desktop apps or other non-browser apps
in general from accessing it.because of the …
In general, your App 1 (I’m assuming it’s a JavaScript based web client) should not contains any token on load, instead, it should make a call to App 2’s login API and get a jwt token back.
App 1 can cache the token, and use it when calling protected APIs on App 2.
5
solved How to prevent desktop apps from mimicking browser requests?