CORS is not meant to secure an API endpoint

A few days ago I came across this article. The author shows how to access a Drupal system in the backend with a Vue.js app. For authentication he uses an API key - and I find that dangerous. Here's why.

Tags: Drupal, Vue.js, API