I would like to know how I can protect my API endpoints. I am using express to make an endpoint, for example website.com/add-project. When a POST request goes to that endpoint the server grabs it and processes it, the thing is I want it to only accept request from the client.js only, the one that processes the form. Otherwise, I can use that endpoint outside of the webpage and send a POST request even if I don’t have access (The POST request comes from an admin-only webpage).
I am already using express-session to store if the user has logged in as admin or not. Maybe I can use that to help this situation. I was thinking of using header authorization but the password would be in the client.js so it wouldn’t be secure. I don’t know much yet so I don’t know if there is something similar to .env but for the client.