Understanding allowedGraphqlOrigins config

[jesuismaxime]

Hey there, I'm trying to upgrade our Craft CMS starter with a more bullet proof Vue/Apollo/GraphQL setup and I want to block any query from outside.

I already build my controller to fetch a CSRF token and then deliver a GQL Token, but if I set allowedGraphqlOrigins to match my baseUrl, I can't still query datas from Postman (which return a 'null' origin.

Am I missing something about this config setting?

[brandonkelly]

That config setting is only used to set the Access-Control-Allow-Origin header on preflight OPTIONS Ajax request responses (part of CORS). It won’t actually block requests that don’t match the origin value(s).