I am facing the same issue. Setting CORS in middlewares.js does not block direct API calls. My configuration is:
{
  name: 'strapi::cors',
  config: {
    enabled: true,
    origin: ['http://localhostsdfsg:1337'],
    methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
    headers: ['Content-Type', 'Authorization', 'Origin', 'Accept'],
  }
},
This does block the admin console and spits the error “http://localhost:1337 is not a valid origin”. However, direct API calls still work from any origin.
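
Added example, not part of the original post and not Strapi's own middleware code: a simplified, generic model of CORS showing why an origin allowlist does not stop a client that sends no `Origin` header, next to a server-side credential check that does. The origins, the token and all function names are assumptions made for illustration.

```javascript
// Constructed values for illustration; not taken from the post.
const ALLOWED_ORIGINS = ['https://app.example.test'];
const API_TOKEN = 'constructed-demo-token';

// The route handler: returns data to whoever reaches it.
const handler = () => ({ status: 200, headers: {}, body: '{"items":[1,2,3]}' });

// Model of a CORS middleware: the handler always runs; the middleware only
// decides whether to attach Access-Control-Allow-Origin to the response.
function withCors(req) {
  const res = handler(req);
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.includes(origin)) {
    res.headers['access-control-allow-origin'] = origin;
  }
  return res;
}

// Model of the browser side: script on pageOrigin may read the response only
// if the server echoed that origin. Non-browser clients skip this step.
function browserCanRead(res, pageOrigin) {
  return res.headers['access-control-allow-origin'] === pageOrigin;
}

// Server-side control: refuse before the handler runs unless the request
// carries the expected credential (plain comparison, for illustration only).
function withAuthAndCors(req) {
  if (req.headers.authorization !== `Bearer ${API_TOKEN}`) {
    return { status: 401, headers: {}, body: 'unauthorized' };
  }
  return withCors(req);
}

// Three constructed requests: allowed page, other page, client with no Origin.
const fromAllowedPage = { headers: { origin: 'https://app.example.test' } };
const fromOtherPage = { headers: { origin: 'https://other.example.test' } };
const direct = { headers: {} };

function demo() {
  return {
    allowedPageReads: browserCanRead(withCors(fromAllowedPage), 'https://app.example.test'),
    otherPageReads: browserCanRead(withCors(fromOtherPage), 'https://other.example.test'),
    directStatusCorsOnly: withCors(direct).status,
    directStatusWithAuth: withAuthAndCors(direct).status,
  };
}
console.log(demo());
```

In this model the allowlist only changes what a browser lets page script read; restricting who can call the API at all is done by the credential check in front of the handler.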