Thank you so much for the explanation, Ozan. I will try with it. 
Would really help others reading this thread if you can accept the answer(s) you think are helpful.
Hi @Venkatesh, CORS is an opt-in model โ it works because web browsers choose to adhere to its rules. All the major web browsers will send the Origin header with the request. This Origin is the web page URLโs fully-qualified domain name, including protocol. Client-side requests running in a web browser cannot set the Origin manually (the web browser blocks it), so you donโt have to worry about client-side requests spoofing your origin. Since it is an opt-in model, non-browser requests can choose to set the Origin to anything, or not set it at all.