I have on my cors.rb
Rails.application.config.middleware.insert_before 0, Rack::Cors do allow do origins 'localhost:4000' # later change to the domain of the frontend app resource '*', headers: :any, methods: %i[get post put patch delete options head], expose: [:Authorization] endendBut when I am trying to make some API request with localhost:3000, it works when cors should be blocking it.
I am currently checking only in development.
I even tried to put a fake URL origin (other than localhost) but still localhost:3000 can make API request