Does CORS completely eliminate CSRF attack for a MERN stack app that uses session-based auth?
My current setup: I have backend & frontend hosted on completely different domains. From backend I’m sending back an httpOnly cookie that contains session id. Frontend checks login status by hitting /user/status.