Securing a modern Drupal site interacting with a remote front-end framework

Lock security down a bit with CORS:

parameters:
  # [...all other parameters cut from this example; you should start by copying default.services.yml...]
  # Configure Cross-Site HTTP requests (CORS).
  # Read https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  # for more information about the topic in general.
  # Note: By default the configuration is disabled.
  cors.config:
    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['content-type']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['POST']
    # Configure requests allowed from specific origins.
    allowedOrigins: ['https://example.net']
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: false
    # Sets the Access-Control-Max-Age header.
    maxAge: false
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: false

This doesn’t say anywhere that it’s limited to JSON:API, but that’s not the point of CORS: it tells your browser not to communicate with remote
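
Added example (not from the original post, and not Drupal's or any browser's actual code): a reduced JavaScript model of the preflight check a browser applies to the `cors.config` values above. The server-side function, the request objects and the origin `https://other.example` are assumptions constructed for illustration; wildcards and credentials are not modelled.

```javascript
// Added example: a reduced model, not Drupal's or any browser's real code.
// Values copied from the cors.config block on this page.
const corsConfig = {
  allowedHeaders: ['content-type'],
  allowedMethods: ['POST'],
  allowedOrigins: ['https://example.net'],
};

// Assumption: the server sends CORS headers only to a listed origin.
function preflightResponse(config, origin) {
  if (!config.allowedOrigins.includes(origin)) return {};
  return {
    'access-control-allow-origin': origin,
    'access-control-allow-methods': config.allowedMethods.join(', '),
    'access-control-allow-headers': config.allowedHeaders.join(', '),
  };
}

// Methods a browser accepts without an Access-Control-Allow-Methods entry.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const splitList = (value) =>
  (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Browser-side check of a preflight response: origin, then method, then headers.
// request.headers holds the non-safelisted header names the script wants to send.
function browserDecision(request, response) {
  if (response['access-control-allow-origin'] !== request.origin) {
    return 'blocked: origin';
  }
  const method = request.method.toUpperCase();
  const methods = splitList(response['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method.toLowerCase())) {
    return 'blocked: method';
  }
  const allowed = splitList(response['access-control-allow-headers']);
  const extra = request.headers.map((h) => h.toLowerCase()).filter((h) => !allowed.includes(h));
  return extra.length ? `blocked: header ${extra[0]}` : 'allowed';
}

function check(request) {
  return browserDecision(request, preflightResponse(corsConfig, request.origin));
}

// Constructed sample requests from a front-end script.
const site = 'https://example.net';
console.log(check({ origin: site, method: 'POST', headers: ['Content-Type'] }));
console.log(check({ origin: site, method: 'PATCH', headers: ['Content-Type'] }));
console.log(check({ origin: site, method: 'POST', headers: ['Content-Type', 'Authorization'] }));
console.log(check({ origin: 'https://other.example', method: 'POST', headers: ['Content-Type'] }));
```

The `Authorization` case shows that a front end sending a token would need that header name added to `allowedHeaders` before the browser lets the request through.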