I have a very big and completely unusual problem in django cors headers. I searched a lot but did not get any results. I have a full stack Django and React project. I determined the back-end of the allowed origins.
When a React project without a proxy (the proxy feature in the package.json file) makes a request to the backend, if that domain is not allowed, SOP stops it, but when it is used with a proxy, it makes a request to the backend even if that domain is not allowed. It can read and display data. It means that another React project on another domain can request and read data with a proxy. It seems to bypass the SOP.
On the backend side, I use the django-cors-headers==3.8.0
package and I read all its documentation, I made all the settings correctly, but I don't know why this bug appeared, please help me.