limit CORS only to /api/*

web/config/initializers/cors.rb

@@ -2,7 +2,7 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
   allow do
     origins Rails.configuration.spa_origin
 
-    resource '*',
+    resource '/api/*',
       headers: :any,
       methods: [:get, :post, :delete, :options],
       credentials: true