I have a website that performs an API request to my backend. I currently verify it comes from my website by checking the origin (bad idea I know). The issue is my website is getting reverse engineered and they spoof the origin.
I need to make sure that they come from my main website and have passed the Cloudflare Challenge. I believe the best way is to verify the cf_clearance cookie, ideally before the request reaches my server as each request takes up time and money. However, if it can be done in ExpressJS or any NodeJS library, I would try this also.