A good web server will enforce Content Security Policy settings. If you are using something like Express as the web server, the endpoints will set that Content Security Policy. In the case of Single Page Applications hosted on Domino REST API, since release 1.15 by default a strict CSP is applied. But it is possible to change the CSP settings per application.
One of the things I learned when building HCL Volt MX LotusScript Toolkit was that calling a web agent with ?OpenAgent URL populates the NotesSession.DocumentContext with various fields containing useful information from the request. So when I was building agent processing functionality into the POC that became Domino REST API, I utilised the same approach to provide opportunities to pass contextual information across to an agent.
Release 1.1.3.1 of Domino REST API introduces a breaking change in CORS handling. This makes configuration less straightforward, but as the documentation states, it increases the flexibility and probably makes things a lot easier for larger environments. And though regex is not something Domino developers work with regularly, there are tools close to home that can help.
Domino REST API is (in my admittedly somewhat biased opinion) the best easy method for creating a secure REST API into Domino. If you have very strong Java skills, an OSGi plugin using JAX-RS is the standard supported way. If you have good Java skills, Jesse Gallagher's JakartaEE project is the community approach. But even if you have those skills, Domino REST API may provide what you need. It certainly provides what I need for this project.
Earlier this week I was working with Domino REST API for a personal project and encountered what appeared to be a bug. It was a very strange issue, but one that had a simple cause that was ultimately easy to verify. Shortly after joining HCL I wrote a blog post on troubleshooting support. If you didn't read that blog post at the time or need a refresher, it's probably one of the most important blog posts I've ever written and most of what I covered in that blog post was relevant to solving this problem. Coincidentally, what I wrote about understanding in my most recent blog post was also crucial.