···13131414### server-side (CAB backend)
15151616-> **note:** the CAB endpoint should only accept requests from your client's origin(s) to prevent
1717-> other websites from abusing it. serving the endpoint from the same origin as your web application
1818-> is the simplest way to enforce this.
1616+> [!WARNING]
1717+> the CAB endpoint should only accept requests from your client's origin. if you have CORS
1818+> middleware set up, you should exclude `/xrpc/dev.atcute.oauth.getClientAssertion` from it.
19192020#### with XRPC router
2121
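Review bot: the replacement warning narrows the guidance in a way that could mislead readers: excluding `/xrpc/dev.atcute.oauth.getClientAssertion` from CORS middleware only stops cross-origin browser pages from reading the response, it does not stop the request from reaching the handler, and it does nothing against non-browser callers, so the endpoint still needs its own origin or session check. The removed lines made that point ("serving the endpoint from the same origin as your web application is the simplest way to enforce this") and also allowed for multiple origins ("your client's origin(s)"); suggest keeping both in the new `[!WARNING]` block, e.g. "the CAB endpoint should only accept requests from your client's origin(s); serving it from the same origin as your web application is the simplest way to enforce this, and if you have CORS middleware set up, exclude the endpoint from it so other origins cannot read its responses."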