JavaScript domains restriction


We utilize the Companies House API to automatically complete company information in our application.

In the API settings for our app, we have limited the “JavaScript domains” to only some domains. Despite this, we’ve noticed that we can successfully use this API key with an HTTP client and still receive a valid response.

curl -u :

This leads us to question the functionality of the JavaScript domains restriction. Does it depend on an HTTP header for enforcement?