2
In Defender under Tools > Security Headers, I can make a bunch of security settings.
However, to fix a CORS issue with an Elementor form I run on a page that I map to a different domain (as a landing page) with the multi domain plugin, I changed the list of the allowed domains in the function get_allowed_http_origins() inside http.php. Now it works without a CORS error. However, I have to have an eye on possible changes during updates.
That’s why I would like to place this issue as a feature request for Defender. It would be great if it was possible to edit a list of allowed HTTP origins (e. g. for API calls) within Defender.
