I have a frontend with an nginx reverse-proxy. Any get request made from it starting with the prefix "api" gets routed to the backend. However I've noticed that this also leads to direct calls to the backend being allowed.
For example, if I click on a button in the frontend (located at "frotend-url") that makes a get request to the backend URI "/api/hello", the proxy turns it into "backend-url/api/hello". However if I make a get request directly from Chrome, curl etc. to "frontend-url/api/hello", this works as well. Is there any way to not allow this?