I have a Next.js application for the frontend and a Django REST framework API on the backend. I am using JWT authentication for my backend using Django Simple JWT. Most of my API views are protected and require an Authorization Bearer header.
When my user logs in and is authenticated, my Django backend responds with an access and refresh token in HTTP-only cookies.
As I build this app I have a question. If I am making some requests to my backend protected routes with getServerSideProps or getStaticProps, which don't run on the client, then is it actually necessary to protect some of my backend routes? If getServerSideProps or getStaticProps don't run on the client, then I don't run the risk of anyone making requests to my backend, considering I have CORS_ALLOWED_ORIGINS in my Django settings to only allow requests from my frontend.
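
Added example, not part of the original post and not Django or django-cors-headers code: a stdlib-only model of the backend that shows what a CORS allow-list does and does not decide, compared with a Bearer check on the view. Browsers enforce CORS by reading response headers, so the model's CORS layer only annotates responses. The origins, the token value and the function names are constructed, and the token set stands in for Simple JWT's signature verification.

```python
# Added illustration: a stdlib-only model, not Django or django-cors-headers code.
import json

CORS_ALLOWED_ORIGINS = {"https://frontend.example"}  # constructed value
VALID_TOKENS = {"constructed-access-token"}          # stand-in for Simple JWT verification


def api_view(environ, require_bearer):
    """Return (status, headers, body) for a request to a data endpoint."""
    if require_bearer:
        auth = environ.get("HTTP_AUTHORIZATION", "")
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer" or token not in VALID_TOKENS:
            return "401 Unauthorized", [], b'{"detail": "credentials required"}'
    return "200 OK", [], json.dumps({"orders": [1, 2, 3]}).encode()


def cors_middleware(environ, require_bearer):
    """Model of a CORS layer: it annotates the response, it never rejects."""
    status, headers, body = api_view(environ, require_bearer)
    origin = environ.get("HTTP_ORIGIN")
    if origin in CORS_ALLOWED_ORIGINS:
        headers.append(("Access-Control-Allow-Origin", origin))
    return status, headers, body


# Constructed requests: a browser on the allowed origin, a browser on another
# origin, and a non-browser client (script, curl, another server) with no Origin.
REQUESTS = {
    "allowed-origin browser": {"HTTP_ORIGIN": "https://frontend.example"},
    "other-origin browser": {"HTTP_ORIGIN": "https://other.example"},
    "non-browser client": {},
}


def run(require_bearer, token=None):
    """Map each constructed client to (status code, has CORS allow header)."""
    results = {}
    for name, env in REQUESTS.items():
        env = dict(env)
        if token:
            env["HTTP_AUTHORIZATION"] = "Bearer " + token
        status, headers, _ = cors_middleware(env, require_bearer)
        results[name] = (int(status.split()[0]), bool(headers))
    return results


if __name__ == "__main__":
    print(run(False), run(True), run(True, "constructed-access-token"), sep="\n")
```

In the model, the allow-list only changes which responses carry the Access-Control-Allow-Origin header, while the Bearer check is what changes the status code for every client.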