I can see that

Referer

header has proper address

<http://frontend.domain.com|frontend.domain.com>

- is it safe to use it to block using my backend on some origins?

I need something not spoofable, taht will give me real hostname of frontend using my backend in iframe

You can usually configure it (nginx / Apache httpd) to send you the original hostname used in a custom header. This header is only used by your reverse proxy and it will override / ignore it, when someone outside tries to set the header

Fingers crossed. Let us know how it goes

So i took a look into this. It doesn't help because new headers do not appear. But as I read, CORS can be spoofed easily too, it is client side protection. On backend i have one endpoint which returns HTML, it is intended to be displayed in iframe. But I want to block some users from putting in iframe on their public sites, it doesnt need to be protected from gathering this data at all. In such case Referer would be good enough? If i read well, Referer can be spoofed in postman, curl, custom browser etc. but majority users wont use such tools just to display iframe on someones site

So putting it in simple words and confirming: Can Referer header be set just in JS frontend app?

So you can send headers that define who is allowed to to use it in (i)frames

https://www.w3.org/Security/wiki/Same_Origin_Policy#:~:text=For%20example%2C%20the%20same%2Dorigin,sending%20requests%20to%20other%20origins.

Rule of thumb: Never trust user data. This includes the http headers

In this case, you send header and because “legit” browsers respect them, an attacker would have to get a hacked browser to the victim’s computer before he can work around the headers. This is very unlikely and can’t be counteracted. There is only so much we can do 😉