by durbatuluk 2402 days ago
I think everyone needs to remember CORS is a browser-only protection and anything you expose via a CORS-protected endpoint in reality has no protection at all. Try cURL reaching any endpoint protected by CORS and you'll see what I mean.

Also, browsers automatically sending cookies enables many of these CSRF attacks; consider JWT.

Amazing how PHP is still biting developers.

2 comments

If you've taken the time to understand things well, you'll do just fine, even with PHP. Otherwise, the quirks of any language/library/tool may catch you out (it's not just a PHP thing).
cURL being able to access a CORS protected endpoint isn't an issue because cURL doesn't have your cookies.