by mort96 936 days ago
Cookies are sent with every request, including to every image or script file or style sheet, etc. When sent as a separate header, you only set it on API requests.
1 comment

You could use the Path prefix to only send to API endpoints where the request has to be authenticated?

Or many usually have separate domain/subdomain names for API and static content in the first place.

I think having a separate prefix/subdomain would be generally good practice for defining scope which should be authed as well.
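
As an added illustration (not part of either comment above), this sketch applies the RFC 6265 domain-match and path-match rules to a constructed set of requests, showing which ones carry a cookie that is site-wide, scoped with `Path=/api`, or set host-only on a separate API subdomain. The host names, cookie objects and function names are assumptions made up for the example.

```javascript
// RFC 6265 section 5.1.4: a prefix match counts only on a "/" boundary,
// so a cookie with Path=/api is not sent to /apiary.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.1.3, for host names only (IP addresses are not handled).
// A cookie set without a Domain attribute is host-only: exact host match.
function domainMatch(host, cookie) {
  if (host === cookie.domain) return true;
  if (cookie.hostOnly) return false;
  return host.endsWith("." + cookie.domain);
}

function cookieSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatch(u.hostname, cookie) && pathMatch(u.pathname, cookie.path);
}

function requestsCarrying(cookie, urls) {
  return urls.filter((u) => cookieSent(cookie, u));
}

// Constructed sample traffic for one page load.
const requests = [
  "https://example.test/index.html",
  "https://example.test/static/app.js",
  "https://example.test/static/logo.png",
  "https://example.test/api/orders",
  "https://example.test/apiary/docs",
  "https://static.example.test/style.css",
  "https://api.example.test/v1/orders",
];

// Constructed cookies: Domain=example.test; Path=/ versus the two scoped variants.
const siteWide = { domain: "example.test", hostOnly: false, path: "/", secure: true };
const apiPath = { domain: "example.test", hostOnly: true, path: "/api", secure: true };
const apiHost = { domain: "api.example.test", hostOnly: true, path: "/", secure: true };

for (const [label, c] of Object.entries({ siteWide, apiPath, apiHost })) {
  console.log(label, requestsCarrying(c, requests));
}
```
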