One other way to fix CORS issue and prevent your API endpoints to be exposed is to configure Apache2 web server to proxy certain requests, thus making it serve the requests to different domain through the apache installation of the current domain. The other application I can think about would be to hide the web service endpoint.
In order to make apache act as a “proxy” you need to make sure that proxy_http extension is there. In any case, please execute the commands below to install apache proxy module, assuming you are running your apache2 installation on Ubuntu Server Edition.
sudo a2enmod proxy sudo service apache2 restart a2enmod proxy_http sudo a2enmod proxy_http sudo service apache2 restart
After enabling the required proxy_http module, you need to add the following line to the .htaccess file:
RewriteRule /path/to/request/to/be/routed/(.*) http://remote/server/mapped/url/$1 [P]