Reputation: 11
How do I prevent public endpoints from being used outside the context of my web app?
I have a web application developed in ReactJS, and it consumes a public API developed in C# with .NET Core 2.0. Some endpoints are public, meaning that these endpoints use no authentication or authorization method. So how can I protect those public endpoints in order to prevent them from being used outside the context of my web app, e.g., to stop someone consuming the endpoints with Postman, and to prevent being attacked by a bot?
CORS is enabled with: origins -> "", headers -> "" and methods -> "*". The app can be used from any part of the world.
A partner told me a crazy idea: when the public endpoint is consumed, no matter how or by what, the endpoint redirects to a web page with a captcha and waits until the captcha is completed successfully, and then it continues with the transaction.
Upvotes: 1
Views: 1941
Reputation: 65264
If a public API does not use any authentication and authorization, you are unable to control its usage (apart from firewall-like features like IP ranges).
A captcha redirect will not really help you: you lose the possibility of seamlessly using the API in your application, and with a simple click on "developer tools" in a browser, everybody is able to call it in a byte-for-byte identical way to how your app calls it.
Most likely the easiest solution is to create some sort of auth&auth: chasing a solution for the unsolvable problem of securing something that is by definition not secured will cost you much more time, headaches and security holes than just doing it right.
Upvotes: 4
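An added example (not from the question or the answer) of what the answer's "just doing it right" can look like on the asker's stack: an ASP.NET Core 2.0 Startup that replaces the wildcard CORS policy with named origins and puts the formerly public action behind JWT bearer authentication. The hostname, issuer, audience and signing key are assumed placeholders.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCors(options =>
        {
            // The question's wide-open policy. CORS is enforced only by browsers;
            // Postman, curl and bots never see it, so it is not access control.
            // options.AddPolicy("Open", p => p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod());
            // Narrowed to the origin that serves the React app (assumed hostname).
            options.AddPolicy("ReactApp", p => p
                .WithOrigins("https://app.example.com")
                .WithHeaders("Authorization", "Content-Type")
                .WithMethods("GET", "POST"));
        });
        // The answer's recommendation: real auth. Bearer tokens come from the
        // app's login flow; issuer, audience and key below are assumed values.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true, ValidIssuer = "https://auth.example.com",
                ValidateAudience = true, ValidAudience = "public-api", ValidateLifetime = true,
                IssuerSigningKey = new SymmetricSecurityKey(
                    Encoding.UTF8.GetBytes("PLACEHOLDER-load-a-32+-byte-secret-from-config"))
            });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("ReactApp");
        app.UseAuthentication(); // must run before UseMvc so [Authorize] sees the user
        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class ItemsController : Controller
{
    // Was anonymous; now rejects requests without a valid token, whoever sends them.
    [HttpGet, Authorize]
    public IActionResult Get() => Ok(new[] { "item1", "item2" });
}
```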