How to limit the referer for clientid/client secret

In serverless mode, meaning the front end requests Squidex directly to get contents:
How do we secure the client access? The client ID and secret are embedded in the front-end application; how do we protect them?
Can we specify a referer to limit the problem?

How would a referrer solve your problem? It is only an HTTP header; everybody can fake it.

I would use fine-grained permissions to create a client with the minimum needed privileges.
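
The point made in the reply above, as an added example that is not part of the original thread: a Referer allow-list is decided by a value the caller sends, while permissions bound to the client ID are enforced by the server. The client names, permission strings and origin are hypothetical and do not reflect Squidex's actual permission format.

```javascript
// Added illustration. Client ids, permission strings and the origin are
// hypothetical; they are not Squidex's actual permission format.

// Check 1: Referer allow-list. The value is supplied by the caller.
const ALLOWED_ORIGINS = new Set(["https://shop.example"]);

function refererAllowed(headers) {
  try {
    return ALLOWED_ORIGINS.has(new URL(headers["referer"]).origin);
  } catch {
    return false; // header missing or not a valid URL
  }
}

// Check 2: permissions stored server-side, keyed by client id.
const CLIENT_PERMISSIONS = new Map([
  ["frontend-readonly", ["contents.blog-posts.read", "contents.pages.read"]],
  ["frontend-overbroad", ["contents.*"]],
]);

function permissionMatches(granted, required) {
  const g = granted.split(".");
  const r = required.split(".");
  for (let i = 0; i < g.length; i++) {
    // A trailing "*" covers every remaining segment.
    if (g[i] === "*" && i === g.length - 1) return r.length > i;
    if (i >= r.length) return false;
    if (g[i] !== "*" && g[i] !== r[i]) return false;
  }
  return g.length === r.length;
}

function authorize(clientId, required) {
  const granted = CLIENT_PERMISSIONS.get(clientId) || [];
  return granted.some((g) => permissionMatches(g, required));
}

// Constructed sample requests: the "script" entries are the embedded
// credentials reused outside the browser with the same Referer value.
const requests = [
  { from: "browser", clientId: "frontend-readonly", action: "contents.blog-posts.read" },
  { from: "script", clientId: "frontend-readonly", action: "contents.blog-posts.delete" },
  { from: "script", clientId: "frontend-overbroad", action: "contents.blog-posts.delete" },
].map((req) => ({ ...req, headers: { referer: "https://shop.example/blog" } }));

function evaluate(req) {
  return { refererOk: refererAllowed(req.headers), permitted: authorize(req.clientId, req.action) };
}

for (const req of requests) console.log(req.from, req.clientId, req.action, evaluate(req));
```

The Referer check passes all three requests, so what limits credentials lifted from the front end is only what that client is permitted to do.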

Thank you for your answer
Yes, you are right, it's relatively easy to forge a fake referer. But forging it once or using a proxy that updates the referer is not easy for everyone; use without referer protection is the easiest and is accessible to all…
When you use the Google Maps API, the referer is used; maybe it's a good start.

But Google Maps is a JavaScript SDK; it makes no sense to attack from an API.