Dave

Reputation: 2842

How to limit Firebase HTTP/Callable function request size?

Can we limit the HTTP/Callable function request size that is coming from the client? I know we can check the request with the function once it arrives, but then it's too late, as we need to download the unwanted request first in order to verify it.

I am wondering if there is a way to prevent malicious users from flooding functions with requests of 10 MB in size. First I thought I could block the user once I detect an invalid request, but I can see now that even if the user is blocked, nothing is stopping the user from calling the function. I can of course prevent this user from accessing backend features, but the request is still sent from the client and I am afraid it may affect the quotas and our bills.

Upvotes: 3

Views: 1030

Answers (2)

John Hanley

Reputation: 81336

There really is no elegant solution to your problem. Any service with a public endpoint will suffer from the same type of attack and thousands more. You will need to place your endpoints behind load balancers, CDNs and implement attack management with web application firewalls (Cloud Armor).

  1. Inbound data transfers are free so this helps mitigate the cost portion.

  2. Unless necessary, don't publish HTTP callable functions. Call these functions from your other services. This enables load balancers, caching and firewalls.

  3. Deploy your functions behind Apigee.

  4. Implement smarts into your design to detect attacks and block access using services like Cloud Armor. Simple logic will detect large payloads and then block the offending IP address in the firewall. This requires #2 however.

Upvotes: 4
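As an added example (not code from this answer or from Firebase), the "simple logic" in item 4 could be a size gate like this for an Express-style HTTP function, which rejects on Content-Length before any body processing and counts strikes per IP so a firewall rule (e.g. Cloud Armor) has something to act on. MAX_BODY_BYTES, STRIKES_BEFORE_BLOCK and the in-memory strike map are assumptions; note the bytes still reach the Functions front end before this runs, so the gain is skipping processing and producing a block signal, not avoiding the transfer.

```javascript
// Added example: Content-Length gate with per-IP strike counting for a
// Firebase onRequest function (exports.api = functions.https.onRequest(app);
// app.use(sizeGate)). Not Firebase's own code.

const MAX_BODY_BYTES = 1024 * 1024;   // hypothetical 1 MiB policy limit
const STRIKES_BEFORE_BLOCK = 3;       // hypothetical threshold before signalling a block

// In-memory strike counter (assumption); a real deployment would use a
// shared store such as Firestore or Memorystore so all instances agree.
const strikes = new Map();

// Pure decision function: returns the HTTP status to send, whether the
// caller's IP has crossed the strike threshold, and a reason string.
// A missing or non-numeric Content-Length is rejected with 411 so a
// chunked body cannot sidestep the size check.
function decideRequest(headers, ip) {
  const raw = headers['content-length'];
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) {
    return { status: 411, block: false, reason: 'missing or invalid Content-Length' };
  }
  const len = Number(raw);
  if (len > MAX_BODY_BYTES) {
    const n = (strikes.get(ip) || 0) + 1;
    strikes.set(ip, n);
    return {
      status: 413,
      block: n >= STRIKES_BEFORE_BLOCK,
      reason: `body of ${len} bytes exceeds limit of ${MAX_BODY_BYTES}`,
    };
  }
  return { status: 200, block: false, reason: 'ok' };
}

// Express-style middleware: short-circuits oversize requests and emits a
// structured log line once an IP crosses the threshold, which a log-based
// alert or firewall automation can consume.
function sizeGate(req, res, next) {
  const d = decideRequest(req.headers, req.ip);
  if (d.status !== 200) {
    if (d.block) {
      console.warn(JSON.stringify({ event: 'oversize-flood', ip: req.ip, reason: d.reason }));
    }
    res.status(d.status).send(d.reason);
    return;
  }
  next();
}
```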

Doug Stevenson

Reputation: 317362

You're correct - nothing is stopping someone from invoking any callable or HTTP function. But you can't limit the size of the payload differently than the hard limit of 10MB you mentioned. However, it's highly unlikely that someone will do this maliciously. If you would like to see this as a feature, file a feature request.

Upvotes: 2
