Reputation: 3088
I've searched the netlify docs and I can't figure this out.
I have a serverless function located here
/.netlify/functions/orderCreate
But I can hit this in my browser or with curl and it tries to create an order. If an attacker finds out about this function they could create thousands of fake orders in my db.
I know I can do some simple checks like make sure it is an HTTP POST, or make sure it has some valid session ID, but I would really like some type of auth or better security.
Because all requests should come from a client-side React app via an ajax request, can I limit it to the same domain or something?
Upvotes: 1
Views: 837
Reputation: 39
I'm 4 years too late but hopefully this may help someone. I ran into this issue recently and ended up using Google recaptcha (v3, since its invisible option is not disruptive to user flow) to add a layer of protection to my Netlify function endpoint. Basically I wrapped my entire app (React) in a recaptcha provider, and right before calling the Netlify function, I would get the recaptcha token to send along in the request. The function logic would then verify the token with Google and only if the returned score is satisfactory (like > 0.8), then it would proceed.
This way the function should be as protected as Google recaptcha itself, while not requiring any authentication effort from the users (iirc, recaptcha v3 won't ask users to perform any tasks, it would just assign a low score to the token if it suspects the user is a bot).
Upvotes: -2
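As an added example (not code from the answer above), here is the server-side half of the reCAPTCHA v3 approach as a Netlify function: the client sends the token in the request body, the function asks Google's siteverify endpoint to grade it, and it only proceeds when the token is valid, was issued for the expected action and hostname, and scored at or above the threshold. The RECAPTCHA_SECRET environment variable, the "order_create" action name and the shop hostname are placeholders assumed for this example.

```javascript
// Added example, not the answer's own code. Verifies a reCAPTCHA v3 token server-side
// before creating an order. Assumptions: RECAPTCHA_SECRET env var, the "order_create"
// action name and the "example-shop.netlify.app" hostname are placeholders.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
const MIN_SCORE = 0.8;                                 // the answer's suggested cut-off
const EXPECTED_ACTION = "order_create";                // assumed: the action passed to grecaptcha.execute
const EXPECTED_HOSTNAME = "example-shop.netlify.app";  // assumed: the site the token must come from

// POST the token to Google and return the parsed JSON verdict.
// fetchImpl is injectable so the decision logic can be tested without network access.
async function verifyRecaptcha(token, remoteIp, fetchImpl = globalThis.fetch) {
  const params = new URLSearchParams({
    secret: process.env.RECAPTCHA_SECRET || "",
    response: token,
  });
  if (remoteIp) params.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: params.toString(),
  });
  return res.json();
}

// Turn a siteverify verdict into an allow/deny decision. Checking action and hostname
// as well as score stops a token minted for another page or another site from being
// replayed against this endpoint.
function evaluateVerdict(verdict, opts = {}) {
  const minScore = opts.minScore !== undefined ? opts.minScore : MIN_SCORE;
  const expectedAction = opts.expectedAction !== undefined ? opts.expectedAction : EXPECTED_ACTION;
  const expectedHostname = opts.expectedHostname !== undefined ? opts.expectedHostname : EXPECTED_HOSTNAME;
  if (!verdict || verdict.success !== true) {
    const codes = (verdict && verdict["error-codes"]) || [];
    return { allow: false, reason: "token invalid: " + codes.join(",") };
  }
  if (verdict.action !== expectedAction) {
    return { allow: false, reason: "unexpected action " + verdict.action };
  }
  if (verdict.hostname !== expectedHostname) {
    return { allow: false, reason: "unexpected hostname " + verdict.hostname };
  }
  if (typeof verdict.score !== "number" || verdict.score < minScore) {
    return { allow: false, reason: "score too low: " + verdict.score };
  }
  return { allow: true, score: verdict.score };
}

async function handler(event) {
  if (event.httpMethod !== "POST") return { statusCode: 405, body: "Method Not Allowed" };
  let body;
  try {
    body = JSON.parse(event.body || "{}");
  } catch (e) {
    return { statusCode: 400, body: "Bad JSON" };
  }
  if (typeof body.recaptchaToken !== "string") {
    return { statusCode: 400, body: "Missing recaptchaToken" };
  }
  // x-nf-client-connection-ip is the header Netlify uses for the caller's IP (assumed here).
  const verdict = await verifyRecaptcha(body.recaptchaToken, event.headers["x-nf-client-connection-ip"]);
  const decision = evaluateVerdict(verdict);
  if (!decision.allow) {
    console.warn("order rejected:", decision.reason);  // keep a trail for abuse investigation
    return { statusCode: 403, body: JSON.stringify({ error: "rejected" }) };
  }
  // ... create the order here from body.order ...
  return { statusCode: 201, body: JSON.stringify({ created: true, score: decision.score }) };
}

exports.handler = handler;
```

The score threshold is a tuning knob, not a hard boundary: log the rejected scores for a while before tightening it, and bind the token to an action name so a token obtained on one page cannot be replayed against the order endpoint.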
Reputation: 74
As Netlify doesn't provide a way to check specific requests based on their origin, you could do it manually from inside your function's code and send a 403 response if the Origin isn't your client-side domain:
exports.handler = function(event, context, callback) {
  // Netlify lowercases header names, so read "origin" (fall back to "Origin" just in case)
  var origin = event.headers["origin"] || event.headers["Origin"];
  if (origin !== "https://whateverisyourdomainname.netlify.com") {
    // Netlify expects "statusCode" in the response object, not "status"
    return callback(null, { statusCode: 403, body: "Forbidden" });
  }
  // else, do whatever your function does
}
Recent browsers do prevent a user from setting the Origin header himself. However, nothing prevents anyone from crafting a curl request and spoofing the Origin header to hit your function. If you wish to really prevent it, you should set up a proper authentication process for your application.
Upvotes: 4