HelpMe

Reputation: 21

Protecting Azure Function Keys in client side application

I have been experimenting with Azure Functions.

I want to call a HTTP Trigger function from a static website via jQuery. I have the static website setup in Azure Blob Storage, using the Verizon CDN. That is all working correctly.

However, I want to limit the access to only my website. I want to secure the Function via the AuthorizationLevel 'Function' - meaning I need to pass the API key with the request. However, this would mean having the key on the static webpage, meaning anyone who viewed the source of the page would be able to get the key and call the Function.

Is there a way I can circumvent this? I had thought about being able to add an HTTP header at the CDN. I had also thought about being able to require something on the Function side to only allow certain websites to make the request.

I am a bit lost with this, and perhaps it cannot be done this simply.

Upvotes: 1

Views: 795

Answers (2)

juunas

Reputation: 58773

Fundamentally from a security point of view, there is no way (that I know of at least) to authenticate a public client like a browser application. Since the requests must be allowed from user machines without authentication, the endpoints must be left open. Using the function key is pretty pointless if it is distributed to the front-end anyway.

You can use CORS (cross-origin resource sharing) to limit requests to only come from your website. This doesn't prevent someone from making the requests, but it tells browsers not to allow the requests from the wrong origins. Someone could still make requests from a back-end application to your functions (since CORS is ignored there), but it's better than nothing.

Upvotes: 0

Hugo Barona

Reputation: 1398

Preferably, following best practices, you should use Verizon Premium CDN to be able to use routing rules, and then use Azure API Management to abstract the client from your APIs and have a way to protect them by applying throttling rules, request limits, cache, etc.

The rules you can configure are URL Rewrite for requests to your functions (e.g. /api) and the Bypass Cache rule for any requests related to dynamic data that you do not want to cache.

Please have a look at this article on Microsoft documentation that shows the diagram and explains the process.

Upvotes: 1
