Hello Netlify Community,
I’m building a static Nuxt app that gets some data from a third-party API. It does this via Functions.
The Nuxt app uses Fetch to do a GET call with a query parameter to a Function.
The secret for the third-party API is set as an Environment variable and used by the function to get the data and return it to Nuxt. This all works great!
However, these functions can also be called directly, publicly. I would really like to restrict this so that only my Nuxt app can reach these functions. How can I manage this? I found a forum post that shows how to do it by limiting GET requests and only allowing POST. This would not prevent Curl or Postman type requests from still getting the data.
I also saw examples of how to use Identity in Netlify to only allow authorised users to access data. This would work however my application doesn’t use Identity or any form of user accounts. So how can I make sure the Functions endpoints are only accessible to my Nuxt application?
I tried setting CORS headers but this doesn’t seem to prevent anything in Postman or when visiting the function directly. When trying to use fetch in the browser console on any other site however, the request is blocked by CORS.
What are my options?
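To illustrate the observation above (CORS headers only govern what a browser will let page scripts read, so a direct request still gets the data), here is an added example of a Netlify-style Function handler; it is not the poster's code, and the THIRD_PARTY_URL / THIRD_PARTY_KEY environment variables, the `q` query parameter and the app origin are assumptions.

```javascript
// Added example (not from the original post): a Netlify-style Function that
// proxies a third-party API with a secret from an environment variable.
// THIRD_PARTY_URL, THIRD_PARTY_KEY, the `q` query parameter and the app
// origin below are assumptions, not values from the post.

const ALLOWED_ORIGIN = "https://example-nuxt-app.netlify.app";

// CORS headers are advisory: only browsers enforce them. curl, Postman or a
// server-side script receive the body regardless of these headers.
function corsHeaders() {
  return {
    "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
    "Access-Control-Allow-Methods": "GET, OPTIONS",
  };
}

// Validate the incoming event and build the upstream request. The secret is
// read here, server-side, and never sent to the client.
function buildUpstreamRequest(event, env = process.env) {
  const q = event.queryStringParameters && event.queryStringParameters.q;
  if (typeof q !== "string" || q.length === 0) return null;
  return {
    url: `${env.THIRD_PARTY_URL}?q=${encodeURIComponent(q)}`,
    headers: { Authorization: `Bearer ${env.THIRD_PARTY_KEY}` },
  };
}

// Whether a browser page at `requestOrigin` would be allowed to read the
// response. It depends only on headers the browser evaluates, so a client
// that ignores CORS (or sends no Origin at all) is never stopped by them.
function browserWouldExpose(responseHeaders, requestOrigin) {
  return responseHeaders["Access-Control-Allow-Origin"] === requestOrigin;
}

async function handler(event, fetchImpl = fetch) {
  if (event.httpMethod === "OPTIONS") {
    return { statusCode: 204, headers: corsHeaders(), body: "" };
  }
  const upstream = buildUpstreamRequest(event);
  if (!upstream) {
    return { statusCode: 400, headers: corsHeaders(), body: "missing q" };
  }
  const res = await fetchImpl(upstream.url, { headers: upstream.headers });
  // The result goes back with CORS headers: readable by the allowed origin in
  // a browser, and by any non-browser client unconditionally.
  return { statusCode: res.status, headers: corsHeaders(), body: await res.text() };
}

if (typeof module !== "undefined") module.exports = { handler };
```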