I am running a site that uses Netlify Functions; the site is a public-facing marketing website. It has some forms that handle submitting leads and signing up for service with the company. These forms use lambda functions as their backend, and this has been working fine. We recently noticed a large number of junk requests hitting one of these lambda functions directly and have been trying to determine a way to restrict who can call this function. I did some digging into Identity, but that doesn’t look like it will help us because it’s designed to provide a means of authenticating users, which is a concept that we don’t support on this site.
Basically, my question is: how do I restrict what can send requests to a lambda function such that someone can’t simply replay requests and potentially run a denial of service attack against my site?
One thing to try is setting an access-control-allow-origin header as part of your function’s response. You can set this to be more strict.
If those requests aren’t coming from a browser, you’ll probably need to take a look at the event object and see if you can determine a common factor, which you can then use to respond with a 502 (or similar) to those requests.
That said, there isn’t a way to completely prevent someone from hitting your function altogether.
Let me know if either of those recommendations work for you.
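As an added example (not code from the thread or from Netlify), the following Netlify Function applies both suggestions from the answer above: it returns a strict Access-Control-Allow-Origin header instead of a wildcard, and it inspects the event object for a "common factor" before doing any work. The allowed origin, the factors checked (method, Origin header, content type, JSON body) and the names ALLOWED_ORIGIN, junkReason and decide are assumptions made for this example. Two caveats a practitioner should keep in mind: the CORS header only controls whether a browser lets a cross-origin page read the response, it does not stop the function from running; and the Origin header is set by browsers but trivially forged by a script, so this filters unsophisticated junk rather than a determined sender, consistent with the answer's point that the function cannot be made unreachable.

```javascript
// Added example: a Netlify Function handler with a strict CORS origin and a
// request-shape filter. Names and checks here are this example's own assumptions.
const ALLOWED_ORIGIN = "https://www.example.com"; // assumption: the marketing site's own origin

// Netlify passes header names lowercased, but be tolerant of mixed case.
function header(event, name) {
  const headers = event.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// The "common factor" test. Factors assumed here: wrong method, an Origin header
// that is missing or not ours, a non-JSON content type, or a body that is not JSON.
// Returns the reason as a string, or null if the request looks like one the form sends.
function junkReason(event) {
  if (event.httpMethod !== "POST") return "method";
  if (header(event, "origin") !== ALLOWED_ORIGIN) return "origin";
  const ctype = (header(event, "content-type") || "").toLowerCase();
  if (!ctype.startsWith("application/json")) return "content-type";
  const raw = event.isBase64Encoded
    ? Buffer.from(event.body || "", "base64").toString("utf8")
    : event.body || "";
  try {
    JSON.parse(raw);
  } catch {
    return "body";
  }
  return null;
}

// Synchronous decision so it is easy to test; the exported handler wraps it.
function decide(event) {
  // A specific origin rather than "*": only pages on our site may read the response.
  const cors = { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, Vary: "Origin" };
  if (event.httpMethod === "OPTIONS") {
    return {
      statusCode: 204,
      headers: { ...cors, "Access-Control-Allow-Methods": "POST", "Access-Control-Allow-Headers": "Content-Type" },
      body: "",
    };
  }
  if (junkReason(event) !== null) {
    // The answer suggests 502; 403 is the "or similar" used here. An empty body
    // tells the caller nothing about which check failed.
    return { statusCode: 403, headers: cors, body: "" };
  }
  // Real lead handling would go here.
  return { statusCode: 200, headers: { ...cors, "Content-Type": "application/json" }, body: JSON.stringify({ ok: true }) };
}

const handler = async (event) => decide(event);
if (typeof module !== "undefined") module.exports = { handler, decide, junkReason };
```

Deploy this as the form's function and watch the 403 count in the function logs; if the junk traffic does send a plausible Origin and JSON body, the remaining options are per-IP rate limiting at the edge or a freshness token as in the follow-up reply.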
Thanks, I ultimately did find a solution to this. I decided to generate a JWT with a short timeout on the frontend form itself that is then submitted to the function. The function then has to validate the token and its expiration before performing any additional processing.