Passing cookies through lambda functions

I have a react front end on Netlify and a resource on another domain I want to access. I have several use cases, but one of them is a database on Heroku.

I want to keep secrets, including which remote domains I’m accessing, hidden from the client and I thought I could do it with lambda functions. That is, the app calls lambda, lambda calls remote.

The problem I am having is that the remote domain uses server sessions and needs the application to pass the cookie but I don’t know how to make lambda pass it on. I realise this may be seen as a man-in-the-middle attack and may not be possible but any help is appreciated.

FYI, the process works if I hit the remote domain directly instead of using lambda, but I wanted some extra processing to take place before the data is returned to the application.

Sample code, anonymised, is provided:

App.js (React):

const getStuff = () => {
  .get("./netlify/functions/loadstuff", { withCredentials: true })
  //.then, etc


exports.handler = async function (event, context) {
  try {
    const response = await axios.get(
      { withCredentials: true }
    return {
      statusCode: response.status,
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(,
  } catch (err) {
    return {
      statusCode: err.response.status,
      headers: { "Content-Type": "application/json" },
      body: err.toString(),

anotherdomain loadstuff:

const loadstuff = (request, response) => {
  let result = {
    //a bunch of stuff
  //logic to configure and customise stuff based on caller

Hey @Ormesome,

What happens if you try to get cookies from the request in your lambda and send those as custom sookie headers in your loadstuff.js?

For example:

exports.handler = async function (event, context) {
  try {
    const response = await axios({
      url: "",
      headers: {
        cookie: event.cookie.cookieName
// rest of the stuff

Thank you. This has done exactly what I needed.

1 Like