Restricting Access to Netlify Functions

I’m working on a Netlify function that will act as a proxy server for a client app that needs to access their Brightcove videos. Brightcove’s API requires a proxy to access it. (here’s an example: Seems like this is a pretty common and well-supported use case for lambda functions (see:

However, every example I’ve found acts as a public proxy, which is not what we want at all. We want to restrict access to the proxy to only the client app. I thought I should be able to do this with the Access-Control-Allow-Origin header, but this demo function I created doesn’t seem to work the way I’d expect. I would think this would block access to anything but a page on, but when I visit the function in my browser, I can see the result just fine.

What am I missing?

exports.handler = async (event, context) => {
  console.log(event, context);
  return {
    statusCode: 200,
    headers: {
      "Access-Control-Allow-Origin": "",
    },
    body: "Hello from the restricted function!"
  };
};

Deployed at:

Welcome to our Netlify community site, @scott-cloud-four. Would our signed proxy redirects meet the requirements here?
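
On the behaviour asked about at the top of the thread, an added example (not code from either poster or from Netlify): Access-Control-Allow-Origin is a response header that a browser uses to decide whether a cross-origin script may read the reply, so the function still runs and returns its body to any caller, including a direct visit in the browser. The sketch below puts a handler shaped like the one in the question beside one that checks the request's Origin header on the server before returning anything; `https://app.example.com` and the function names are assumptions made up for this example.

```javascript
// Added example. The allowed origin is a constructed placeholder.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Header names may arrive in any case; look them up case-insensitively.
function getHeader(headers, name) {
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name);
  return key ? headers[key] : undefined;
}

// Same shape as the function in the question: the CORS header is attached to
// the response, but nothing inspects the request, so every caller gets the body.
function corsHeaderOnly(event) {
  return {
    statusCode: 200,
    headers: { "Access-Control-Allow-Origin": "https://app.example.com" },
    body: "Hello from the restricted function!",
  };
}

// Server-side check: decide before doing any work or returning any data.
function originChecked(event) {
  const origin = getHeader(event.headers, "origin");
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown or missing origin: no CORS header and no payload.
    return { statusCode: 403, headers: { Vary: "Origin" }, body: "Forbidden" };
  }
  const cors = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (event.httpMethod === "OPTIONS") {
    // Preflight: answer with the allowed methods and an empty body.
    return {
      statusCode: 204,
      headers: { ...cors, "Access-Control-Allow-Methods": "GET, OPTIONS" },
      body: "",
    };
  }
  return { statusCode: 200, headers: cors, body: "Hello from the restricted function!" };
}

// Netlify-style export of the checked handler.
const handler = async (event) => originChecked(event);
if (typeof module !== "undefined") module.exports = { handler };
```

The Origin header is supplied by the client, so this check keeps other sites' pages from using the proxy through a browser but does not authenticate the caller; a non-browser client can send any Origin value it likes. Browsers also omit Origin on same-origin GET requests, so this form suits a client app served from a different origin than the function.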