Yes, this way (or probably any other too) you won’t be able to secure the endpoints, at least not the Netlify Functions.
Even if you setup a redirect rule from `/api/*` to your Netlify Function, your actual endpoint (`/.netlify/functions/foo/`) is still vulnerable and could be hit by bypassing the redirect altogether. This way, even RBAC can’t save you. They would be able to protect your `/api/*` routing, but not the actual endpoint. However, with RBAC you’ve a chance. You could setup a different redirect rule for each function and use RBAC on that. So no one would be actually able to guess the endpoint’s URL and since they can’t know, the only way for them would be to pass through the RBAC checks.
I have a solution that might be useful (I use it currently). You could use Netlify Identity and create a random user with a random email and password. Then, you could pass that user using the Authorisation header to your functions. Inside the functions, you could verify if that Auth token is a valid user of your website and authorise the function accordingly. To further increase the security, I delete the user inside the function so that no one can exploit the Auth token. It’s not fool-proof (I can explain why if needed), but does add a robust security mechanism.
If this sounds like a workable solution, I can provide you with an example of how I do it. It’s not super practical probably, but gets the job done.
A note though: If by protecting the endpoint you mean that you don’t wish for the function invocations to be consumed, that won’t be possible. Even if you have any kind of checks inside the function to authorise or deny access, that would be counted as an invocation.
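An added example (not the poster's code) of the in-function check described above: Netlify verifies an `Authorization: Bearer <token>` Identity JWT before invoking the function and exposes the decoded user on `context.clientContext.user`, so the function denies the request itself whether it arrived via `/api/*` or directly at `/.netlify/functions/<name>`. It goes slightly beyond the single random user by also checking an assumed `app_metadata.roles` allow-list; the poster's delete-the-user step is left out.

```javascript
// Added example: a Netlify Function that refuses to do any work unless the
// request carried a valid Netlify Identity JWT. Netlify validates the
// "Authorization: Bearer <token>" header before the handler runs and, for a
// valid token, places the decoded user on context.clientContext.user; an
// absent or invalid token leaves clientContext.user undefined.
// Because /.netlify/functions/<name> is reachable without the /api/* redirect,
// the check has to live here, inside the function.

// Constructed allow-list of Identity roles permitted to call this function
// (assumed to be carried in the user's app_metadata.roles claim).
const ALLOWED_ROLES = ['service'];

// Pure decision function, kept separate from the handler so it can be tested.
// Returns the HTTP response the function should send.
function authorize(context) {
  const user = context && context.clientContext && context.clientContext.user;
  if (!user) {
    // No verified Identity token: deny before touching anything sensitive.
    return { statusCode: 401, body: JSON.stringify({ error: 'unauthorized' }) };
  }
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  if (!roles.some((r) => ALLOWED_ROLES.includes(r))) {
    // Authenticated but not permitted. This still counts as an invocation,
    // but the protected work below never runs.
    return { statusCode: 403, body: JSON.stringify({ error: 'forbidden' }) };
  }
  // Protected work would go here; echo the subject claim as a placeholder.
  return { statusCode: 200, body: JSON.stringify({ ok: true, sub: user.sub }) };
}

// Netlify Functions handler signature: (event, context) -> response.
const handler = async (event, context) => authorize(context);

// CommonJS export expected by the Netlify Functions runtime.
if (typeof module !== 'undefined') {
  module.exports = { handler, authorize, ALLOWED_ROLES };
}
```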