
I've searched the netlify docs and I can't figure this out.

I have a serverless function located here

/.netlify/functions/orderCreate

But I can hit this in my browser or with curl and it tries to create an order. If an attacker finds out about this function they could create thousands of fake orders in my db.

I know I can do some simple checks like make sure it is an HTTP POST, or make sure it has some valid session ID, but I would really like some type of auth or better security.

Because all requests should come from the client-side React app via an ajax request, can I limit it to the same domain or something?

2 Answers


As Netlify doesn't provide a way to check and filter specific requests based on origin, you could do it manually from inside your function's code and send a 403 response if the Origin isn't your client-side domain:

exports.handler = function(event, context, callback) {
    // Netlify lowercases incoming header names, so read `origin`
    // (the capitalised key is kept as a fallback for other tooling)
    const origin = event.headers.origin || event.headers["Origin"]
    if (origin !== "https://whateverisyourdomainname.netlify.com")
        // the response object needs `statusCode`, not `status`
        return callback(null, { statusCode: 403, body: "Forbidden" })

    // else, do whatever your function does
}

Recent browsers do prevent a user from setting the Origin header himself. However, nothing prevents anyone from crafting a curl request and spoofing the Origin header to hit your function. If you wish to really prevent it, you should set up a proper authentication process for your application.


4 Comments

Could you suggest a proper authentication process for this situation?
There are many ways to implement an auth process. Netlify itself provides a service for it: docs.netlify.com/visitor-access/identity If you do not want to use this service and already have a user database (I don't know the context of your app), you can also rely on a JWT authentication. It is pretty easy to set up: jwt.io
Well, that header (or any other header) can just be added to the cURL call or any other client that is being used. This is no proper protection.
Yes, it is exactly what is written in the last paragraph of my comment.

I'm 4 years too late but hopefully this may help someone. I ran into this issue recently and ended up using Google recaptcha (v3, since its invisible option is not disruptive to user flow) to add a layer of protection to my Netlify function endpoint. Basically I wrapped my entire app (React) in a recaptcha provider, and right before calling the Netlify function, I would get the recaptcha token to send along in the request. The function logic would then verify the token with Google and only if the returned score is satisfactory (like > 0.8), then it would proceed.

This way the function should be as protected as Google recaptcha itself, while not requiring any authentication effort from the users (iirc, recaptcha v3 won't ask users to perform any tasks, it would just assign a low score to the token if it suspects the user is a bot).

2 Comments

reCAPTCHA is not a replacement for proper authentication and, as good as it is, can be tricked. This answer is misleading.
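For the reCAPTCHA v3 approach above, here is an added example (not the answerer's own code) of the server-side half: the function forwards the token the React app obtained to Google's siteverify endpoint and accepts the request only when the response says `success`, the `score` clears the threshold, and the `action` and `hostname` match what this endpoint expects, so a token harvested from another page or action cannot be replayed here. The action name `order_create`, the hostname, the 0.8 threshold and the `RECAPTCHA_SECRET` environment variable are assumptions; the siteverify URL and response fields (`success`, `score`, `action`, `hostname`, `challenge_ts`) are Google's documented ones.

```javascript
// Added example, not code from the answer above: reCAPTCHA v3 verification
// inside a Netlify function, with the decision logic split out for testing.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
const RECAPTCHA_SECRET = process.env.RECAPTCHA_SECRET || ""; // assumption: server-side secret key
const EXPECTED_ACTION = "order_create"; // assumption: the action name the client passes to grecaptcha.execute
const EXPECTED_HOSTNAME = "whateverisyourdomainname.netlify.com"; // assumption
const MIN_SCORE = 0.8;
const TOKEN_MAX_AGE_MS = 2 * 60 * 1000; // v3 tokens are only valid for two minutes anyway

// Decision over the siteverify JSON, separated from the HTTP call so it runs offline.
function assessRecaptcha(result, now = Date.now()) {
  if (!result || result.success !== true) return { ok: false, reason: "not verified" };
  if (typeof result.score !== "number" || result.score < MIN_SCORE) return { ok: false, reason: "low score" };
  // A token minted for a different action (say, the login page) must not unlock order creation.
  if (result.action !== EXPECTED_ACTION) return { ok: false, reason: "action mismatch" };
  if (result.hostname !== EXPECTED_HOSTNAME) return { ok: false, reason: "hostname mismatch" };
  const issued = Date.parse(result.challenge_ts);
  if (Number.isNaN(issued) || now - issued > TOKEN_MAX_AGE_MS) return { ok: false, reason: "stale token" };
  return { ok: true, score: result.score };
}

// fetchImpl is injectable so the Google call can be stubbed; defaults to Node 18's global fetch.
async function verifyRecaptcha(token, secret, fetchImpl = fetch) {
  if (typeof token !== "string" || token.length === 0) return { ok: false, reason: "missing token" };
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ secret, response: token }).toString(),
  });
  return assessRecaptcha(await res.json());
}

async function handler(event) {
  if (event.httpMethod !== "POST") return { statusCode: 405, body: "" };
  let payload;
  try {
    payload = JSON.parse(event.body || "{}"); // client sends { recaptchaToken, ...order fields }
  } catch {
    return { statusCode: 400, body: JSON.stringify({ error: "bad json" }) };
  }
  const verdict = await verifyRecaptcha(payload.recaptchaToken, RECAPTCHA_SECRET);
  if (!verdict.ok) return { statusCode: 403, body: JSON.stringify({ error: verdict.reason }) };
  // ... create the order here ...
  return { statusCode: 201, body: JSON.stringify({ ok: true, score: verdict.score }) };
}

exports.handler = handler;
```

The `action` and `hostname` checks are the part people skip: without them any token the attacker can obtain from any reCAPTCHA-protected page on your site (or from a bot farm that solves v3 with a decent score) passes, which is the sense in which the comment above says it can be tricked. The secret key must only ever live on the server; the site key in the React app is public.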
