I've developed a JS script to help users input their info in a form by fetching public data. Now I'm thinking of deploying it as a kind of API service.
Is it possible and safe enough for the HTTP triggers of PaaS offerings like GCF and Amazon Lambda to be triggered only from specific domains I allow? Like the JS fetching, reading its header's origin and checking its domain.
I've considered generating passcodes per customer and placing them in key.js in the user's directory or in an env value, having my JS file open on a URL, letting the user's website read the JS with key.js returned in a query param, and checking its validity.
But forms can be everywhere in a customer's tree, and placing it in env for each customer can be bothersome at scale.
CodePudding user response:
This isn't a native GCF feature, but you could try
- Adding a filter in your GCF handler to check the requested domain
- Making your GCF private and letting it ensure callers are authorized (GCP callers)
- Running in Cloud Run, App Engine or another service with Identity-Aware Proxy and screening out callers that way
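The first option above, a filter in the handler itself, looks roughly like this for a Node.js HTTP Cloud Function. This is an added example, not code from the answer or from Google; the function name `formHelper` and the origins in the allowlist are constructed for illustration. The check is split into a pure `checkOrigin` function so the decision can be exercised without deploying anything.

```javascript
// Added example (not from the original answer): an HTTP Cloud Function
// handler that only serves requests whose Origin header is on an allowlist.
// GCF's Node runtime passes an Express-style (req, res) pair, and Express
// lowercases header names, so the header is read as headers.origin.

// Allowlist of origins as scheme://host[:port]. Constructed sample values.
const ALLOWED_ORIGINS = new Set([
  'https://shop.example',
  'https://www.shop.example',
]);

// Decide whether a request may proceed, based only on its Origin header.
// Returns { allowed, origin, reason } so the decision is testable on its own.
// Caveat: browsers set Origin on cross-site fetch() calls and page scripts
// cannot override it, but a non-browser client can send any value it likes,
// so this limits casual embedding by other sites; it is not authentication.
function checkOrigin(headers, allowlist = ALLOWED_ORIGINS) {
  const origin = headers.origin;
  if (typeof origin !== 'string' || origin.length === 0) {
    return { allowed: false, origin: null, reason: 'missing Origin header' };
  }
  let parsed;
  try {
    parsed = new URL(origin); // also rejects the literal value "null"
  } catch {
    return { allowed: false, origin, reason: 'malformed Origin header' };
  }
  // parsed.origin is scheme://host[:port], so a trailing slash or a path
  // never makes a comparison fail or succeed by accident.
  const normalised = parsed.origin;
  if (!allowlist.has(normalised)) {
    return { allowed: false, origin: normalised, reason: 'origin not allowlisted' };
  }
  return { allowed: true, origin: normalised, reason: 'ok' };
}

// HTTP entry point. Deploy with --trigger-http and --entry-point formHelper
// (the name is an assumption for this example).
function formHelper(req, res) {
  const decision = checkOrigin(req.headers);
  if (!decision.allowed) {
    // No CORS headers on the rejection, so a page on a non-allowlisted site
    // cannot read the response body either.
    res.status(403).json({ error: 'forbidden', reason: decision.reason });
    return;
  }
  // Echo the one matching origin back instead of '*', and tell caches
  // that the response varies by Origin.
  res.set('Access-Control-Allow-Origin', decision.origin);
  res.set('Vary', 'Origin');
  if (req.method === 'OPTIONS') {
    // CORS preflight for the real request that follows.
    res.set('Access-Control-Allow-Methods', 'GET, POST');
    res.set('Access-Control-Allow-Headers', 'Content-Type');
    res.status(204).send('');
    return;
  }
  // Placeholder payload; the real function would look up the public data
  // the form needs and return it here.
  res.status(200).json({ ok: true, servedTo: decision.origin });
}

if (typeof module !== 'undefined') {
  module.exports = { formHelper, checkOrigin, ALLOWED_ORIGINS };
}
```

Keeping the allowlist in a single place (or an environment variable parsed at cold start) avoids the per-customer key.js idea from the question: the customer's site only needs to call the endpoint from the domain you registered, not to carry a secret.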
CodePudding user response:
You can use reCAPTCHA v3, add the allowed domains that can access your function endpoint, and verify the token is valid in the function implementation.
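The server-side half of that answer, as an added example rather than code from the answer or from Google: the function posts the token to the documented siteverify endpoint and then applies its own checks to the JSON it gets back. The secret is assumed to live in an environment variable `RECAPTCHA_SECRET`, the hostnames and the action name `submit_form` are constructed values, and the decision logic is kept in a pure `evaluateVerification` function so it can be tested offline.

```javascript
// Added example (not from the original answer): verifying a reCAPTCHA v3
// token inside the function. Needs Node.js 18+ for the global fetch().

// Assumption: the reCAPTCHA secret key is provided to the function as an
// environment variable rather than being embedded in the source.
const RECAPTCHA_SECRET = process.env.RECAPTCHA_SECRET;
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Hostnames the site key was registered for in the reCAPTCHA console
// (constructed sample values), the action name the page passes to
// grecaptcha.execute(), and the lowest score we accept.
const ALLOWED_HOSTNAMES = new Set(['shop.example', 'www.shop.example']);
const EXPECTED_ACTION = 'submit_form';
const MIN_SCORE = 0.5;

// Apply the function's own policy to a siteverify response body. The fields
// used here (success, hostname, action, score) are the documented ones.
function evaluateVerification(result, {
  allowedHostnames = ALLOWED_HOSTNAMES,
  expectedAction = EXPECTED_ACTION,
  minScore = MIN_SCORE,
} = {}) {
  if (!result || result.success !== true) {
    return { ok: false, reason: 'token rejected by siteverify' };
  }
  // The domain list in the console restricts where the site key works; the
  // hostname field lets the server confirm which registered site issued
  // this particular token, so a key shared across projects cannot be reused.
  if (!allowedHostnames.has(result.hostname)) {
    return { ok: false, reason: `hostname ${result.hostname} not allowed` };
  }
  // A token minted for a different action (e.g. a login page) must not be
  // accepted for this endpoint.
  if (result.action !== expectedAction) {
    return { ok: false, reason: 'unexpected action' };
  }
  if (typeof result.score !== 'number' || result.score < minScore) {
    return { ok: false, reason: 'score below threshold' };
  }
  return { ok: true, reason: 'ok' };
}

// Network half: exchange the client's token for a verdict. Tokens are
// short-lived and single-use, so this is done on every request.
async function verifyRecaptcha(token, remoteIp) {
  const body = new URLSearchParams({ secret: RECAPTCHA_SECRET, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const resp = await fetch(SITEVERIFY_URL, { method: 'POST', body });
  return evaluateVerification(await resp.json());
}

// HTTP entry point; the function name is an assumption for this example.
async function formHelper(req, res) {
  const token = req.body && req.body.recaptchaToken;
  if (typeof token !== 'string' || token.length === 0) {
    res.status(400).json({ error: 'missing recaptchaToken' });
    return;
  }
  const verdict = await verifyRecaptcha(token, req.ip);
  if (!verdict.ok) {
    res.status(403).json({ error: 'forbidden', reason: verdict.reason });
    return;
  }
  // Placeholder payload; the real function would return the public data
  // the form needs.
  res.status(200).json({ ok: true });
}

if (typeof module !== 'undefined') {
  module.exports = { formHelper, verifyRecaptcha, evaluateVerification };
}
```

On the page side the customer's form calls `grecaptcha.execute(siteKey, { action: 'submit_form' })` and sends the resulting token along with the request; the site key is public, the secret never leaves the function.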