Function's source code is exposed

Is it intentional that you can access the source code of any function on Netlify websites by removing “/.netlify” and adding “.js” to the end?

Like this:

https://example.com/.netlify/functions/hello (function)
https://example.com/functions/hello.js (its source code)

What’s the best way to protect such access?

A function should not be accessible in that way. I think you might have had your function folder inside your publish folder, resulting in your function being deployed. You should ensure that your function folder is not inside your publish folder and let me know if you continue to have issues.

[build]
  functions = "functions"
  publish = "."
  environment = { AWS_LAMBDA_JS_RUNTIME = "nodejs12.x" }

So doing like this is wrong?
If a site doesn’t have a build command, just static files, do I need to put them in a subfolder then?
Is it reflected in docs?

hey @web2033, you can see more about how to correctly configure functions here:

Yes. A repository ultimately bubbles up to a single root folder. If you want to use Functions and have a static site that doesn’t also expose those functions, inherently those two things have to be separate sub-folders in the repository. Most SSGs these days do reflect that (e.g. having a src/ folder, the SSG generates a public/ folder, then all repository meta-configs and things are in the root and you can make a functions folder in the root too) – but you will indeed need to move your static files to a sub-folder and change your publish to be that sub-folder.

I believe all of that is reflected in the docs one way or another but I don’t have specific links for you.


Jon

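The check described in the replies, as an added example that is not part of the thread or Netlify's own tooling: it reads `publish` and `functions` from `netlify.toml` and lists the URL paths at which function source files would be served as static assets. The helper names are hypothetical, the reader only handles double-quoted string values in the `[build]` table, and treating an unset `publish` as the repository root is an assumption.

```python
import re
import tempfile
from pathlib import Path

def build_dirs(toml_text):
    """Read publish/functions from [build] (minimal reader, not a full TOML parser)."""
    section, dirs = None, {}
    for line in toml_text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        kv = re.fullmatch(r'(publish|functions)\s*=\s*"([^"]*)"', line)
        if kv and section == "build":
            dirs[kv.group(1)] = kv.group(2)
    return dirs

def exposed_function_sources(repo_root):
    """Return URL paths where function source files would be published as static files."""
    root = Path(repo_root).resolve()
    dirs = build_dirs((root / "netlify.toml").read_text())
    if "functions" not in dirs:
        return []
    # Assumption: an unset publish directory means the repository root.
    publish = (root / dirs.get("publish", ".")).resolve()
    functions = (root / dirs["functions"]).resolve()
    if publish != functions and publish not in functions.parents:
        return []  # functions folder sits outside the published tree
    return sorted("/" + f.relative_to(publish).as_posix()
                  for f in functions.rglob("*") if f.is_file())

def make_sample_repo(publish):
    """Constructed sample repo: index.html plus functions/hello.js, as in the thread."""
    root = Path(tempfile.mkdtemp())
    site = root / publish
    site.mkdir(parents=True, exist_ok=True)
    (site / "index.html").write_text("<h1>hi</h1>")
    (root / "functions").mkdir()
    (root / "functions" / "hello.js").write_text("exports.handler = async () => ({})")
    (root / "netlify.toml").write_text(
        f'[build]\n  functions = "functions"\n  publish = "{publish}"\n')
    return root

if __name__ == "__main__":
    print(exposed_function_sources(make_sample_repo(".")))       # config from the thread
    print(exposed_function_sources(make_sample_repo("public")))  # static files moved
```

Run as a CI step, a non-empty result is a reason to fail the build before deploy.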