Restricting Netlify Functions to App only

Hi there,

Is there a way to restrict Netlify Functions only to the app run in Netlify? For example, not have the function URL accessible/callable by the public? I.e. {domain}/.netlify/functions/function-name will be blocked if accessed from the browser, but will be allowed if it’s an API call from the app?

The reason is, I am trying to create an API proxy and have an API service I am trying to pull data from that requires an API key, and I don’t want people to be accessing the data using the {domain}/.netlify/functions/function-name URL.

Thanks,
Chris.

1 Like

Hey @cvv

Yes you can do this. You will want to use the event.httpMethod to block GET requests. An example can be seen here: netlify-functions-workshop/api.js at master · DavidWells/netlify-functions-workshop · GitHub

// Inside the function handler: reject anything that is not a POST
if (event.httpMethod !== 'POST') {
   return {
      statusCode: 500,
      body: "ah ah ah didn't say the magic word"
   }
}

Additionally, if you’d like to authenticate the POST requests you can do so by checking the headers or using Netlify Identity. netlify-functions-workshop/lessons-code-complete/core-concepts/5-authenication at master · DavidWells/netlify-functions-workshop · GitHub

For more on serverless function authentication strategies see: GitHub - DavidWells/serverless-auth-strategies: How to handle authentication with serverless functions

2 Likes
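
The two checks from the answer above combined into one proxy function, as an added example that is not code from the linked repositories. It assumes Netlify Identity is enabled on the site; the upstream URL, the `UPSTREAM_API_KEY` variable name and the Bearer header sent upstream are placeholders. The method check only filters by verb, so the Identity check is the part that limits who can call the function.

```javascript
// Added example, not code from the linked repositories.
// Placeholder upstream endpoint and env var name (constructed for illustration).
const UPSTREAM_URL = 'https://api.example.com/data';
const KEY_ENV = 'UPSTREAM_API_KEY';

// Returns a denial response, or null when the request may proceed.
function authorize(event, context) {
  if (event.httpMethod !== 'POST') {
    return { statusCode: 405, headers: { Allow: 'POST' }, body: 'Method Not Allowed' };
  }
  // Netlify fills clientContext.user only after validating the Identity JWT
  // sent as "Authorization: Bearer <token>"; otherwise it stays unset.
  const user = context && context.clientContext && context.clientContext.user;
  if (!user) {
    return { statusCode: 401, body: 'Unauthorized' };
  }
  return null;
}

// fetchImpl is injectable so the gate can be exercised offline.
function makeHandler(fetchImpl) {
  return async (event, context) => {
    const denied = authorize(event, context);
    if (denied) return denied;
    // The API key stays server-side, read from the function's environment.
    // Assumption: the upstream service accepts the key as a Bearer token.
    const res = await fetchImpl(UPSTREAM_URL, {
      headers: { Authorization: `Bearer ${process.env[KEY_ENV]}` },
    });
    // Pass through status and body only, never upstream headers or the key.
    return { statusCode: res.status, body: await res.text() };
  };
}

// Netlify loads the exported handler; fetch is global on Node 18+.
const handler = makeHandler((url, opts) => fetch(url, opts));
if (typeof module !== 'undefined') module.exports = { handler };
```
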

Thanks David! The authentication method looks like what I’m looking for. I’ll give it a go!

Thanks!

2 Likes

+1 thank you David, really great resources you linked to!

1 Like

Hi there vcamp, we haven’t forgotten about you! Hope to get some more eyes on this soon.