5

What is the best way to stop an attacker from triggering a Cloud Function repeatedly, causing a huge bill or causing the project to run into quota limits?

Some ideas:

Jeff
  • This is a broad discussion-type question without a correct answer for all types of functions. This was in fact discussed today at length in the Firebase Slack, which is a more appropriate place for this sort of question. http://firebase.community/ – Doug Stevenson Sep 21 '17 at 01:29
  • Did you manage to put Firebase functions behind Cloudflare? Thanks! – dowi Jun 28 '20 at 10:05

1 Answer

1

Check my answer here.

Short breakdown of items from my answer:

  1. Limit the type of requests
  2. Authenticate if you can
  3. Check for origin
  4. Use a load balancer in between
  5. Use something like Cloudflare Page Rules

Hope it helps :)

Gowtham
johnozbay
  • Is it possible to limit the number of requests made from a particular IP? My concern is, even if we have authenticated users, anyone can fire off GET requests infinitely, and won't it be a problem on the billing side? – Ayyappa Apr 19 '18 at 02:36
  • @Ayyappa Not directly using Firebase / Cloud Functions to the best of my knowledge. You can however do two things if this is really important for you. 1) Set up a database to log requesting IPs and check the database for every request. 2) Use something like Cloudflare page rules to apply DNS level limitations / control API access etc. Neither of these are ideal, but I guess that's in part a tradeoff of serverless infrastructure. (Until someone makes a native / well-integrated solution that is of course) – johnozbay Apr 19 '18 at 06:36
  • Thank you. Cloudflare is the one I need to explore :) – Ayyappa Apr 20 '18 at 05:09
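
An added example (not code from the answer or from Firebase) of a request guard covering items 1 to 3 of the answer and the log-requesting-IPs idea from the comment above. The `guard` name, the allowed origin, the limits and the in-memory `Map` standing in for the database are assumptions.

```javascript
// Added example: all names, limits and sample values here are assumptions.
const ALLOWED_METHODS = new Set(["POST"]);                     // 1. limit the type of requests
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);  // 3. constructed origin
const WINDOW_MS = 60 * 1000;  // fixed window length
const MAX_PER_WINDOW = 5;     // requests allowed per IP per window

// In-memory stand-in for the database of requesting IPs. Function instances
// do not share memory, so a real deployment needs a shared store here.
const hits = new Map();

// Fixed-window counter: returns true once an IP exceeds MAX_PER_WINDOW.
function overLimit(ip, now) {
  const entry = hits.get(ip);
  if (!entry || now - entry.start >= WINDOW_MS) {
    hits.set(ip, { start: now, count: 1 }); // first hit of a new window
    return false;
  }
  entry.count += 1;
  return entry.count > MAX_PER_WINDOW;
}

// Returns the HTTP status to answer with; 200 means "run the real handler".
// req.ip is assumed to be the client address as set by the platform or proxy.
function guard(req, now = Date.now()) {
  if (!ALLOWED_METHODS.has(req.method)) return 405;
  if (overLimit(req.ip, now)) return 429;
  // Origin is a browser-set header; non-browser clients can send any value.
  if (!ALLOWED_ORIGINS.has(req.headers.origin)) return 403;
  // 2. Presence check only; verifying the token is out of scope for this sketch.
  const auth = req.headers.authorization || "";
  if (!auth.startsWith("Bearer ")) return 401;
  return 200;
}
```

A rejected request has still invoked the function, so this guard only keeps the expensive work behind it from running; items 4 and 5 of the answer are what keep traffic from reaching the function in the first place.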