I made a Google Cloud function, but it returns data even when I type in the URL in an incognito window. How do I make my Google Cloud functions only available for myWebsite.com or localhost?
Check the request headers, although anything can be spoofed. – May 13 '18 at 05:08
1 Answer
This is not possible to fully enforce. When you make an HTTP endpoint, you should expect that it could be accessed from anywhere, and that the access may have headers that do not match what a web browser would normally send.

Doug Stevenson
Aren't cloud functions used to read/write databases? Where is the security? Just hope no one figures out your Cloud Function endpoints? – sdfsdf May 13 '18 at 06:01
You can require that only Firebase authenticated users can access your endpoint, but you have to write some code in the function itself. Or use new "callable" functions. – Doug Stevenson May 13 '18 at 06:09
What if I'm not using Firebase or any other kind of account managing service? (I'm trying to build a website that fetches data from a Google Sheet) – sdfsdf May 13 '18 at 06:13
Then you can expect that your function can be invoked from anywhere by anyone with an internet connection. What you're asking is common for all endpoint hosting services. – Doug Stevenson May 13 '18 at 06:17
https://softwareengineering.stackexchange.com/questions/229859/how-to-avoid-unauthorized-use-of-an-api – Doug Stevenson May 13 '18 at 06:19
Interesting. It's odd why URL restriction for Cloud Functions isn't implemented given that you can with a regular Node server and cors https://www.npmjs.com/package/cors#configuring-cors – sdfsdf May 13 '18 at 06:45
I don't think that's possible because cors is for servers, not cloud functions? – sdfsdf May 13 '18 at 07:56
There are many examples of using cors with Cloud Functions, so use that if it meets your needs. But it won't stop anyone with an internet connection from directly invoking your HTTP endpoint hosted by Cloud Functions. – Doug Stevenson May 13 '18 at 16:41
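
Added example, not part of the original thread or of any poster's code: a sketch of the distinction drawn in the answer and comments above, where a CORS origin allowlist only advises browsers and a credential check written in the function itself is what gates the data. The names `ALLOWED_ORIGINS`, `issueToken`, `verifyToken` and `handler`, the secret, and the HMAC token format are assumptions made for the demo; the token stands in for whatever a real identity provider (such as Firebase Authentication) would issue and verify.

```javascript
const crypto = require('crypto');

// Constructed demo values; a real function would load the secret from its environment.
const SECRET = 'constructed-demo-secret';
const ALLOWED_ORIGINS = new Set(['https://mywebsite.com', 'http://localhost:3000']);

const sign = (payload) =>
  crypto.createHmac('sha256', SECRET).update(payload).digest('hex');

// Hypothetical token format "uid.expiryMs.signature", standing in for a real ID token.
function issueToken(uid, ttlMs, now = Date.now()) {
  const payload = `${uid}.${now + ttlMs}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the uid for a valid, unexpired token, otherwise null.
function verifyToken(token, now = Date.now()) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [uid, expiry, sig] = parts;
  const expected = Buffer.from(sign(`${uid}.${expiry}`));
  const given = Buffer.from(sig);
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  if (!/^\d+$/.test(expiry) || Number(expiry) <= now) return null;
  return uid;
}

// HTTP handler in the (req, res) shape of an Express-style function.
function handler(req, res) {
  const origin = req.headers.origin;
  // CORS only tells browsers which pages may read the response. Any other
  // client can send whatever Origin it likes, so this is not access control.
  if (ALLOWED_ORIGINS.has(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Vary', 'Origin');
  }
  // The credential check is what actually gates the data.
  const match = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  const uid = match ? verifyToken(match[1]) : null;
  if (!uid) {
    res.statusCode = 401;
    return res.end(JSON.stringify({ error: 'unauthenticated' }));
  }
  res.statusCode = 200;
  return res.end(JSON.stringify({ uid, rows: ['constructed', 'sample'] }));
}
```

A request carrying an allowlisted `Origin` but no valid token still gets a 401, while a request with a valid token succeeds regardless of where it came from.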