I have a function that I want to run via HTTP call in a simple script tag, i.e. `<script src="https://server-location.cloudfunctions.net/function-name" />`. I want to make sure that the calls only come from a whitelisted domain, like you can do with cloud storage access requests, for example.

I've seen a couple of suggestions on SO (1 2 3), but they all suggest either a) IAM credentials in the request headers or b) including some security checks in the function itself. These won't work because a) you can't send headers with a script tag and, even if you could, I'd have to store the credentials in the HTML, which is not secure, and b) security checks in the function will not limit the number of calls made to the function, and that's what I want to do (to prevent a horrendous bill).

Is there a way to do this?

crevulus
  • There are ways to configure network settings to control ingress and egress traffic to or from Cloud Functions. They are explained in this [doc](https://cloud.google.com/functions/docs/networking/network-settings#gcloud). You can try to "allow the internal traffic only" with specific [Service perimeter](https://cloud.google.com/vpc-service-controls/docs/service-perimeters). Let me know if this is helpful in your use-case. – mdobrucki Feb 01 '22 at 13:20

1 Answer

You can use an HTTPS Load Balancer with your Cloud Functions in a serverless NEG.

Then you can activate Cloud Armor on your Load balancer and set a custom rule. You can use the request.headers map and filter on the "HOST" key to only accept the requester domain that you want.

guillaume blaquiere
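
One way to script the setup this answer describes, as an added example that is not part of the original answer: a serverless NEG behind a backend service, with a Cloud Armor custom rule on `request.headers['host']` and the default rule switched to deny. Resource names, the region and the allowed value are placeholders, and the load balancer frontend (URL map, target proxy, forwarding rule) is assumed to exist already.

```shell
#!/bin/sh
# Added example. Dry run by default: commands are printed, and only executed
# when APPLY=1. Every resource name below is a placeholder (assumption).
set -eu
export LC_ALL=C

REGION="${REGION:-us-central1}"
FUNCTION="${FUNCTION:-function-name}"
NEG="${NEG:-fn-neg}"
BACKEND="${BACKEND:-fn-backend}"
POLICY="${POLICY:-fn-allowlist}"
ALLOWED_HOST="${ALLOWED_HOST:-www.example.com}"

# Build the Cloud Armor rule expression: exact, case-insensitive header match.
# Rejects empty values and anything outside [a-z0-9.-], so a stray quote
# cannot change the meaning of the expression.
armor_expr() {  # $1 = header name, $2 = allowed value (lower case)
  case "$2" in ''|*[!a-z0-9.-]*) return 1 ;; esac
  printf "request.headers['%s'].lower() == '%s'" "$1" "$2"
}

run() {  # print the command (unquoted, for reading); execute only if APPLY=1
  printf '%s\n' "$*"
  if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

plan() {
  expr_host="$(armor_expr host "$ALLOWED_HOST")" || return 1
  # Serverless NEG for the function, attached to a global backend service.
  run gcloud compute network-endpoint-groups create "$NEG" --region="$REGION" \
    --network-endpoint-type=serverless --cloud-function-name="$FUNCTION"
  run gcloud compute backend-services create "$BACKEND" --global \
    --load-balancing-scheme=EXTERNAL_MANAGED
  run gcloud compute backend-services add-backend "$BACKEND" --global \
    --network-endpoint-group="$NEG" --network-endpoint-group-region="$REGION"
  # Policy: allow the matching header, switch the default rule to deny.
  run gcloud compute security-policies create "$POLICY"
  run gcloud compute security-policies rules create 1000 \
    --security-policy="$POLICY" --expression="$expr_host" --action=allow
  run gcloud compute security-policies rules update 2147483647 \
    --security-policy="$POLICY" --action=deny-403
  run gcloud compute backend-services update "$BACKEND" --global \
    --security-policy="$POLICY"
  # The function's own cloudfunctions.net URL bypasses the load balancer unless
  # its ingress setting is limited to internal traffic and Cloud Load Balancing.
}

plan
```

Request headers are supplied by the client, so a header rule filters out casual traffic at the edge rather than authenticating the caller.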