How to make the URL from API Gateway to AWS Lambda available only from a certain domain
Question
I have the following configuration of a serverless application: Route53, CloudFront, S3 bucket, API Gateway, Lambda. The frontend makes a call to the Lambda function via the API. Accordingly, the URL from the API is practically freely available. An attacker can get it and call the Lambda function directly many times. How do I make the URL from the API that triggers the Lambda accessible only when the call comes from a particular domain? That is, I need to configure API Gateway so that it responds only to a specific Origin header. How do I do that?
Answer
The solution turned out to be quite simple. In the Request Method of my API, I added Request Validator -> "Validate query string parameters and headers", and an HTTP Request Header "Origin" in which I specified the required domain (https://example.com).

I also did Enable CORS, added "Origin" to Access-Control-Allow-Headers, and specified https://example.com for Access-Control-Allow-Origin. And when I called the API from the client, I passed Access-Control-Request-Headers: Origin (although maybe it was not necessary).

As a result: the API that calls the Lambda function, when called directly (from the browser or using curl), produces: {"message": "Missing required request parameters: [Origin]"}. When called from another, not allowed domain, it gives: "The 'Access-Control-Allow-Origin' header has a value https://example.com that is not equal to the supplied origin". But when called from https://example.com, the API is triggered and the Lambda function is started, which was what was required.
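As an added illustration (constructed example code, not anything from the question, the answer or AWS), the Python model below reproduces the two checks the answer combines: the gateway-side required-header validator that yields the "Missing required request parameters: [Origin]" response, and the browser-side CORS comparison that yields the "not equal to the supplied origin" error. The allowed domain https://example.com is the one from the answer; the enforce_origin_value flag, the invoke_lambda_stub function and the invocation counter are assumptions added to make one point visible: with a presence-only validator, a request carrying some other Origin still reaches the Lambda integration and only the browser refuses to hand the page the response, whereas a value check against an allowlist (done in a Lambda authorizer or in the function itself, since the validator only tests presence) rejects it before the function runs.

```python
import json
from dataclasses import dataclass, field

# Assumptions for this constructed model (not AWS code):
ALLOWED_ORIGINS = {"https://example.com"}   # the domain used in the answer
REQUIRED_HEADERS = ("Origin",)              # "HTTP Request Header - Origin", marked required

# Counts how often the (stubbed) Lambda integration actually ran.
lambda_invocations = 0


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def get_header(headers, name):
    """Case-insensitive header lookup, as HTTP requires."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def validate_required_headers(headers):
    """Models 'Validate query string parameters and headers': every required
    header must be present. Its value is not inspected at this stage."""
    missing = [h for h in REQUIRED_HEADERS if get_header(headers, h) is None]
    if not missing:
        return None
    body = {"message": "Missing required request parameters: [%s]" % ", ".join(missing)}
    return Response(400, {"Content-Type": "application/json"}, json.dumps(body))


def cors_headers():
    """Models 'Enable CORS' with one fixed allowed origin, as in the answer."""
    return {
        "Access-Control-Allow-Origin": "https://example.com",
        "Access-Control-Allow-Headers": "Content-Type,Origin",
        "Access-Control-Allow-Methods": "GET,OPTIONS",
    }


def invoke_lambda_stub(origin):
    """Stand-in for the Lambda integration (assumption); only counts calls."""
    global lambda_invocations
    lambda_invocations += 1
    return {"ok": True, "seen_origin": origin}


def invocation_count():
    return lambda_invocations


def reset_counter():
    global lambda_invocations
    lambda_invocations = 0


def handle_request(method, headers, enforce_origin_value=False):
    """Gateway front door.

    enforce_origin_value=False reproduces the answer's setup: Origin must be
    present, any value passes, and the browser's CORS check decides whether
    the calling page may read the response.
    enforce_origin_value=True adds a value check against ALLOWED_ORIGINS before
    the integration runs (assumption: done in an authorizer or the function).
    """
    if method == "OPTIONS":
        # CORS preflight answered by the gateway itself; the integration does not run.
        return Response(204, cors_headers())
    error = validate_required_headers(headers)
    if error is not None:
        return error
    origin = get_header(headers, "Origin")
    if enforce_origin_value and origin not in ALLOWED_ORIGINS:
        return Response(403, {"Content-Type": "application/json"},
                        json.dumps({"message": "Forbidden"}))
    return Response(200, cors_headers(), json.dumps(invoke_lambda_stub(origin)))


def browser_can_read(response, page_origin):
    """The check a browser applies to a cross-origin response: the
    Access-Control-Allow-Origin value must equal the page's origin (or be '*')."""
    acao = response.headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


if __name__ == "__main__":
    # Constructed requests: direct curl-style call, a page on another origin,
    # and a page on the allowed origin.
    for label, hdrs in [("no Origin", {}),
                        ("other origin", {"Origin": "https://other.example"}),
                        ("allowed origin", {"Origin": "https://example.com"})]:
        resp = handle_request("GET", hdrs)
        print(label, resp.status, resp.body, "invocations so far:", invocation_count())
```

Running the block prints the three constructed cases; the counter is the thing to watch. The Origin header is supplied by the client, so this configuration is best treated as a CORS and accidental-misuse control; if the real concern is bulk invocation of the function, pair it with API Gateway throttling, a usage plan or a Lambda authorizer, and alert on invocation counts from CloudWatch.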