On limiting serverless functions with Gatsby Cloud

[kelvindecosta]

Hey everyone!

I have gone through the documentation regarding Functions with Gatsby Cloud.
I'm relatively new to serverless functions and I have a few security concerns:

• Is it possible to limit the invocation of these functions?

  The standard tier is quite generous with 25k invocations.
  Still, I want to prevent an "attacker" from making mass requests.

• Is it possible to cache serverless function responses?

  Assuming a user requests for /api/hello-world, can the response be cached?
  This would prevent multiple requests for the same unchanging response.

• Is it possible to ensure that requests are made only from within the main site?

  Assuming a clever attacker discovers the API endpoint, say /api/function,
  is it possible to ignore requests made directly to this endpoint or accept only those sent by the main website's source code?
  I'm not entirely sure if this idea has anything to do with CORS middleware or authentication headers.

I have a feeling that these concerns might be trivial to the more experienced developer.
Any guidance is appreciated!

Thank you!

[mlgualtieri]

This is a really great question, thanks for asking!

Is it possible to limit the invocation of these functions?

First off, you should determine if this is in your threat model. If you don't expect this to be an issue then I wouldn't think too much about it.

That said, the solution to the problem is a combination of authentication and rate limiting. You essentially need to track the state of valid user connections and ensure that not too many are being processed.

A hypothetical scenario could work like this:

• The user authenticates into your application and is given a JTW.
• You pass this JWT to the Gatsby Function to ensure it's a valid user connection
• You could also track on the backend (in a database or some other way) the connections coming into the function
• If the user reaches some threshold you could artificially slow down the processing of the function or dump them out with an HTTP error code (e.g. an HTTP 429 - Too Many Requests).

All that said, you may see one flaw in the above. What if a user just keeps flooding connections to the function and doesn't care how long they take to process? That's certainly an issue, and one that would require additional infrastructure in place (like a Web Application Firewall) to analyze the traffic and shut it down. It may not be feasible to architect such a solution in your case, but we are also here to help. If you feel like your function in the Gatsby Cloud is being abused, please contact support and let us know.

Is it possible to cache serverless function responses?

I don't believe there is a built in way to cache serverless function responses, but you could certainly build something into your application. For example, you could return your serverless response with a timestamp field, then build logic in client-side to not retrieve a response until the cached response has met your threshold. This is a great way to handle accidental client-side calls to a function, like if a user hits a button two times in a row. It won't protect against abuse, but it will help limit valid activity within your application.

Is it possible to ensure that requests are made only from within the main site?

You hit the nail on the head; the answer is CORS. You can set Access-Control-Allow-Origin headers within your Gatsby Function to ensure that you are only replying to calls from a valid endpoint. You could do this like so, for example, if you only wanted to accept connections from gatsbyjs.com:

res.setHeader(Access-Control-Allow-Origin, https://gatsbyjs.com`);`

[KyleAMathews]

On caching & functions, see this doc https://support.gatsbyjs.com/hc/en-us/articles/1500009143521-Deploying-Functions-on-Gatsby-Cloud

[kelvindecosta]

Thank you @mlgualtieri for such a detailed response!

I think I have a much better understanding about functions from a security perspective!

Also, thank you @KyleAMathews for the reference to caching.