How to restrict a Lambda function to respond only to specific origins?
I want to restrict my Lambda function (created with the Serverless Framework tool) to accept requests only from abc.com and def.com. It should reject all other requests. How can I do this? I tried setting access control origins like this:
    cors: true
    response:
      headers:
        Access-Control-Allow-Origin: "'beta.leafycode.com leafycode.com'"
and like this in the handler:
    headers: {
      "Access-Control-Allow-Origin" : "beta.leafycode.com leafycode.com"
    },
but nothing worked. Any idea why?

The issue with your code is that Access-Control-Allow-Origin doesn't accept multiple domains.
From this answer:
Sounds like the recommended way to do it is to have your server read the Origin header from the client, compare that to the list of domains you'd like to allow, and if it matches, echo the value of the Origin header back to the client as the Access-Control-Allow-Origin header in the response.
So, when writing support for the OPTIONS verb, which is the verb where the browser will preflight a request to see if CORS is supported, you need to write your Lambda code to inspect the event object to see the domain of the client and dynamically set the corresponding Access-Control-Allow-Origin with the domain.
In your question, you have used a CORS configuration for two different types: Lambda and Lambda-Proxy. I recommend that you use the second option, so you will be able to set the domain dynamically.
    headers: {
      "Access-Control-Allow-Origin" : myDomainValue
    },
See more about CORS configuration in the Serverless Framework here.