Restricting Access to Netlify Functions

I’m working on a Netlify function that will act as a proxy server for a client app that needs to access their Brightcove videos. Brightcove’s API requires a proxy to access it (here’s an example: GitHub - BrightcoveLearning/sample-proxy-apps). This seems like a pretty common and well-supported use case for lambda functions (see: GitHub - depadiernos/token-hider-inator: A token/key obscuring function for API calls using Netlify functions).

However, every example I’ve found acts as a public proxy, which is not what we want at all. We want to restrict access to the proxy to only the client app. I thought I should be able to do this with the Access-Control-Allow-Origin header, but this demo function I created doesn’t seem to work the way I’d expect. I would think this would block access to anything but a page on https://example.com, but when I visit the function in my browser, I can see the result just fine.

What am I missing?

    // Netlify function entry point
    exports.handler = async (event, context) => {
      console.log(event, context);
      return {
        statusCode: 200,
        headers: {
          "Access-Control-Allow-Origin": "https://example.com",
        },
        body: "Hello from the restricted function!",
      };
    };

Deployed at: https://baptist-contentstack.netlify.com/.netlify/functions/hello_restricted


Welcome to our Netlify community site, @scott-cloud-four. Would our signed proxy redirects meet the requirements here?