How to make the url from APIGateway to AWS Lambda was available only from a certain domain


I have such a configuration of a serverless application: Route53, CloudFront, S3Bucket, APIGateway, Lambda. The frontend makes a call to the Lambda function via the API. Accordingly, the URL from the API is practically freely available. An attacker can get it and call many times the Lambda function directly. How to Make, URL from API causing Lambda accessible only in case of a call from a particular domain? That is, I need to configure the APIGateway so that it responds only to a specific Origin header. How to do it? <a href="https://i.stack.imgur.com/zH2N9.png" rel="nofollow"><img alt="enter image description here" class="b-lazy" data-src="https://i.stack.imgur.com/zH2N9.png" data-original="https://i.stack.imgur.com/zH2N9.png" src="https://etrip.eimg.top/images/2019/05/07/timg.gif" /></a>


Sounds like what you want is a <a href="https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html" rel="nofollow">Custom Authorizer</a>. You create an aws lambda that checks the appropriate headers and then allow/reject the request. The result is then cached as well.

However, you'll want to setup some sort of authentication like AWS Cognito as well to verify who is calling your API.


The solution turned out to be quite simple. In the Request Method of my API, I added Request Validator -> Validate query string parameters and headers, and HTTP Request Header - "Origin" in which I specified the required domain (https://example.com). Also did Enable CORS and added "Origin" to Access-Control-Allow-Headers, and Access-Control-Allow-Origin specified``https://example.com And when I called the API from the client, I passed Access-Control-Request-Headers: Origin (although maybe it was not necessary). As a result: the API that calls the Lambda function, when called directly (from the browser or using curl) produces: {"message": "Missing required request parameters: [Origin]"}. When called from another, not allowed domain, it gives: "The 'Access-Control-Allow-Origin' header has a value https://example.com that is not equal to the supplied origin". But when called from https: //example.com API is triggered and the Lambda function is started, which was required.


  • Forcing TLS 1.1 or higher on node.js
  • Possible to use a circle pack layout in d3.js with fixed circle sizes?
  • How to hide combobox toggle button if there is only one item?
  • Why is there a build.gradle and a build.sbt in play framework?
  • R: Easy assignments with empty square brackets? x[]
  • Sorting a listview using jQuery?
  • javascript window.location do I need to escape?
  • Unable to sort the JTable by Date
  • composer self-update TransportException
  • unable to render .html via spring security while .jsp works fine
  • Where does the member variable inside a class allocated?
  • Check if Timer is running
  • Eager Loading with Pagination
  • Downloading articles from multiple urls with newspaper
  • JSON printing all paths from root to leaf
  • No perfect way to detect device orientation on iPad?
  • Reuse jQuery object from an iframe?
  • What is declare var in Node.js?
  • Is js executed after form synchronized submit
  • Accessing parent namespace inside a Shiny Module
  • How to read contents of a directory recursively in Linux Kernel?
  • Joining across databases with dbplyr
  • MVC3 Extension for ValidatorMessage
  • Adding Dynamic Row and Data on Checkbox Click
  • Issue with Terrain Collision using Three.js
  • Find all parks for a given zipcode with google maps
  • Java Collections.shuffle() weird behaviour [closed]
  • Magento-Change Attribute of All Products
  • Is there a better way for handling SpatialPolygons that cross the antimeridian (date line)?
  • How to call jQuery function in HTML returned by AJAX
  • how to snap two objects in runtime in unity?
  • How do I add a mouse over tooltip to an Image using .DrawImage()
  • Another “Cannot make static reference…” Question
  • How to warp text around image in iOS?
  • Jersey serializes character value to ASCII equivalent numeric string
  • How to mutate multiple variables without repeating codes?
  • Simple stitching in c++ using opencv