I currently have a website hosted on Pages, a Cloudflare service that is used to host frontend websites. This service does not allow me to execute code in the backend.
I am currently trying to implement a contact form and need to receive the messages on my personal email when someone fills out the form and submits it. To do this, I have created a lambda function on AWS and exposed it through an HTTPS URL.
The JavaScript on my frontend sends an HTTPS post request to the lambda function with the message, and this lambda function publishes the message to a SNS topic where my email is subscribed.
In the lambda function, I have set CORS to only accept HTTPS requests from my domain name. However, an attacker could potentially fake the headers of the HTTPS request, obtain the lambda URL from the source code of my website, and start calling the lambda function.
What can I do to secure the lambda function and ensure that it only accepts HTTPS requests made by the frontend of my website?
Thanks!
I have been considering moving my frontend to a serverless service like AWS Amplify, but I am not sure how to secure the calls to my lambdas since the JavaScript on my website in the user's browser is making the calls.
You can't.
HTTP is a stateless protocol. Similarly, you can't do this for any other web service (Lambda or not).
JavaScript applications run in the client's browser, so any user can inspect your application, search for any hard-coded keys, and use those to craft an API request using curl, or an HTTP library in any programming language. Clients are insecure by design.
If you want to protect your Lambda Function against unauthorized API calls, you'll need to Authenticate and Authorize your Users (here's a primer). This means you'll need to implement User Create/Login/Logout, issue cookies, and authenticate & authorize each request.
In Lambda specifically, this can be done with AWS Cognito, Auth0, or others combined with API Gateway, using a Lambda Authorizer - or implemented directly in your function.
Identity & Access Management is an entire sub-discipline in web application development, so there's a lot to learn here. I'd suggest starting with any popular library in the language of your choice, and learning from there.
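Worked illustration of the two points above, as an added example that is not part of the original question or answer: the Origin-header check the question relies on is accepted for a request that any HTTP client can forge, while a handler that authenticates each request with a signed bearer token rejects it. The token is an HS256 JWT verified with the standard library only; the secret, the allowed origin, the SNS stub and the sample events are all constructed here, and issuing the token presupposes the login flow the answer describes (Cognito, Auth0 or your own). The event shape is that of a Lambda Function URL / API Gateway HTTP API payload 2.0, where header names arrive lowercased.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumptions for the example: in a real deployment the secret would come from an
# environment variable or Secrets Manager, and ALLOWED_ORIGIN would be your site.
SECRET = b"example-hs256-secret-not-for-production"
ALLOWED_ORIGIN = "https://example.com"

SENT_MESSAGES = []  # stands in for the SNS topic so the example runs offline


def publish_to_sns(message):
    """Stub for boto3 sns.publish(); records the message instead of sending it."""
    SENT_MESSAGES.append(message)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl=3600, now=None, secret=SECRET):
    """Mint an HS256 JWT once a user has logged in (the login flow itself is out of scope)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps({"sub": subject, "iat": now, "exp": now + ttl},
                                       separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token, now=None, secret=SECRET):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm: rejects alg=none and confusion tricks
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(b64url_decode(payload_b64))
        now = int(time.time()) if now is None else now
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):  # malformed base64/JSON/structure
        return None


def function_url_event(headers, body):
    """Constructed Lambda Function URL (payload 2.0) event; header names are lowercased as AWS does."""
    return {"version": "2.0", "headers": {k.lower(): v for k, v in headers.items()},
            "requestContext": {"http": {"method": "POST"}}, "body": body, "isBase64Encoded": False}


def origin_only_handler(event, context=None):
    """The check the question relies on: trust the Origin header. curl can set it to anything."""
    if event.get("headers", {}).get("origin") != ALLOWED_ORIGIN:
        return {"statusCode": 403, "body": "forbidden"}
    publish_to_sns(event.get("body", ""))
    return {"statusCode": 200, "body": "sent"}


def authenticated_handler(event, context=None, now=None):
    """Authenticate each request: a valid bearer token is required; Origin is not consulted."""
    scheme, _, token = event.get("headers", {}).get("authorization", "").partition(" ")
    claims = verify_token(token, now=now) if scheme.lower() == "bearer" else None
    if claims is None:
        return {"statusCode": 401, "body": "unauthorized"}
    publish_to_sns(f"from {claims['sub']}: {event.get('body', '')}")
    return {"statusCode": 200, "body": "sent"}


if __name__ == "__main__":
    forged = function_url_event({"Origin": ALLOWED_ORIGIN}, "spam sent with curl")
    print(origin_only_handler(forged))    # accepted: the forged Origin passes the CORS-style check
    print(authenticated_handler(forged))  # rejected: no token
    token = issue_token("alice")
    print(authenticated_handler(function_url_event({"Authorization": "Bearer " + token}, "hello")))
```

The handler pins the algorithm, compares signatures in constant time and checks expiry, which is the minimum a hand-rolled verifier needs; in practice you would let Cognito or Auth0 issue the tokens and verify them with their published keys rather than a shared secret, and note that this only protects the contact form once visitors have an account to log in to, which is exactly the trade-off the answer points at.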