Tags: amazon-web-services, aws-lambda, aws-api-gateway

Is there any way to protect an api endpoint that is supposed to be publicly accessible?


I am building a website using ReactJS and AWS Lambda + API Gateway. All of my site's API endpoints are secured by requiring the user to authenticate using Auth0. I also have Lambda authorisers for my API Gateway to validate the bearer token (let's call it SET1).

Now, I am building a "Contact Us" page where a user should be able to fill in a form and submit it WITHOUT being logged into the site. And I am capturing that data into a DynamoDB table using a new set of API Gateway and Lambda function (let's call it SET2).

I was trying to develop a Lambda authoriser which will check a few things, i.e. request origin, referrer, etc. But since these request headers can be spoofed, I was wondering whether there is any way to protect this SET2 endpoint?

PS: In case you think my approach for the "Contact Us" page is wrong, would you please advise a better approach to doing it, keeping in mind that the user DOES NOT need to log in to use this feature?

Any suggestions/guidance are highly appreciated.


Solution

  • This is quite a common scenario, especially with contact forms.

    The way this is typically handled is by using CSRF tokens and reCaptcha. Neither is specific to AWS itself; they are general mechanisms with which you can protect your endpoints.

    reCaptcha or a similar mechanism is what can actually protect it. It is not bulletproof, but it will prevent the majority of spam if you set the threshold properly. Cloudflare also has their own alternative to this: Turnstile ( https://www.cloudflare.com/products/turnstile/ ). That's what you commonly see on websites as the "I'm not a robot" checkbox. If reCaptcha/Turnstile suspects it's a malicious user, it will ask them to perform certain challenges: find the squares in a picture that contain a certain item, type the letters from a blurry image shown, etc.

    CSRF tokens have a bit of a different purpose (so that another website can't craft requests on the user's behalf), but if the token can't be reused and is rotating, it will stop somebody from simply spamming your endpoint without even accessing the form.

    ===================

    Please note that neither of these adds extra "security" - your endpoint is still publicly accessible. It'll just be hard for somebody to spam it with automated scripts.
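The two mechanisms the answer describes, put together in one Lambda for the SET2 endpoint. This is an added example, not code from the question or the answer. It assumes the React page first calls a token-issuing endpoint (issue_form_token), then POSTs the form with that token and the Turnstile/reCAPTCHA response in a JSON body; that the HMAC key and captcha secret come from environment variables (FORM_TOKEN_KEY and TURNSTILE_SECRET are made-up names); and that the "used nonce" store, which is an in-memory set here so the file runs offline, would in production be a DynamoDB table written with a conditional PutItem and a TTL attribute. The checks sit in the form handler rather than in a Lambda authoriser because a REQUEST authoriser sees headers and the query string but not the JSON body carrying the tokens.

```python
"""Contact-form Lambda for the SET2 endpoint: rotating single-use form token
plus a Turnstile/reCAPTCHA siteverify check. Added example, not code from the
original post; see the lead-in for what it assumes."""
import base64, hashlib, hmac, json, os, secrets, time
import urllib.parse, urllib.request
from typing import Optional

# Turnstile's verify endpoint (reCAPTCHA's siteverify takes the same fields).
VERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
TOKEN_TTL_SECONDS = 600   # a form token is valid for 10 minutes
_used_nonces = set()      # assumption: stands in for a DynamoDB table with TTL


def issue_form_token(key: bytes, now: Optional[float] = None) -> str:
    """Signed, expiring, one-time token: b64(nonce.exp) + "." + b64(hmac)."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    payload = f"{secrets.token_hex(16)}.{exp}".encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_form_token(key: bytes, token: str, now: Optional[float] = None):
    """Return (ok, reason, nonce). Signature and expiry only; single use is
    enforced by claim_nonce() once every other check has passed."""
    now = now if now is not None else time.time()
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        nonce, exp_str = payload.decode().split(".")
        exp = int(exp_str)
    except ValueError:  # bad base64, bad unpacking, non-UTF-8, non-integer exp
        return False, "malformed", None
    if not hmac.compare_digest(sig, hmac.new(key, payload, hashlib.sha256).digest()):
        return False, "bad_signature", None   # constant-time comparison
    if now > exp:
        return False, "expired", None
    return True, "ok", nonce


def claim_nonce(nonce: str) -> bool:
    """Mark nonce used; False on replay. Production: DynamoDB PutItem with
    ConditionExpression attribute_not_exists(nonce) so concurrent replays lose."""
    if nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)
    return True


def _https_post_form(url: str, form: dict) -> dict:
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_captcha(secret: str, response_token: str, remote_ip: Optional[str] = None,
                   min_score: float = 0.5, post=_https_post_form) -> bool:
    """Server-side siteverify. `post` is injectable so the logic runs offline.
    Turnstile returns only `success`; reCAPTCHA v3 adds a `score`, compared
    against min_score when present (the threshold the answer mentions)."""
    if not response_token:
        return False
    form = {"secret": secret, "response": response_token}
    if remote_ip:
        form["remoteip"] = remote_ip
    result = post(VERIFY_URL, form)
    if not result.get("success"):
        return False
    score = result.get("score")
    return score is None or float(score) >= min_score


def _response(status: int, payload: dict) -> dict:
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(payload)}


def contact_handler(event: dict, key: bytes, captcha_secret: str,
                    post=_https_post_form, now: Optional[float] = None) -> dict:
    """API Gateway proxy handler for POST /contact. Order: cheap local token
    check, then the siteverify round trip, then consume the nonce."""
    try:
        body = json.loads(event.get("body") or "{}")
    except json.JSONDecodeError:
        return _response(400, {"error": "invalid json"})
    ok, reason, nonce = verify_form_token(key, str(body.get("form_token", "")), now)
    if not ok:
        return _response(403, {"error": f"form token {reason}"})
    ip = event.get("requestContext", {}).get("identity", {}).get("sourceIp")
    if not verify_captcha(captcha_secret, str(body.get("captcha_token", "")), ip, post=post):
        return _response(403, {"error": "captcha failed"})
    if not claim_nonce(nonce):  # consume the token only after every check passed
        return _response(403, {"error": "form token replayed"})
    # A real handler validates name/email/message here and PutItems into DynamoDB.
    return _response(200, {"status": "accepted"})


def lambda_handler(event, context):
    """Deployment entry point; the environment variable names are assumptions."""
    return contact_handler(event, os.environ["FORM_TOKEN_KEY"].encode(), os.environ["TURNSTILE_SECRET"])
```

The token is stateless (HMAC over nonce and expiry), so the issuing Lambda needs no storage; only the "already used" check needs a shared store, and doing that check last means a failed captcha does not burn a token the browser would otherwise have to refetch. As the answer says, none of this makes the endpoint private: it only raises the cost of scripting against it.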