Security in BFF
Answered
MateoB posted this in #help-forum
MateoB (OP)
Hello, I need some help with security in my application. I don't know much about it, so that's why I ask for help.
The thing is that I have a cloud function that needs to be triggered by the backend, I'm using a BFF. But the problem is that anyone can call the BFF from outside, and you'll say well, use CORS and you're done. But I thought that CORS can be bypassed with a cross-origin attack, right?
I need to call the BFF only from my application, that's it.
Answered by joulev
The default CORS policy of the browser should already be enough to prevent other frontends from using your backend, no actions needed.
It doesn't prevent other websites from making a server-side proxy to your backend though. To prevent that you're gonna need IP-based rate limiting.
8 Replies
@MateoB Hello, I need some help with security in my application. I don't know much about it, so that's why I ask for help.
The thing is that I have a cloud function that needs to be triggered by the backend, I'm using a BFF. But the problem is that anyone can call the BFF from outside, and you'll say well, use CORS and you're done. But I thought that CORS can be bypassed with a cross-origin attack, right?
I need to call the BFF only from my application, that's it.
Forest bachac
Your backend should never trust client data, and should always validate it.
The client can always send bad data.
MateoB (OP)
But consider that: how can I implement that security?
@Forest bachac Your backend should never trust client data, and should always validate it.
MateoB (OP)
Yes, I mean, that's what I don't want: to trust client data.
@MateoB Hello, I need some help with security in my application. I don't know much about it, so that's why I ask for help.
The thing is that I have a cloud function that needs to be triggered by the backend, I'm using a BFF. But the problem is that anyone can call the BFF from outside, and you'll say well, use cors and you're done. But I thought that CORS can be bypassed with a cross-origin attack, right?
I need to call the BFF only from my application, that's it.
if you want to prevent others from using your backend, [it's impossible](https://nextjs-forum.com/post/1245757918788190233#message-1245762152065667143)
@joulev if you want to prevent others from using your backend, [it's impossible](https://discord.com/channels/752553802359505017/1245757918788190233/1245762152065667143)
MateoB (OP)
That's what I think, so using CORS is sufficient, right?
@MateoB That's what I think, so using CORS is sufficient, right?
The default CORS policy of the browser should already be enough to prevent other frontends from using your backend, no actions needed.
It doesn't prevent other websites from making a server-side proxy to your backend though. To prevent that you're gonna need IP-based rate limiting.
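The two server-side controls the thread lands on, IP-based rate limiting (joulev's answer) and validating client data before it reaches the cloud function (Forest bachac's reply), as one added example. This is not code from the thread, from Next.js or from any library; it is a framework-free handler whose shape mirrors a BFF route. It assumes the BFF sits behind a reverse proxy you control that sets `x-forwarded-for` (otherwise `trustProxy` must be false, or any caller can pick its own IP and defeat the limiter), that a single process serves the route (a shared store such as Redis is needed across instances), and the body fields `jobId` and `priority` are hypothetical. CORS is enforced by the browser, so a server-side proxy never sees it; everything below runs on the server and applies to every caller.

```javascript
// Added example (not from the thread): per-IP rate limiting plus request
// validation for a BFF route that triggers a cloud function.
// Assumptions: trusted reverse proxy sets x-forwarded-for; single process;
// the body fields jobId/priority are hypothetical.

const WINDOW_MS = 60_000;  // fixed window of one minute
const MAX_REQUESTS = 30;   // allowed requests per IP per window

// ip -> { windowStart, count }; in-memory, so it is per process only
const buckets = new Map();

function resetLimiter() {
  buckets.clear();
}

// True when the caller is within quota, false once it exceeds MAX_REQUESTS
// in the current window. `now` is injectable so behaviour is testable.
function allowRequest(ip, now = Date.now()) {
  const bucket = buckets.get(ip);
  if (!bucket || now - bucket.windowStart >= WINDOW_MS) {
    buckets.set(ip, { windowStart: now, count: 1 });
    return true;
  }
  bucket.count += 1;
  return bucket.count <= MAX_REQUESTS;
}

// Resolve the client IP. x-forwarded-for is client-controllable unless a
// proxy you control overwrote it, so it is honoured only when trustProxy is set;
// otherwise fall back to the TCP peer address.
function clientIp(headers, socketAddress, trustProxy) {
  const xff = headers["x-forwarded-for"];
  if (trustProxy && typeof xff === "string" && xff.trim() !== "") {
    // leftmost entry is the original client as recorded by the first proxy
    return xff.split(",")[0].trim();
  }
  return socketAddress;
}

// Never trust client data: allow-list the exact shape the cloud function
// expects and reject everything else before it is forwarded.
function validateTriggerBody(body) {
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  const errors = [];
  if (typeof body.jobId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(body.jobId)) {
    errors.push("jobId must be 1-64 characters of [A-Za-z0-9_-]");
  }
  if (!["low", "normal", "high"].includes(body.priority)) {
    errors.push("priority must be one of low, normal, high");
  }
  return errors;
}

// Minimal route handler. `req` carries headers, socketAddress and a parsed body;
// the return value stands in for the HTTP response.
function handleTrigger(req, opts = {}) {
  const trustProxy = opts.trustProxy ?? true;
  const now = opts.now ?? Date.now();

  const ip = clientIp(req.headers ?? {}, req.socketAddress, trustProxy);
  if (!allowRequest(ip, now)) {
    return { status: 429, body: { error: "rate limited" } };
  }

  const errors = validateTriggerBody(req.body);
  if (errors.length > 0) {
    return { status: 400, body: { errors } };
  }

  // Forward only the validated fields, never the raw body, to the cloud function.
  const payload = { jobId: req.body.jobId, priority: req.body.priority };
  return { status: 202, body: { accepted: payload } };
}
```

Run with a stricter `MAX_REQUESTS` for routes that are expensive to serve, and key the limiter on the authenticated user instead of the IP once the BFF has a session, since many legitimate clients can share one egress address.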
MateoB (OP)
Thanks!