Always implement appropriate security measures for API endpoints that perform sensitive operations. This includes:
Verify request authenticity: Ensure requests come from legitimate sources using mechanisms like SDK verification, API keys, or signatures.
Validate HTTP methods: Restrict non-idempotent operations (create/update/delete) to appropriate methods like POST, and reject GET/HEAD requests for these operations.
Example:
exports.handler = async (event) => {
// 1. Verify HTTP method
if (event.httpMethod !== 'POST') {
return {
statusCode: 404,
body: 'Not found'
};
}
// 2. Verify request authenticity
// Using SDK verification or custom validation
const isAuthentic = verifyRequestSignature(event);
if (!isAuthentic) {
return {
statusCode: 401,
body: 'Unauthorized request'
};
}
// Continue with handling the authenticated request
// ...
}
These measures prevent unauthorized access and protect against security exploits where sensitive operations might be triggered unintentionally through link following, bots, or prefetching.
Enter the URL of a public GitHub repository