How to whitelist API requests from only specific Webflow website?


Hi,

I'm trying to figure out how to secure the embedded POST functions on my Webflow website.

Right now, any user is able to see the full endpoint URL and can therefore use it on their own.
Is there a way to whitelist requests only from the authorized Webflow domain, or is there perhaps a way to secure/hide the embedded POST functions?

Thank you in advance, pretty new here!

Answers

  • Ray Deck (Trusted Xano Expert ✭✭✭)

    If the endpoint is unsecured (e.g. no authentication), what you describe becomes a potential point of risk. It's called cross-site resource forgery (CSRF). But you have some options!

    One easy path is to look at the $http_headers variable under “env” to see the source/referrer of the request, along with the user-agent. You can apply some rules of thumb to filter out what you think are not-right requests.

    For a more secure approach, one can implement a CSRF token but that's much more complicated and code-y because it presumes additional endpoints and logic for managing this situation.

    With either of these approaches, you can lock down the endpoint function stack to ensure it doesn't do more or reveal more (e.g. the response) than you want it to.
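As an added illustration of both approaches in the answer above (this is example code, not Xano's or the poster's), here is a server-side Origin/Referer allowlist check plus a minimal HMAC-based CSRF token. The allowed-origin list, the secret key and the session identifier are assumed values you would replace with your own.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit

# Constructed allowlist: the exact origins the Webflow site is served from (assumption).
ALLOWED_ORIGINS = {"https://example-site.webflow.io", "https://www.example.com"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port] so the comparison is exact, not a substring match."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def source_allowed(headers):
    """Rule-of-thumb check on the request headers ($http_headers in Xano terms).
    Browsers send Origin on cross-site POSTs; fall back to Referer when it is absent.
    A request carrying neither header is treated as not coming from the site."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        if name in lowered:
            return origin_of(lowered[name]) in ALLOWED_ORIGINS
    return False


def issue_csrf_token(secret, session_id, now=None):
    """Token = timestamp + HMAC(secret, session_id:timestamp); bound to one session, expires."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_csrf_token(secret, session_id, token, max_age=3600, now=None):
    """Reject malformed, expired, future-dated, tampered or wrong-session tokens."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(now if now is not None else time.time())
    if ts > current or current - ts > max_age:
        return False
    expected = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison
```

The header check only filters casual misuse: a non-browser client can omit or set Origin and Referer freely, which is why the token (or real authentication) is the stronger control.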