Azure functions must be invoked only by public static web app. How to do that?

Question

I have a static web app which is accessible from the internet. This web app can invokes a set of azure functions that cannot be called by anyone except for the static web app.

Answer 1

this is not possible.

the static web app is acting as a proxy to azure function, exposing the azure function end point to the internet. because of the proxy, your static app does not require CORS. this will prevent another browser based javascript app from calling the proxy, but not a desktop/server app.

this is no different than using a screen scrapper to call a web sites backend. your api should validate the user authenication and data. it should never count on being called by the official app, same as a website postback.

Answer 2

Configure CORS (Cross-Origin Resource Sharing). CORS settings control which origins (domains) are allowed to make requests to your Azure Functions. By default, Azure Functions allow requests from any origin. To restrict it to your static web app, configure CORS settings. In your Azure Functions app, navigate to the “Platform features” section and select “CORS”. Add the origin (URL) of your static web app to the allowed list. For example, if your web app is hosted at https://mywebapp.azurestaticapps.net, add this URL. Save the changes.