Azure functions must be invoked only by a public static web app. How to do that?

giulio francesca 20 Reputation points
2024-05-31T17:19:44.03+00:00

I have a static web app which is accessible from the internet. This web app can invoke a set of azure functions that cannot be called by anyone except for the static web app.


Accepted answer
  1. Bruce (SqlWork.com) 78,161 Reputation points Volunteer Moderator
    2024-05-31T20:31:09.8733333+00:00

    this is not possible.

    the static web app is acting as a proxy to azure function, exposing the azure function end point to the internet. because of the proxy, your static app does not require CORS. this will prevent another browser based javascript app from calling the proxy, but not a desktop/server app.

    this is no different than using a screen scraper to call a web site's backend. your api should validate the user authentication and data. it should never count on being called by the official app, same as a website postback.

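The accepted answer's advice (authorize on the validated user and data, not on who appears to be calling), as an added example that is not part of the thread. It assumes the function is reached through the Static Web Apps proxy, which supplies the `x-ms-client-principal` header for signed-in users; `handleOrder`, the `orders.write` role and the sample requests are hypothetical.

```javascript
// Authorize on the caller's validated identity, never on Origin/Referer.
// Assumption: requests arrive via the Static Web Apps proxy, which sets
// x-ms-client-principal (base64 JSON) for signed-in users.
const REQUIRED_ROLE = "orders.write"; // hypothetical custom role

// Decode the principal header; return null when it is absent or malformed.
function parseClientPrincipal(headers) {
  const raw = headers["x-ms-client-principal"];
  if (typeof raw !== "string" || raw.length === 0) return null;
  try {
    const p = JSON.parse(Buffer.from(raw, "base64").toString("utf8"));
    if (!p || typeof p.userId !== "string" || !Array.isArray(p.userRoles)) return null;
    return p;
  } catch {
    return null;
  }
}

// Hypothetical handler core: returns the response the function would send.
function handleOrder(req) {
  // req.headers.origin is ignored on purpose: non-browser clients set it freely.
  const principal = parseClientPrincipal(req.headers);
  if (!principal) return { status: 401 };
  if (!principal.userRoles.includes(REQUIRED_ROLE)) return { status: 403 };
  // Validate the data as well as the user.
  const qty = req.body ? req.body.quantity : undefined;
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) return { status: 400 };
  return { status: 200, userId: principal.userId };
}

// Constructed sample requests (not real traffic).
const encode = (o) => Buffer.from(JSON.stringify(o)).toString("base64");
const origin = "https://mywebapp.azurestaticapps.net";
const principalHeader = (roles) => encode({
  identityProvider: "aad", userId: "u-123",
  userDetails: "user@example.com", userRoles: roles,
});
const hdr = (roles) => ({ origin, "x-ms-client-principal": principalHeader(roles) });
const samples = {
  originOnly: { headers: { origin }, body: { quantity: 1 } },
  malformed: { headers: { origin, "x-ms-client-principal": "not-base64-json" }, body: { quantity: 1 } },
  signedInNoRole: { headers: hdr(["anonymous", "authenticated"]), body: { quantity: 1 } },
  authorized: { headers: hdr(["authenticated", REQUIRED_ROLE]), body: { quantity: 3 } },
  badData: { headers: hdr(["authenticated", REQUIRED_ROLE]), body: { quantity: 1000 } },
};
for (const [name, req] of Object.entries(samples)) console.log(name, handleOrder(req).status);
```

If the function app is also reachable directly rather than only through the proxy, this header can be set by any client and must not be trusted on its own.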

1 additional answer

  1. Gulnaz Mushtaq 410 Reputation points MVP
    2024-05-31T19:39:08.46+00:00

    Configure CORS (Cross-Origin Resource Sharing). CORS settings control which origins (domains) are allowed to make requests to your Azure Functions. By default, Azure Functions allow requests from any origin. To restrict it to your static web app, configure CORS settings. In your Azure Functions app, navigate to the “Platform features” section and select “CORS”. Add the origin (URL) of your static web app to the allowed list. For example, if your web app is hosted at https://mywebapp.azurestaticapps.net, add this URL. Save the changes.

