2
votes

I have a simple web site hosted in Firebase and it is making AJAX calls to REST API endpoints in GCP Cloud Run.

I would like to limit these endpoints only to the calls coming from this site hosted in Firebase. Any call coming from any other origin should not be able to use the endpoints. What is the best way to do this?

When I was not using GCP Cloud Run, I was doing a host check on the API side to make sure that the request was coming from my client, but now with Cloud Run this is not possible. What else could be done?

Please note that the website hosted in Firebase is very simple and does not do any user authentication.

1
Are the REST calls to Cloud Run being executed by the end-user browser for users on the Internet? For example, does a user load a web page from Firebase and that web page contains HTML which references JavaScript which then makes the Ajax call from the browser to Cloud Run? – Kolban
That's right. Via browser, the end user accesses an HTML page hosted on Firebase, and a user action on the page (e.g. a button click) leads to Ajax calls which access the API endpoints in Cloud Run. The JavaScript responsible for the Ajax calls is also hosted on Firebase. – user544799
Why are you setting this constraint? If it's the user's browser which makes the call, it's easy for anybody to change the origin of the request and to bypass your filter. You could spend too much effort on this for nothing more secure! – guillaume blaquiere
Is your browser user authenticated in any other fashion? OAuth or something similar? If not, then things get tricky, as from a Cloud Run perspective your caller will be indistinguishable from any other caller. – Kolban

1 Answer

1
votes

Challenge: Restrict access to a Cloud Run service to a single web application, without relying on:

  • Restricting access to the web application
  • Imposing authentication on users

This difficulty is not specific to Cloud Run. It's a general challenge for static sites backed by APIs, and a reason why many sites have authentication. As mentioned in the question comments, a server-side "host" check is not a meaningful security layer, as everything in the HTTP request can be faked. I strongly recommend you either not worry about keeping your API private, or add user authentication, to keep the system simple and access accountable.

If that's not possible, you can still take the authentication approach by creating a single user, embedding the credentials in the site, and rotating them regularly (by redeploying to Firebase Hosting) to prevent credential theft from giving indefinite access to your API. Having Firebase Auth in the middle is better than a simple API key because it prevents replay attacks from accessing your API.