Hide / Protect Custom Endpoint

Hello, I have an endpoint I deployed to Google Cloud Functions. This endpoint hits a third-party API that I pay for.

How would I prevent a logged in user (I’m using MemberStack) from looking in the network tab on my Webflow website and copying the endpoint information then using it to get around the paywall?

@Donovan_Cotter - without knowing your exact setup my recommendation would be to put a middle layer in that passes data to/from your paid service endpoint. I.e. Webflow sends requests to the middle layer which the user can see, but they would have no visibility beyond that point.

Thanks for the suggestion. Wouldn’t they just be able to call that middleware’s endpoint, which would then call the paid endpoint?

Not a real form of protection; however, most Google Cloud endpoints allow you to restrict requestors to those originating from your site. I’m not aware whether you can do that with a custom endpoint, but I would expect Google to provide something like that.

It adds only a modicum of challenge to a would-be attacker, but every layer helps.

You can’t disable the developer tools in any way. As @memetican said, checking the origin is not a real form of protection, since the origin can be spoofed in a lot of ways. The only thing you could do is to create a short-lived JWT token connected to the Memberstack user ID, plus a rate limiter. By doing that, you can limit calls to your endpoint to only logged-in users with a valid JWT token, and in case of abuse you already know who the attacker is and can revoke the token to prevent further calls to your endpoint. By using a short JWT of 5 minutes you reduce the attack surface by a lot, but at the price of much greater complexity on your server.

Ah, good point. I’ll restrict this. It’ll be good enough for launch until I figure out how to add another layer of protection.


Thanks for the response. I think I’m going to go with @memetican 's solution for now.

I want to go the JWT route but haven’t received a clear answer on how to get the JWT from Memberstack within Webflow. I’m waiting on more answers from both Webflow and Memberstack

Until I figure out the JWT I can just restrict the origin