Jordan Kasper
@jordankasper.com
Technologist, board gamer, nerd.
Depends what you mean by "dev". Between local dev and prod? Sure. But some people use that term for a live (cloud deployed) environment and I'm less certain there should be policy differences here. I just think of all the times a permission issue caused an outage...
November 10, 2025 at 8:29 PM
Honestly? This paper says very little about what they're actually doing to ensure digital sovereignty, imo.
November 3, 2025 at 1:49 PM
And if you click on "Configuration and Usage" on that page, it takes you to a sub-page under "Project Configuration" - but it gets worse, because _that_ page isn't for configuration either! 😑 It has some basic usage stats. At the bottom there's yet another link to take you to the real config area.
October 18, 2025 at 5:20 PM
Took a look at my dashboard, it was the other way around! When on a project, in the sidebar, there's no top-level item for "Functions", but if you go to the "Logs" sidebar item and expand it, there you have "Functions" - which has both the logs AND config...
October 18, 2025 at 5:16 PM
I might be dense, but where are the docs for an API to update the function configuration to add an IP to the block list?
October 18, 2025 at 11:52 AM
Example: serverless function logs. They're buried within the function stuff, but since there are logs for other things, I would expect all of those to be accessible from the same place. (They are not.)
October 17, 2025 at 7:08 PM
I'm traveling for a bit, so a call isn't likely soon. I think it's info arch, but maybe could be solved with some nav? Basically: I look for things where I think they should be, but they aren't there, so I have to go spelunking.
October 17, 2025 at 7:08 PM
Oh my yes. That UI needs a bit of an overhaul. Difficult to find what you want/need.
October 17, 2025 at 6:43 PM
Yes, I'm aware. Just trying to reduce the load on me (the developer) for some basic checks. Question: can a Netlify function programmatically block an IP address ad hoc? Then the function could check for possible malicious use and auto block.
October 17, 2025 at 5:15 PM
What if Netlify put something in front of my function to check the origin header and reject anything that isn't same-origin? (I assume via a config option since this would break existing cross origin functions.)
Doesn't prevent truly malicious actors, but prevents basic curl scripts, etc.
October 17, 2025 at 4:41 PM
Since this is a static site with no user authentication, I'm not sure any CSRF token implementation would be possible, right?
As for CORS, I can set that header, sure... but the request would already have hit the server and thus be executed by the function.
October 17, 2025 at 4:41 PM
From those docs it looks like a default rate limit already exists per request IP, is that right? That certainly would help. Blocking is obviously an affirmative action and I'm looking for passive things. Does Netlify enforce the same-origin policy?
October 17, 2025 at 4:12 PM
Host-restricted serverless functions. Basically I want to be able to send a serverless function a request and know it came from my static site. I'm sure there are various ways to implement this, I'm open!
For context, this is what I use them for:
jordankasper.com/building-a-s...
Jordan Kasper - Building a Simple Analytics Replacement
So long and thanks for all the fish.
jordankasper.com
October 17, 2025 at 10:54 AM