Matt Biilmann
@biilmann.blog
Chief Instigator @Netlify.com
Origin headers etc. won't prevent curl scripts. There's no way to prevent curl from setting whatever Origin header it wants.

For anything in the browser, just verify "application/json" content type and built-in CORS rules will keep you safe.
October 17, 2025 at 5:03 PM
Out of the box for your approach, since the function doesn't set CORS headers, any calls from a well-behaved browser can be trusted to be from the same domain as the function itself.

There's no way I can think of to avoid direct non-browser requests outside of custom code for request forgery tokens.
October 17, 2025 at 4:29 PM
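The browser-only guard the two posts above describe, written out as an added example (not from the thread and not Netlify's code): the function sets no CORS headers, so a cross-origin JSON POST fails its preflight and only same-origin browser traffic arrives with `application/json`, while HTML forms can only emit the CORS "simple" content types. The `checkBrowserRequest` name and the `selfOrigin` parameter are assumptions.

```javascript
// Added example (not from the thread). Guard for a serverless function that
// sets no CORS headers: a browser can only deliver a JSON-bodied POST to it
// from the same origin, because a cross-origin JSON POST triggers a preflight
// that the function never approves. Non-browser clients can forge any header,
// so this is a browser-only check, not a substitute for CSRF tokens.

// Media types a browser will send cross-origin WITHOUT a preflight (CORS
// "simple" requests); an HTML <form> can only produce these.
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Bare media type of a Content-Type value, parameters stripped:
// "application/json; charset=utf-8" -> "application/json"; missing -> "".
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide whether a state-changing request may be treated as same-origin
// browser traffic. `headers`: plain object keyed by lower-cased header name.
// `selfOrigin`: the origin the function is served from (assumed input).
function checkBrowserRequest(headers, selfOrigin) {
  const type = mediaType(headers['content-type']);
  if (type !== 'application/json') {
    const reason = type === '' || SIMPLE_TYPES.has(type)
      ? 'simple content type: could be a cross-site form post'
      : 'unexpected content type';
    return { ok: false, reason };
  }
  // Origin is corroborating only: browsers set it on POSTs, but any
  // non-browser client can fabricate it, so it never grants trust by itself.
  const origin = headers['origin'];
  if (origin !== undefined && origin !== selfOrigin) {
    return { ok: false, reason: `origin ${origin} is not ${selfOrigin}` };
  }
  return { ok: true, reason: 'json body, same origin (browser clients only)' };
}
```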
You need wildcard routing. Contact support and they can enable it on the pro plan. It scales to as many subdomains as you need.

The 50 recommendation is for full domain aliases versus subdomains, since each of those needs to go inside the TLS certificate and you don't want the size of that to explode.
October 17, 2025 at 9:34 AM
Depending on your needs, the new credit-based plans might work better. You will generally hit the free-tier limit sooner, but paid plans start at $9 and a lot of things are now just included in the overall bandwidth and requests (analytics, edge functions, rate limits, firewall, img transforms, etc.)...
October 17, 2025 at 9:31 AM