How to secure an API?

This is my scenario. I have a public web-site. There are two types of users:

  1. Anonymous – They are exploring the site, haven’t created a login
  2. Signed Users – Have an account and have logged in.

My question is how to handle anonymous users?
I do not want the API to be accessible to the whole world. CORS is also not a good option, as there are many ways around it.

What are my options?


You can set a custom authorizer function for your function and validate the request before invoking your main function.
Here’s the serverless documentation with an example.
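As an added illustration of the custom authorizer approach (example code, not from the answer above or the serverless documentation), the sketch below shows one way to let anonymous sessions call the API without opening it to the world: the site issues each anonymous browser session a short-lived HMAC-signed token, and the authorizer verifies the signature and expiry before returning an Allow or Deny policy. The token format, the `SECRET` value and the `issue_anonymous_token` helper are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for the example only; in a real deployment load it from a
# secrets manager and never ship it to the browser (the browser only gets tokens).
SECRET = b"example-shared-secret-not-for-production"
SIG_LEN = hashlib.sha256().digest_size  # 32 bytes

def issue_anonymous_token(session_id, ttl_seconds=900, now=None):
    """Mint a short-lived token for an anonymous session: '<session>:<expiry>' + HMAC."""
    now = int(time.time()) if now is None else now
    payload = f"{session_id}:{now + ttl_seconds}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def verify_token(token, now=None):
    """Return the session id if the token is well-formed, correctly signed and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]   # fixed-length tag, so no delimiter parsing
        session_id, expiry = payload.decode().split(":")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    if expiry <= now:                               # reject expired tokens
        return None
    return session_id

def build_policy(principal_id, effect, method_arn):
    """Shape of the IAM policy an API Gateway Lambda authorizer returns."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }

def authorizer_handler(event, context=None, now=None):
    """Authorizer entry point: validate the bearer token before the main function is invoked."""
    token = event.get("authorizationToken", "").removeprefix("Bearer ")
    method_arn = event.get("methodArn", "*")
    session_id = verify_token(token, now=now)
    if session_id is None:
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(session_id, "Allow", method_arn)
```

Because the token is signed with a server-side secret and expires quickly, a client that never loaded the site cannot forge one, and a leaked token stops working on its own; signed-in users would present their normal credential through the same authorizer instead.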