Based on this post (already closed), I was thinking of securing the account linking for my Alexa Skill (only used for Home Assistant).
Another approach, which is already working in my environment, is to use a Cloudflare Service Token just as described here, but I don’t like the idea of making the function URL public, because I cannot enable IAM since the request is generated by the Alexa App during account linking.
Do you know if the solution shared by @dsm requires an Enterprise plan? Or is it secure enough to follow the Cloudflare docs but set the Service Auth policy in my Application to Include → Valid Certificate → Any valid certificate will be matched? cc/ @jklimek
The solution I previously posted about seems to be working just fine. From memory, you can have up to 5 firewall rules on the free plan. At some point the certs will expire and I’ll need to refresh, but that’s a few years away yet. I’ve confirmed multiple times that devices without the certs get rejected, so it seems to be doing its job correctly.
The BASE_URL_EX is just the URL without the leading https://. So BASE_URL would be https://something.example.com and BASE_URL_EX would be something.example.com