Lambda@Edge Auth Gateway
Edge Security for Vendor-Owned Applications
Discovered a publicly accessible vendor application using a static bearer token with no authentication, where sequential user ID enumeration exposed sensitive user data. Designed and deployed a zero-dependency Lambda@Edge JWT validation layer at CloudFront that uses shared parent-domain SSO cookies, so employees are authenticated transparently without modifying a single line of vendor code.
The vendor owned the application code and couldn't modify it. The app had to remain on a public endpoint. Lambda@Edge at the CDN layer was the only approach that met all constraints: no source code access, no vendor cooperation, no downtime.
Sole engineer. Discovered the vulnerability, designed the edge auth pattern, and deployed via Terraform. Recognised at the monthly all-hands.
Highlights
Shared-domain cookie auth
The corporate SSO portal writes a JWT to a shared parent-domain cookie, which the browser automatically presents to every subdomain. Lambda@Edge extracts the token, validates the RS256 (RSA-SHA256) signature against a cached JWKS endpoint (1-hour TTL), and checks the expiry claim and group membership (Employee/Contractor/Family/Visitor).
Vulnerability discovery and remediation
Found a static bearer token in the vendor application that allowed sequential user ID enumeration to access sensitive user data. Secrets scanning confirmed the scope of exposure. Designed the edge auth solution independently and deployed it the same week.
Surgical header management
Authorised requests have the heavy auth cookies stripped before forwarding, to prevent 431 Request Header Fields Too Large errors at the origin. Public routes (venue/menu) pass through, but purchase endpoints are blocked. Unauthorised users on protected routes are redirected to the SSO login page with a return URL.