When using a Next.js site, if you enable streaming, the Lambdas get publicly accessible URLs for use as origins for the CloudFront distribution.
If you have WAF enabled in your CF, you may want to prevent the Lambda URLs from being invoked directly via the public URL, i.e. not via CF. AWS now supports OAC for Lambdas, and I think it would be secure to have this enabled by default in this case.
Is this currently being worked on? If not, I would like to try implementing this. A couple of questions I had: Should this be controlled by a parameter? Should it default to enabling OAC?
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-lambda.html
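The setup the issue asks for, as a complete CloudFormation template. This is an added example written for this page, not code from the original issue or from the project it is filed against; the resource names, the inline stand-in handler, and the stack layout are assumptions, while the two managed CloudFront policy IDs are AWS's published `CachingDisabled` and `AllViewerExceptHostHeader` policies. The three pieces that make the function URL CloudFront-only are the `AuthType: AWS_IAM` on the URL (a URL with `AuthType: NONE` stays public no matter what CloudFront does), the `lambda`-type OAC with `SigningBehavior: always`, and the `lambda:InvokeFunctionUrl` permission scoped to this one distribution's ARN.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Streaming Lambda function URL reachable only through CloudFront (OAC)

Resources:
  StreamingFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  StreamingFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: nodejs20.x
      Handler: index.handler
      Role: !GetAtt StreamingFunctionRole.Arn
      Code:
        ZipFile: |
          // Stand-in for the Next.js server handler (constructed for this example).
          exports.handler = awslambda.streamifyResponse(async (event, stream) => {
            stream.write("streamed from behind CloudFront\n");
            stream.end();
          });

  # The function URL itself. AWS_IAM auth means an unsigned direct request
  # gets 403; AuthType NONE is what makes the URL publicly invokable.
  StreamingFunctionUrl:
    Type: AWS::Lambda::Url
    Properties:
      TargetFunctionArn: !GetAtt StreamingFunction.Arn
      AuthType: AWS_IAM
      InvokeMode: RESPONSE_STREAM

  # Resource policy: only this distribution may invoke the URL.
  AllowCloudFrontInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref StreamingFunction
      Action: lambda:InvokeFunctionUrl
      Principal: cloudfront.amazonaws.com
      SourceArn: !Sub arn:${AWS::Partition}:cloudfront::${AWS::AccountId}:distribution/${Distribution}

  # OAC for a Lambda origin: CloudFront SigV4-signs every origin request.
  LambdaOac:
    Type: AWS::CloudFront::OriginAccessControl
    Properties:
      OriginAccessControlConfig:
        Name: !Sub ${AWS::StackName}-lambda-oac
        OriginAccessControlOriginType: lambda
        SigningBehavior: always
        SigningProtocol: sigv4

  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        HttpVersion: http2and3
        # WebACLId: <web ACL ARN>   # attach WAF here; OAC stops callers from bypassing it
        Origins:
          - Id: lambda-url
            # FunctionUrl is https://<id>.lambda-url.<region>.on.aws/ ; keep the host part
            DomainName: !Select [2, !Split ["/", !GetAtt StreamingFunctionUrl.FunctionUrl]]
            OriginAccessControlId: !GetAtt LambdaOac.Id
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols: [TLSv1.2]
        DefaultCacheBehavior:
          TargetOriginId: lambda-url
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          # Managed CachingDisabled policy.
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
          # Managed AllViewerExceptHostHeader policy: the viewer Host header must
          # not reach the function URL, or the signed request will not validate.
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac

Outputs:
  DistributionDomain:
    Value: !GetAtt Distribution.DomainName
  DirectFunctionUrl:
    Description: Fetching this directly should now return 403
    Value: !GetAtt StreamingFunctionUrl.FunctionUrl
```

After deploying, the check is simply `curl -i` against `DirectFunctionUrl` (expect `403 Forbidden`) versus `https://<DistributionDomain>/` (expect the streamed body). Two caveats a practitioner will hit: the resource policy on the function must exist even with OAC configured, since OAC only makes CloudFront sign the request and the function URL still has to authorize the signer; and with a Lambda OAC, `PUT`/`POST` requests that carry a body require the client to send an `x-amz-content-sha256` header with the payload hash, per the linked AWS documentation, which matters for a Next.js app that relies on POST-based features.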