# sst
Hi! How do I secure my websocket API created by the debug stack for live lambda development? My actual API Gateway endpoints are secured by lambda authorizers, but the websocket API from the debug stack does not have authorizers. I realize it is only a risk when I run sst start locally and the debug session is running. But still, if someone somehow knows my websocket endpoint, and the person somehow knows the required values to construct the payload structure as shown here in SST, the person can connect to the websocket API directly to invoke the lambda from my local machine and bypass the authorizer on the API Gateway. I tried and it worked. Is there anything in place, or any suggestion, to secure the websocket API for live lambda development? I know it's a slim risk but I am asking because this is flagged by infosec. If there is no resolution we may have to stop using sst.
Hey @Lawrence Lau, thanks for bringing this up. You can access the debug stack's CDK App and Stack by adding a `debugStack` function in your index file like this: https://docs.serverless-stack.com/live-lambda-development#tagging-the-debug-stack

You can add an authorizer manually. But yeah, we definitely want to add out-of-the-box support for this. How do you want to protect the WebSocket API?
The websocket API could be protected using IAM permissions: https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html The initial websocket connection request from your local machine would have to include the necessary auth headers.

@Frank I believe you mentioned this is on your roadmap. Is there a ticket for this somewhere?