Are Netlify Functions secure?
Netlify Functions (serverless) do not include built-in authentication, rate limiting, or input validation. Every function endpoint is publicly accessible by default at /.netlify/functions/function-name, and any deployed function can be called by anyone. Without explicit security measures, functions are vulnerable to abuse, data extraction, and denial-of-service. You must implement your own authentication checks, input validation, and rate limiting in each function. UNPWNED detects exposed serverless function endpoints and tests them for common vulnerabilities including missing authentication and information disclosure.
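An added example, not code from this page or from Netlify, that puts the three checks named above (rate limiting, authentication, input validation) inside one function. It assumes the Lambda-compatible handler signature with lowercase header names, a hypothetical API_TOKEN environment variable, an email field as the only accepted input, and the x-nf-client-connection-ip request header as the client address; the limits are constructed values.

```javascript
// Added example: hypothetical function, Lambda-compatible event shape assumed.
const WINDOW_MS = 60_000; // constructed limit: window length
const MAX_HITS = 5;       // constructed limit: requests per client per window
const hits = new Map();   // in-memory, so per warm instance only (best effort)

const reply = (statusCode, body) => ({
  statusCode,
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify(body),
});

// Compares every character so timing does not reveal where a mismatch occurs.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % b.length);
  return diff === 0;
}

// Returns { ok: true, email } when every check passes, else an error response.
function guard(event, expectedToken, now = Date.now()) {
  if (event.httpMethod !== 'POST') return reply(405, { error: 'method not allowed' });
  const headers = event.headers || {};
  // 1. Rate limit: fixed window keyed on the client address header.
  const ip = headers['x-nf-client-connection-ip'] || 'unknown';
  const rec = hits.get(ip);
  if (!rec || now - rec.start >= WINDOW_MS) hits.set(ip, { start: now, count: 1 });
  else if (++rec.count > MAX_HITS) return reply(429, { error: 'too many requests' });

  // 2. Authentication: fail closed if the secret is unset; generic error text.
  const auth = String(headers.authorization || '');
  if (!expectedToken || !safeEqual(auth, `Bearer ${expectedToken}`)) {
    return reply(401, { error: 'unauthorized' });
  }

  // 3. Input validation: bounded size, strict JSON, one allow-listed field.
  if (typeof event.body !== 'string' || event.body.length > 1024) return reply(400, { error: 'invalid input' });
  let data;
  try { data = JSON.parse(event.body); } catch { return reply(400, { error: 'invalid input' }); }
  const email = data && data.email;
  if (typeof email !== 'string' || !/^[^\s@]{1,64}@[^\s@]{1,255}$/.test(email)) {
    return reply(400, { error: 'invalid input' });
  }
  return { ok: true, email };
}
async function handler(event) {
  const result = guard(event, process.env.API_TOKEN); // API_TOKEN: assumed variable name
  return result.ok ? reply(200, { accepted: result.email }) : result;
}
if (typeof module !== 'undefined') module.exports = { handler };
```

Because the counter lives in function memory, it resets whenever a new instance starts; a hard limit needs a shared store or a platform-level control.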
Last reviewed: 2026-04-07. Based on publicly available security research and UNPWNED scan telemetry.