CODEWITHSUNDEEP
c#asp.netiis
David Salzer
David Salzer

Reputation: 872

How to limit the domains that can call my page/web service

I'm having a web service witch I want to use on several domains. However, I want to limit the sites (domains) that can access my web service.

For example, I want a request made by a page in site www.Site-A.com will execute and a request from www.Site-B.com to deny.

Is there a way to do it with ASP.NET / IIS?

Upvotes: 1

Views: 1509

Answers (2)

AnthonyWJones
AnthonyWJones

Reputation: 189495

If I understand your question correctly you have a web content that may be referenced by other pages outside of your domain. Those pages will have been loaded into a browser then requests from references in those pages will attempt to get content from your site. Does that describe your scenario?

If so then the only chance you have to acheive this is to require that the requests be delivered with a referer header (which is normal but some browsers allow the user to suppress it). You can then examine the content of the referer header in your code to test whether you want to continue with the request.

You can examine the referer with this code:-

 var referer = new Uri(Request.ServerVariables("HTTP_REFERER"));
 if (referer.Host.ToLower() == "www.site-a.com")
    //Allow access

Caveat

This technique can only be used informally, there is no way to authenticate the referer header so anyone can spoof it using fairly simple tools.

Upvotes: 1

Vinay Sajip
Vinay Sajip

Reputation: 99415

You can check the IP address of the remote user and act accordingly. You can use the Referer header of the request, too, but that can be spoofed.

Upvotes: 1

Related Questions