Reputation: 759
I have a web api that I have created.
I want to ensure that only certain domains can access this data; I don't want everyone accessing it. Is this something that is achievable? Is it recommended? How would one go about doing this, or can anyone point me in the right direction (articles etc.)?
Thanks all
Upvotes: 4
Views: 8540
Reputation: 2714
You could write your own method that validates whether the request comes from a certain domain. But I wouldn't recommend using it as security for sensitive data, since a domain is easy to spoof. I would strongly recommend sticking with the default authentication mechanisms and not inventing your own, but validating for a certain domain could be an extra check.
You could validate the referer domain like this:
// UrlReferrer is null when the request carries no Referer header, so check for that
// first instead of dereferencing it. Compare the host (the "domain") rather than the
// full path, so any page on the allowed site passes and a different site does not.
var referrer = HttpContext.Current.Request.UrlReferrer;
if (referrer == null ||
    !string.Equals(referrer.Host, requiredReferrerHost, StringComparison.OrdinalIgnoreCase))
{
    // No Referer, or not the right domain.
}
But please take the following into account when you do so:
Checking the HTTP Referer header to see if the request is coming from an authorized page is commonly used for embedded network devices because it does not increase memory requirements. However a request that omits the Referer header must be treated as unauthorized because an attacker can suppress the Referer header by issuing requests from FTP or HTTPS URLs. This strict Referer validation may cause issues with browsers or proxies that omit the Referer header for privacy reasons. Also, old versions of Flash (before 9.0.18) allow malicious Flash to generate GET or POST requests with arbitrary HTTP request headers using CRLF Injection.[22] Similar CRLF injection vulnerabilities in a client can be used to spoof the referrer of an HTTP request.
From: Wikipedia: Cross-site request forgery prevention
Upvotes: 2
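The check above can be applied to every request once, rather than per action, with a Web API message handler. The following is an added example, not code from the answer or from any project on the page; it assumes ASP.NET Web API 2 and a hypothetical allowed host `app.example.com`. It follows the quoted guidance that a missing Referer is treated as unauthorized. Note that this only filters browsers that send the header honestly: any non-browser client (curl, a script) can set Referer to whatever it likes, which is why the answer says not to rely on it for sensitive data.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Rejects any request whose Referer host is not on the allow list.
// A missing Referer header is treated as unauthorized, per the quoted guidance.
public class RefererCheckHandler : DelegatingHandler
{
    private readonly string[] allowedHosts;

    public RefererCheckHandler(params string[] allowedHosts)
    {
        this.allowedHosts = allowedHosts;
    }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Headers.Referrer is null when the request carries no Referer header.
        Uri referrer = request.Headers.Referrer;
        bool allowed = referrer != null &&
            Array.Exists(allowedHosts,
                h => string.Equals(h, referrer.Host, StringComparison.OrdinalIgnoreCase));

        if (!allowed)
        {
            var forbidden = request.CreateResponse(
                HttpStatusCode.Forbidden, "Request did not come from an allowed domain.");
            return Task.FromResult(forbidden);
        }

        return base.SendAsync(request, cancellationToken);
    }
}

// Registration, e.g. inside WebApiConfig.Register(HttpConfiguration config)
// ("app.example.com" is a hypothetical allowed host):
//   config.MessageHandlers.Add(new RefererCheckHandler("app.example.com"));
```

Registering the handler in `WebApiConfig.Register` makes it run before routing for every API request, so individual controllers need no changes. Comparing `Host` with a case-insensitive exact match avoids the classic mistake of a substring or `StartsWith` check, which `evil.example.com.attacker.net` would pass.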
Reputation: 26727
There is built-in "CORS support for ASP.NET Web API" in version 2 (MVC5): http://aspnetwebstack.codeplex.com/wikipage?title=CORS%20support%20for%20ASP.NET%20Web%20API
Upvotes: 2
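For completeness, here is what that CORS support looks like in code. This is an added example, not code from the answer or from the linked page; it assumes the NuGet package `Microsoft.AspNet.WebApi.Cors` is installed and uses a hypothetical allowed origin `https://app.example.com`. Keep in mind what CORS does: it tells browsers which origins' scripts may read this API's responses, so it limits which websites can call the API from a page. It does not stop curl, server-side code or anyone who simply ignores the headers, so it is not a substitute for authentication on sensitive data.

```csharp
using System.Web.Http;
using System.Web.Http.Cors;

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // Turns on CORS processing for the whole API. Which origins are allowed
        // is decided by the [EnableCors] attributes on controllers or actions.
        config.EnableCors();

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Only scripts running on pages served from https://app.example.com (hypothetical)
// are allowed by browsers to read responses from this controller. List origins
// explicitly; "*" would allow any website to read the responses.
[EnableCors(origins: "https://app.example.com", headers: "*", methods: "GET,POST")]
public class ValuesController : ApiController
{
    public IHttpActionResult Get()
    {
        return Ok(new[] { "value1", "value2" });
    }
}
```

The origin string must match the scheme and host (and port, if non-default) that the browser sends in its `Origin` header, so `http://app.example.com` and `https://app.example.com` are different origins. If the API must also work with cookies or other credentials, set `SupportsCredentials = true` on the attribute and never combine that with a wildcard origin.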