Nil Pun

Reputation: 17373

Action to only allow request from same webserver

I have an MVC Controller which exposes an Initialise Action. The other virtual web application hosted on the same IIS will need to access this Action.

For security reasons, only requests coming from the same web server (where the MVC app is hosted) will need to be granted access to this Initialise method.

Could someone please help how to achieve this? We can't use localhost to validate as this application will be hosted in Azure which doesn't support localhost requests.

Upvotes: 6

Views: 6772

Answers (5)

SilverlightFox

Reputation: 33538

My answer is regarding restricting server-side requests.

The website that calls Initialise would need to make a request to http://www.example.com/controller/Initialise rather than http://localhost/controller/Initialise (replacing www.example.com and controller with your domain and controller names of course).

HttpRequest.IsLocal should be checked in your controller action:

// Inside the controller action (SecurityException needs using System.Security;)
if (!Request.IsLocal)
{
    throw new SecurityException();
}

This will reject any requests not coming from the local host. This approach assumes that both the calling site and the requested site share the same IP address - the documentation states that this should work:

The IsLocal property returns true if the IP address of the request originator is 127.0.0.1 or if the IP address of the request is the same as the server's IP address.

For restricting client-side requests Google "csrf mitigation".

Upvotes: 6

jjxtra

Reputation: 21140

If your server has multiple IP addresses, you'll need some extra code. The following handles multiple IP addresses, and handles a CDN like Cloudflare which will have the wrong IP address in the Request.UserHostAddress property.

Code:

// Controller helper; needs using System.Net.NetworkInformation;
private bool IsLocal()
{
    // Fast path: IIS already identified the request as local.
    if (Request.IsLocal)
    {
        return true;
    }
    // Originating address as forwarded by a proxy/CDN. This is a request header,
    // so its value is whatever the sender or the intermediary placed in it.
    string forwardIP = Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
    // Compare the peer and forwarded addresses against every address bound to
    // this machine's network interfaces, not just the one IIS is listening on.
    foreach (NetworkInterface netInterface in NetworkInterface.GetAllNetworkInterfaces())
    {
        IPInterfaceProperties ipProps = netInterface.GetIPProperties();
        foreach (UnicastIPAddressInformation addr in ipProps.UnicastAddresses)
        {
            string ipString = addr.Address.ToString();
            if (Request.UserHostAddress == ipString || forwardIP == ipString)
            {
                return true;
            }
        }
    }
    return false;
}

Upvotes: 1

Chris HG

Reputation: 1492

I think Request.IsLocal is the way to go here. Since you're using MVC, you could implement a custom attribute to do this for you. See my answer here for a working example.

Upvotes: 0
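A custom MVC authorization attribute along the lines Chris HG suggests, extended to cover the multiple-address case jjxtra raises, as an added example that is not code from any of the answers above (the LocalServerOnly name is assumed). It compares the TCP peer address against every address bound to the server and never reads X-Forwarded-For, since that header is set by whoever sends the request.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.NetworkInformation;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter: decorate the Initialise action with [LocalServerOnly].
public sealed class LocalServerOnlyAttribute : AuthorizeAttribute
{
    // Loopback plus every unicast address bound to this machine, resolved once.
    private static readonly Lazy<HashSet<IPAddress>> LocalAddresses =
        new Lazy<HashSet<IPAddress>>(LoadLocalAddresses);

    private static HashSet<IPAddress> LoadLocalAddresses()
    {
        var set = new HashSet<IPAddress> { IPAddress.Loopback, IPAddress.IPv6Loopback };
        foreach (NetworkInterface nic in NetworkInterface.GetAllNetworkInterfaces())
        {
            foreach (UnicastIPAddressInformation a in nic.GetIPProperties().UnicastAddresses)
            {
                set.Add(a.Address);
            }
        }
        return set;
    }

    // Decides on the TCP peer address only. X-Forwarded-For is a request header
    // the caller can set, so it is deliberately not consulted.
    public static bool IsFromThisServer(HttpRequestBase request)
    {
        if (request.IsLocal) return true;
        IPAddress remote;
        if (!IPAddress.TryParse(request.UserHostAddress, out remote)) return false;
        // Compare IPv4-mapped IPv6 peers (::ffff:10.0.0.5) as plain IPv4.
        if (remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();
        return LocalAddresses.Value.Contains(remote);
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return IsFromThisServer(httpContext.Request);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Answer 403 instead of redirecting to the login page.
        filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
    }
}
```

Behind a load balancer or CDN the peer address belongs to the intermediary, so this check would reject the calling site there; in that deployment a shared secret between the two applications or the platform's private networking is needed instead of address matching.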

Khalid Abuhakmeh

Reputation: 10839

Use the AntiForgeryToken provided by ASP.NET MVC. Here is an article about that.

http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Upvotes: 0

KrishnaDhungana

Reputation: 2684

Access-Control-Allow-Origin tells the browser regarding its accessibility to domains. Try specifying:

HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "yourdomain")

I have not tested this to find out if this works.

Upvotes: 0
