Reputation: 439
I have a 3-tier application: TMG, Web Server, App Server. My web server acts as a client to my Web API that is in the app server. The API will only be consumed by my Web Server. I don't have any login to my application. All the data will be available to the public.
For security I am using https/port 443 for communication between different layers.
I also have a network account that I want to use like this:

using System.Net.Http;

// Send the Web server's own network (Windows) account with each request
HttpClientHandler handler = new HttpClientHandler
{
    UseDefaultCredentials = true
};
Client = new HttpClient(handler);
Also I want to add an encrypted authentication token in the request header.
I was reading about http://dotnetopenauth.net/ and Looking for samples of using DotNetOpenAuth with WebAPI, but it seems very complicated for someone who is working on web services for the first time. Also, according to my understanding, in DotNetOpenAuth there is a third-party identity provider like FB, Twitter or Google, which I don't think I need because my application has no login.
I was thinking of adding a key to the registry on my web server, encrypting it and sending it across in the request header. Add the same key to the app server, decrypt it, match it and allow communication. Does this make sense?
Let me say this again: I have never worked in any form of web services. So I will appreciate a reply with a detailed explanation.
Upvotes: 0
Views: 2184
Reputation: 16463
I did the following on mobile app. Each of these steps is easy to implement:
1. On the client side get the UTC Unix timestamp and convert to string
2. Add a special password (called salt) to the end of the string
3. Convert it to a Sha1 string
4. Now you have 2 extra pieces of data, the timestamp and the resulting hashcode
5. Send the timestamp and hashcode along with the request to your web api
On the Web API side:
1. Create a Unix UTC timestamp. Subtract it from the timestamp that was sent to you, if it's greater than say 10 minutes reject the request.
2. Take the timestamp sent to you, add the salt to the string and hash it, if it equals the hashcode the client sent you then the request is still ok, otherwise reject it.
3. Search an array (or however you want to store values) for the timestamp that was sent to you. If it's not in the array then store it in the array. If it is in the array then reject the request. You should be using a timestamp down to the millisecond for all of this.
Upvotes: 1
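Both halves of the scheme this answer describes, as an added example that is not part of the post. It is written in Python rather than the asker's C# to show the exchange end to end; the client's "append salt, then SHA1" step is replaced with HMAC-SHA256 over the timestamp, and the shared secret, header names and sample timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared secret for this example; the answer calls it the "salt".
SHARED_SECRET = b"example-shared-secret-not-for-production"
WINDOW_MS = 10 * 60 * 1000  # the answer's 10-minute acceptance window


def sign_timestamp(ts_ms: int) -> str:
    """Client steps 2-3: token over the millisecond UTC timestamp.
    HMAC-SHA256 here, in place of the answer's 'append salt, then SHA1'."""
    return hmac.new(SHARED_SECRET, str(ts_ms).encode(), hashlib.sha256).hexdigest()


def client_headers(now_ms: Optional[int] = None) -> dict:
    """Client steps 4-5: the two extra values sent with every request."""
    ts_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return {"X-Timestamp": str(ts_ms), "X-Token": sign_timestamp(ts_ms)}


class ReplayGuard:
    """Server side: window check, token check, one-time-use timestamps."""

    def __init__(self, window_ms: int = WINDOW_MS):
        self.window_ms = window_ms
        self.seen: set = set()  # timestamps already accepted inside the window

    def _evict(self, now_ms: int) -> None:
        # A timestamp older than the window fails step 1 anyway, so forgetting
        # it is safe; this keeps the answer's "array" from growing unbounded.
        self.seen = {t for t in self.seen if now_ms - t <= self.window_ms}

    def verify(self, headers: dict, now_ms: Optional[int] = None) -> tuple:
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        self._evict(now_ms)
        try:
            ts_ms = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        # Server step 1: reject outside the window in either direction (clock skew).
        if abs(now_ms - ts_ms) > self.window_ms:
            return False, "timestamp outside window"
        # Server step 2: recompute the token and compare in constant time.
        if not hmac.compare_digest(sign_timestamp(ts_ms), headers.get("X-Token", "")):
            return False, "bad token"
        # Server step 3: each timestamp is accepted only once within the window.
        if ts_ms in self.seen:
            return False, "replayed timestamp"
        self.seen.add(ts_ms)
        return True, "ok"
```

Note that the timestamp is the only thing authenticated, so a captured token stays usable for any request within the window until the server has seen it; include the request path and body in the signed data if that matters.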
Reputation: 32596
The simplest approach would be to use a client-side certificate in the TLS communication between the Web server and the WebAPI server. Then in the WebAPI you only accept connections from clients (the web server) with a known certificate.
Upvotes: 0