Reputation: 5533
How to make a .NET Web Api private to my application only
I've created a new Web Api MVC4 project and built out a RESTful API using API Controllers, then I use regular MVC Controllers to render views using HMTL5/KnockoutJS/JS.
The views interact with the application via the REST Api as such (baseUrl property points to the proper REST endpoint for my given entity):
this.Post = function (entity) {
return $.ajax(baseUrl, {
type: 'post',
data: ko.toJSON(entity),
contentType: 'application/json',
dataType: 'json'
});
};
Now, how can I make it so that ONLY my app can consume (or view) my RESTful API?
Upvotes: 4
Views: 6555
Answers (3)
Reputation: 1009
Use the Authorize Attribute with a Role.
[Authorize(Roles = "Admin")]
public class MyPrivateDataController :ApiController
Upvotes: 0
Reputation: 11581
Yes you can!
Using a message handler or OWIn middleware to check request Url, if they are from your domain, then allow the call to pass through. Otherwise, ignore it.
Upvotes: 1
Reputation: 239200
The best way to handle making something private to your application is always to handle it at a network level. Don't even expose the Web API to the outside world. Put it behind the DMZ and punch a hole through the firewall specifically for your user-facing application. Then, nothing else will be able to touch it.
EDIT
Sorry, I wasn't paying attention to the fact that you're accessing it via AJAX, so what I suggested won't technically work. However, there's still some merit in this approach if you only need client-side access for a handful of endpoints. You can set up actions in your application that merely proxy the request to the private APIs endpoints, and then call the actions on your user-facing application for AJAX, instead of the Web API directly.
However, if everything needs to be available client-side, then you must expose the Web API. At that point, authentication is your only option, but securing that client-side it pretty much impossible (You'd have to store the auth token or the methodology to authenticate client-side, as well, allowing anyone who wants to take a look at your code to emulate what you've done).
Generally, if the code is public (available without having to authenticate), then you only want to expose non-atomic endpoints (GET requests and other things that don't actually make changes to any of your data). Once the user has authenticated with your user-facing application, you can then expose endpoints that are atomic, but it should be limited to only things that they should have access to change. You should also only use their credentials to authenticate with your Web API, instead of some global set of credentials for your application. That way, you can control their access at the Web API level, and deny requests to changes things they should have no access to. Anything more global should only go through your web application, proxying to a truly private Web API as described first in my answer.
Upvotes: 5
Related Questions
- Having Web Api called by only my website
- allow mvc5 c# webapi so that only my app can access it
- How to protect a Web API using ASP.NET 5 MVC 6
- Security between .NET MVC and WEB API
- How do I give only my client access to my API?
- Simplest security for an ASP.NET Web API in MVC 4 to prevent external users from accessing
- How to make a web API private
- how to secure a Web Api
- How to protect ASP.NET Web API 2
- Secure MVC4 c# webapi so that only my app can access it