Babak Fakhriloo

Reputation: 2126

Protect a web API from being called by other apps

I am developing an ASP.NET Web API app, and using OWIN and Identity to implement OAuth for my application's security. For each registered user, I also save a client ID and hash as described here. But I don't want other developers to be able to use my API and create their own app using the client ID (and other credentials) they have.

Is it possible?

Upvotes: 0

Views: 94

Answers (1)

Mehmet Ince

Reputation: 1318

First things first, you have to encrypt your network traffic between the mobile device and the API, because attackers can obtain sensitive data (which is the API token in this case) via a proxy. You also need to do SSL pinning, because you need to be sure that the public key is yours; otherwise attackers manage to get the sensitive data again with the same method. (Please check out: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning)

You shouldn't authenticate users with username/password. I suggest that you use an API key, so you can send user actions to the server side with patterns like the following.

https://example.com/api/APIKEYOVERHERE/action

Also, you can watch this talk about Secure Your API - Tips for REST + JSON Developers: https://www.youtube.com/watch?v=FeSdFhsKGG0

Upvotes: 1
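As an added example that is not part of the question or the answer above: the public key pinning check the answer points to, in Python, done the way the OWASP pinning page describes it. The pin is the SHA-256 of the certificate's SubjectPublicKeyInfo rather than of the whole certificate, so a routine re-issue of the certificate under the same key still matches, and a second pin is kept for a backup key held offline so the app is not bricked by a key rotation. The certificates here are constructed inside the block with a tiny DER encoder (unsigned placeholders, not real certificates), the pin set is an assumed value, and the DER walker covers only the v1/v3 certificate layout it needs; a real mobile client would run `certificate_matches_pins` on the leaf certificate inside its TLS validation callback and drop the connection on a mismatch.

```python
import base64
import hashlib

# --- minimal DER reader (enough to walk an X.509 certificate) -----------------

def _read_tlv(buf: bytes, pos: int):
    """Parse one DER element at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    hdr, length = 2, first
    if first & 0x80:                      # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos + hdr:end], buf[pos:end], end

def _elements(value: bytes):
    """Return [(tag, value, raw_tlv), ...] for every element of a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = _read_tlv(value, pos)
        out.append((tag, val, raw))
    return out

def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER-encoded certificate."""
    tag, cert_body, _, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs_tag, tbs, _ = _elements(cert_body)[0]        # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = _elements(tbs)
    if fields[0][0] == 0xA0:                          # explicit [0] version, present in v3 certs
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_tag, _, spki_raw = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_raw

# --- pinning --------------------------------------------------------------------

def pin_of_spki(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP / OWASP convention."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_pin(cert_der: bytes) -> str:
    return pin_of_spki(subject_public_key_info(cert_der))

def certificate_matches_pins(cert_der: bytes, pins) -> bool:
    """True if the leaf certificate's key matches the primary or any backup pin."""
    try:
        return spki_pin(cert_der) in set(pins)
    except (ValueError, IndexError):
        return False                                  # unparsable leaf: fail closed

# --- constructed sample certificates (placeholders: unsigned, not real) ----------

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _rsa_spki(key_bytes: bytes) -> bytes:
    rsa_oid = _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")   # 1.2.840.113549.1.1.1
    return _der(0x30, _der(0x30, rsa_oid + _der(0x05, b"")) + _der(0x03, b"\x00" + key_bytes))

def build_test_certificate(spki: bytes, serial: int) -> bytes:
    """A v3-shaped certificate with a zeroed signature, for the demo only."""
    sha256_rsa = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + sha256_rsa + empty_name + validity + empty_name + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" + bytes(16)))

SERVER_SPKI = _rsa_spki(bytes(range(200)))             # "current" server key (constructed)
BACKUP_SPKI = _rsa_spki(bytes(range(200, 0, -1)))      # offline backup key (constructed)
PINS = [pin_of_spki(SERVER_SPKI), pin_of_spki(BACKUP_SPKI)]   # assumed pin set shipped in the app

CURRENT_CERT = build_test_certificate(SERVER_SPKI, serial=1)
RENEWED_CERT = build_test_certificate(SERVER_SPKI, serial=2)          # re-issued, same key
ROGUE_CERT = build_test_certificate(_rsa_spki(bytes(200)), serial=3)  # interception proxy's own key

if __name__ == "__main__":
    for name, cert in [("current", CURRENT_CERT), ("renewed", RENEWED_CERT), ("rogue", ROGUE_CERT)]:
        verdict = "accept" if certificate_matches_pins(cert, PINS) else "REJECT"
        print(f"{name:8s} {spki_pin(cert)} {verdict}")
```

The renewed certificate has a different serial number and would have a different signature, yet it passes because only the key is pinned; the rogue certificate presented by an intercepting proxy fails even though it would chain to a CA the device trusts, which is the whole reason for pinning on top of ordinary TLS validation. Pinning raises the bar for traffic capture but does not by itself stop someone who already holds the app's embedded credentials from calling the API.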
