How can I securely call a web service (.asmx) which is used for internal purposes from Jquery in a ASP.Net Web Forms application?

Question

I have a system which uses Jquery AJAX calls to an .ASMX web service for INTERNAL and STATELESS use. For example, after pressing a button, a Jquery call is launched to insert a new user).

Now, the problem is, that the Jquery AJAX call is dynamically inserted by the user. The user can decide what code of Javascript to put, so he may call a AddUser() function in the web service, or do something else. Then, that piece of code is inserted dynamically and the button will add all the Javascript that the user wrote into the HTML content.

In the case the user decides to call the Jquery and specifically adds a code to call the AddUser() function in the WS, how can I do it securely? How can I assure that this AJAX request is coming from the same domain? I understand that every HTTP Request header can be manipulated, so how can I assure that the AJAX call is coming from the same site? I remind you, the purpose of that web service is for internal uses of the system - so I don't want that an external user will read the JS code and copy it an add users as much as he wants!

I don't want to use tokens or identification. It is a stateless request and I just want to add a user but to have control of who is making the call.

I will be happy to get any suggestion. Thank you in advance!

Answer 1

In my opinion you can't. You either add some kind of authentication (if you have one on the site you may use the same authentication) or render a token on the page which is sent with the AJAX request. Of course in both cases you add some form of state but in my opinion the requirement to originate the request from the same site is a requirement to track state.