Reputation: 121
I just wanted to know whether there is any way to block HTTP requests made by POSTMAN, just like a browser, with the help of CORS, allows only specific origins to access a resource. Thanks in advance.
Upvotes: 5
Views: 12706
Reputation: 21
This may be late for this question, but one of the easiest ways to handle such a situation is:

    // Requires: using System.Text; (for Encoding)
    app.Use(async (context, next) =>
    {
        // Compare the Referer header with the single allowed value.
        if (context.Request.Headers["Referer"].ToString() != "http://localhost:4200/")
        {
            // Short-circuit the pipeline: write the rejection message and stop.
            byte[] data = Encoding.ASCII.GetBytes("Not Recognized Request");
            await context.Response.Body.WriteAsync(data);
            return;
        }
        // Referer matched: continue to the next middleware.
        await next();
    });

This is useful for .NET Core and must be set in the Startup --> Configure section. With this approach you will restrict your API to "http://localhost:4200", which would be the "Referer" that you want to restrict to. So, because Postman has no "Referer", it will get "Not Recognized Request" as the response.
Upvotes: 2
Reputation: 6335
I am not aware of anything that gives away the fact that the request is made via Postman.
At the end of the day, Postman is a simple client, so the fact that the request is coming through it, or any other client as a matter of fact, is irrelevant. Postman's job is to help talk to APIs and even automate this process.
If you are worried about security then secure your API first. Then you wouldn't really care how you get a request, as long as it's authenticated and actually allowed to talk to your API.
Upvotes: 3
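One way to apply the advice above in the same middleware style, as an added example that is not part of any answer on this page: require a credential rather than inspecting client-supplied headers such as Referer. The `X-Api-Key` header name, the `UseApiKey` extension and the shared-key scheme are assumptions for illustration, and the code targets .NET 5 or later (for `SHA256.HashData`).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

public static class ApiKeyMiddlewareExtensions
{
    // Header name assumed for this example; any agreed header works.
    private const string HeaderName = "X-Api-Key";

    // Call from Startup.Configure before the endpoints, passing a key loaded
    // from configuration or a secret store (never hard-coded in source).
    public static IApplicationBuilder UseApiKey(this IApplicationBuilder app, string expectedKey)
    {
        if (string.IsNullOrEmpty(expectedKey))
            throw new ArgumentException("An API key must be configured.", nameof(expectedKey));

        // Hash the expected key once so both sides of the comparison
        // always have the same fixed length (32 bytes).
        byte[] expectedHash = SHA256.HashData(Encoding.UTF8.GetBytes(expectedKey));

        return app.Use(async (context, next) =>
        {
            // A missing header yields an empty string, which is rejected below.
            string presented = context.Request.Headers[HeaderName].ToString();
            byte[] presentedHash = SHA256.HashData(Encoding.UTF8.GetBytes(presented));

            // Constant-time comparison avoids leaking how many bytes matched.
            if (presented.Length == 0 ||
                !CryptographicOperations.FixedTimeEquals(presentedHash, expectedHash))
            {
                // Reject with a real error status instead of a 200 body.
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                await context.Response.WriteAsync("Unauthorized");
                return;
            }

            // Credential accepted: continue to the next middleware.
            await next();
        });
    }
}
```

With this in place the server's decision depends on whether the caller holds the key, not on which client sent the request, so Postman, curl and a browser are all treated the same.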
Reputation: 16825
No.
In CORS, it's the browser's job to block the request (or answer); your server does not know the "truth" about the request. If some power user disables "following CORS rules" in browser settings/flags, your CORS settings will be ignored.
And even if you find some "special headers" that POSTMAN will "understand" and refuse to work, there are many other "clients" that can send http(s) requests to the server (curl, Fiddler, ...).
Upvotes: 4