Hello,

Could you please let me know the best way to secure Web API calls?

As you might already know, the URL is enough to call and get data from the Web API if we don't secure it. Ours is an intranet application, but we would like to restrict access to the Web API so that only the application can call it, not someone hitting the URL from a browser.

Thank you.
Comments
Afzaal Ahmad Zeeshan 12-Nov-15 8:31am    
There are many possible answers for this question. They all depend on the purpose of securing: security from what? Hack attacks, SQL injection, what?

Hi,
For an intranet web app, you can set a private key in your app config.
Every user who first logs in to your app sends his credentials over HTTP and gets a unique identifier (token), which is then sent in a header on every call to the HTTP Web API. On the server side, you can decrypt the token using the private key.

This might help you:
http://programmers.stackexchange.com/questions/196421/what-are-the-best-practices-to-secure-a-web-api

Thanks
You need to send your token with each request in the Authorization header.
Try this out.
Comments
Ravindranath.net 12-Nov-15 8:26am    
The user comes to our application from a different application, which is not a .NET application, and we don't authenticate the user other than validating his Windows user ID against the transaction info they pass. How can I generate the token in that case?
Web API is actually accessible through the HTTP protocol; it doesn't say whether it is accessed by a web browser or an application. Web API will always respond to requests coming over HTTP, and web browsers send their requests over HTTP, which is why Web API is always accessible from a web browser, whereas in the case of an application you have to use libraries.

Now, the concept of securing them (as already stated in the comment to your question) depends entirely on how you want to secure the application. There may be many ways to do this (to accept a few requests and reject the others), but the simplest would be to add a query string to the URL that triggers the Web API, and otherwise send a 503 (Service Unavailable) to the web browser. For example, you may consider accepting URLs like

http://www.yourwebsite.com/api/controller?from_app=true

But that still doesn't secure your website, because anyone can type that into the URL, which is why you should consider creating and using a token for your users or applications: a token like a GUID that cannot be guessed by an ordinary user but that your application knows.
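The three solutions above describe one scheme between them: issue a token once the application has validated the caller (Solution 1), send it in the Authorization header on every API call (Solution 2), and do not rely on a guessable query string such as from_app=true (Solution 3). The following is an added example, not code from any of the answers or from the poster's project, showing that scheme end to end. It is written in Python so it runs stand-alone; the page is about ASP.NET Web API, and the same logic would live in a message handler or filter there. The token format (base64url payload, dot, HMAC-SHA256 signature), the claim names, the lifetime and the secret value are all assumptions made for the example; the secret stands in for the "private key in your app config" from Solution 1.

```python
"""Added example: HMAC-signed bearer tokens for an intranet Web API.

Not from the original answers. Token layout, claim names, lifetime and the
secret are assumptions chosen for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Assumption: the server-side secret that Solution 1 calls the private key in
# app config. Load it from configuration in real code; never hard-code it.
SERVER_SECRET = b"replace-with-a-long-random-secret-from-app-config"
TOKEN_LIFETIME_SECONDS = 8 * 3600  # assumption: one working day


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(windows_user_id: str, secret: bytes = SERVER_SECRET,
                now: Optional[float] = None) -> str:
    """Issue a token after the app has validated the caller (for the poster,
    a Windows user ID checked against the transaction info it arrives with).

    Layout: <base64url(claims JSON)>.<base64url(HMAC-SHA256(secret, payload))>
    Anyone can read the claims; only a holder of the secret can produce a
    signature that verifies, so the claims cannot be forged or altered.
    """
    issued = int(now if now is not None else time.time())
    claims = {"sub": windows_user_id, "iat": issued,
              "exp": issued + TOKEN_LIFETIME_SECONDS}
    payload = _b64url(json.dumps(claims, separators=(",", ":"),
                                 sort_keys=True).encode("utf-8"))
    signature = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url(signature)}"


def verify_token(token: str, secret: bytes = SERVER_SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. Never raises on malformed input."""
    try:
        payload, signature = token.split(".", 1)
        expected = hmac.new(secret, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so the MAC cannot be guessed byte by byte
        # by timing how far the comparison got.
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, TypeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if current >= claims["exp"] or not isinstance(claims.get("sub"), str):
        return None
    return claims


def authenticate_request(headers: Dict[str, str], query: Dict[str, str],
                         secret: bytes = SERVER_SECRET,
                         now: Optional[float] = None) -> Tuple[int, Optional[str]]:
    """Gate one API call. Returns (HTTP status, authenticated user ID or None).

    Only the Authorization header is consulted. The from_app=true query string
    from Solution 3 is deliberately ignored: a browser user can type it just as
    easily as the application can, so it proves nothing about the caller.
    """
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not credential:
        return 401, None          # no token at all, query string or not
    claims = verify_token(credential, secret, now)
    if claims is None:
        return 401, None          # forged, tampered, expired or malformed
    return 200, claims["sub"]


if __name__ == "__main__":
    # Constructed sample: the app validated CORP\alice and hands her a token.
    tok = issue_token("CORP\\alice")
    print(authenticate_request({"Authorization": "Bearer " + tok}, {}))
    print(authenticate_request({}, {"from_app": "true"}))
```

The one design choice worth calling out against the answers' wording: the server does not "decrypt" anything. An HMAC token is signed, not encrypted, so the claims are readable by whoever holds the token; what the secret buys is that nobody without it can mint a token for another user ID or extend an expiry. That is enough for the poster's need (reject bare browser hits), provided the token only ever travels over TLS and the secret stays on the server.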

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
