Restrict access to the Web API


Viewed 1,099 times

2

I have a Web API where I restrict access to its methods through EnableCors, indicating the URL I want to give permission to, as follows:

namespace WebService.Controllers
{
    [EnableCors(origins: "http://myapp.net", headers: "*", methods: "*")]
    public HttpResponseMessage GetItem(int id) { ... }
}

That way, if I try to access my controller from an application at a URL other than "http://myapp.net", the blocking happens as expected.

However, when I try to access the API directly, just pasting the URL of my "www.minhaapi.com. /Getitem/2" into the browser and opening it, the blocking does not happen.

I would like to know the best way to allow access to my API only from domain x.

  • What would be this "block" to avoid copy-and-paste? In my view, it’s all right. That’s how CORS behaves.

1 answer

1

Oops. The same-origin policy implemented by browsers, roughly speaking, is just a way to prevent requests from one domain to another (you upload a website on domain A that makes an asynchronous request for some resource on domain B).

But this protection does not prevent you from accessing the feature directly through the browser.

So these changes you made to allow cross origin (CORS) are behaving as expected.

Now, by way of example, if you want to block any connection that is not from an IP range, you can think of firewall rules, or deny access (reject the request) according to the client's IP in the application itself.
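The application-level IP check mentioned in the answer above, as an added example that is not part of the original answer: an ASP.NET Web API message handler that returns 403 for any client outside an allow-list of CIDR ranges. The handler name, its namespace and the sample ranges are hypothetical, and it assumes IIS (System.Web) hosting, where Web API exposes the request context under the `MS_HttpContext` property.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web;

namespace WebService.Handlers // hypothetical namespace
{
    // Rejects every request whose client IP is outside the allowed CIDR ranges.
    public class IpAllowListHandler : DelegatingHandler // hypothetical name
    {
        // Constructed sample ranges; replace with the ranges you trust.
        private static readonly string[] AllowedCidrs = { "203.0.113.0/24", "127.0.0.1/32" };

        // True when 'address' falls inside 'cidr' (same address family only).
        public static bool IsInCidr(IPAddress address, string cidr)
        {
            string[] parts = cidr.Split('/');
            byte[] net = IPAddress.Parse(parts[0]).GetAddressBytes();
            byte[] addr = address.GetAddressBytes();
            int prefix = int.Parse(parts[1]);
            if (net.Length != addr.Length) return false; // IPv4 vs IPv6 mismatch
            for (int i = 0; i < net.Length && prefix > 0; i++, prefix -= 8)
            {
                // Full byte while 8+ prefix bits remain, partial mask for the last byte.
                int mask = prefix >= 8 ? 0xFF : (0xFF << (8 - prefix)) & 0xFF;
                if ((net[i] & mask) != (addr[i] & mask)) return false;
            }
            return true;
        }

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            object ctx;
            IPAddress client = null;
            if (request.Properties.TryGetValue("MS_HttpContext", out ctx))
                IPAddress.TryParse(((HttpContextBase)ctx).Request.UserHostAddress, out client);

            // Fail closed: an unknown or disallowed address gets 403 Forbidden.
            if (client == null || !AllowedCidrs.Any(c => IsInCidr(client, c)))
                return Task.FromResult(request.CreateResponse(HttpStatusCode.Forbidden));

            return base.SendAsync(request, cancellationToken);
        }
    }
}
```

Register it with `config.MessageHandlers.Add(new IpAllowListHandler());` in the Web API configuration. Behind a reverse proxy or load balancer, `UserHostAddress` is the proxy's address, so the check then belongs at the proxy or firewall instead.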
