Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Marvin Varela 14 posts 35 karma points
    Oct 14, 2015 @ 18:47
    Marvin Varela
    0

    Umbraco API (WebAPI) access issue

    Hi all,

    I implemented an Umbraco API controller on the following path:

    /Umbraco/Api/{Controller}/{Action}?{param1}={value1}&{param2}={value2}

    However, for security reasons /Umbraco/ is blocked in the production, so this API is not accessible in production.

    Is there any way I can change this path to use anything other than /Umbraco/Api?

    Since it is recommended as a good security practice to block /umbraco/ in production, I wonder why it was decided it would be a good idea to use /umbraco/api for this naming pattern.

    Thanks!

  • Nicholas Westby 2054 posts 7103 karma points c-trib
    Oct 14, 2015 @ 19:49
    Nicholas Westby
    0

    How are you blocking /umbraco? If it is by IP, and you open it up by IP, and you are able to log in via the Umbraco backend, you should be able to access the API URL.

    If you are calling that API from the server side, you would want to unblock /umbraco from the IP of the production server.

  • Marvin Varela 14 posts 35 karma points
    Oct 14, 2015 @ 20:18
    Marvin Varela
    0

    Thanks for taking a look.

    It is blocked in IIS, nobody is supposed to be able to login via de Umbraco backend in production, all the content changes are made in staging and then the database is deployed to production as is. Having Umbraco visible on the site was detected as vulnerability by the security team and since nobody is supposed to make any content changes in production, it was decided to completely block it.

    The call to the API is made at the client side, in an AJAX call, so white-listing is not an option.

Please Sign in or register to post replies

Write your reply to:

Draft