Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Mila Pandurska 43 posts 190 karma points
    Feb 08, 2018 @ 15:25
    Mila Pandurska
    0

    WebAPI simple security

    Hi, I want to create Umbraco WebAPI controller with one method which will return some simple data - text and image. A mobile app will make the requests to my webApi Controller. I want to apply some very simple security on my WebAPI to prevent requests from other applications if they accidentally know the url to the api. How can I achieve this?

  • Kevin Jump 2343 posts 14890 karma points MVP 8x c-trib
    Feb 08, 2018 @ 18:54
    Kevin Jump
    0

    Hi

    for simple security, you could pass an additional hashed parameter to your api call that could be used to validate each request.

    you could for example do a simple MD5* hash of the date with a secret key and then pass both to your API.

    so some psudo code : for createing a hash

    var hash = MD5.CreateHash(timestring + "secretkey")
    

    then on your api,

    void myapi(parameter, string datestring, string key)
    {
       var hash = MD5.CreateHash(timestring + "secretkey");
       if (hash != key) {
         // invalid
       }
    }
    

    this is simple and also not super secure - but hard enough for casual bypasses not to be able to do anything - the problem is your mobile app will contain your key and so if they deconstruct that - they can manufacture how your key is made.

    There are other ways to secure things with encryption keys, and tokens, and you can use HMAC Attribute keys on api signatures to move checks like this away from the api signiture (so your api doesn't need to accept the key, it is done via an attribute) but they are probably a bit less simple.

    *people will say MD5 is not secure and can be cracked and maybe you should use something else - (like SHA) again that is all doable, just moves away from the "simpleness" element of it all.

Please Sign in or register to post replies

Write your reply to:

Draft